AppleJeus


Posted: December 10, 2019

AppleJeus is a Trojan downloader that facilitates backdoor attacks by downloading other threats and, possibly, additional commands. Its distribution relies on fake company identities and the financial software those 'companies' offer to infect victims' systems. Users should research companies before downloading their products as a safeguard and use compatible anti-malware products to delete AppleJeus when it is detected.

Trading Your Security Away with Crypto-Trading Software

The Lazarus Group, a collection of hacker entities based in North Korea that share infrastructure and techniques, is best known for its espionage-related activity. It also compromises targets for profit as a 'side gig.' The compromise of a cryptocurrency exchange in 2018 is especially instructive: it yielded crucial details on how the Lazarus Group operates and surfaced a previously unseen macOS threat. Since the Lazarus Group ordinarily uses Windows-native Trojans and related hacking tools, AppleJeus represents a bite of an entirely different apple.

AppleJeus's distribution model is, as usual, the most notable part of its campaign, rather than its payload and features. The Lazarus Group established a shell company on a domain paid for in cryptocurrency, complete with believable, falsified identity information and credentials such as digital signatures. The 'company,' Celas Limited, offered downloads of a Celas Trade Pro application, a cryptocurrency-trading program for Windows and macOS.
</gml_replace>
<gr_replace lines="14" cat="clarify" orig="Both versions of the software">
Both versions of the software include a malicious updater component; in the macOS version, that component is AppleJeus. Victims receive a thoroughly believable trading application but also open their systems to AppleJeus's commands and payloads, which, to date, include FALLCHILL. FALLCHILL is a backdoor Trojan that can control memory processes, execute commands, collect data, wipe files, remove itself, and perform other operations that malware experts associate with high-level, espionage-focused threats.

Both versions of the software use a corrupted updater component, in the macOS's case, AppleJeus. The victims acquire a totally-believable trading application but also opens up their system to AppleJeus's commands and payloads, which, to date, include FALLCHILL. FALLCHILL is a backdoor Trojan that can control memory processes, execute commands, collected data, wipe files, remove itself, and perform other operations that malware experts associate with high-level threats with an espionage focus.

The New Crop from the Trojan Tree

To the surprise of no one in the cyber-security industry, the Lazarus Group remains highly active in 2019. A deep code dive into one of their currently circulating Trojans shows that AppleJeus might still be alive and receiving updates. A new shell company, JMT Trading, is offering similarly threatening financial software with techniques almost identical to those of the old AppleJeus attacks. However, this macOS program includes support for acting on C&C-transmitted commands and can function as a backdoor all by itself, which may make the new version of AppleJeus a 'cross-genre' Trojan.

Average workers can't regularly undertake investigations into company addresses and transaction histories, which would reveal the fraud behind these tactics. However, they can avoid downloading unknown software that lacks good reviews from third parties and stay with download resources that they know uphold bare-minimum security standards. They also should be wary of installers asking for admin privileges, as AppleJeus does, which is a common sign of a disguised Trojan's installation.
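The campaign's use of a believable shell company with real-looking digital signatures means "it's signed" is not enough on its own. One triage check a defender can still run on a downloaded macOS installer before granting it admin privileges is to inspect the code-signing chain and compare the signing Team ID against one obtained out of band (the vendor's own site, a prior install, or a published security note). The following is an added example, not code from the original page or from any vendor mentioned on it; it parses the key=value lines that `codesign -dv --verbose=4` prints and flags bundles whose chain or Team ID does not match. The sample outputs and the Team IDs (`ABCDE12345`, `ZZZZZ99999`) are constructed placeholders, not values from any real software.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: what `codesign -dv --verbose=4 Some.app` prints for a bundle signed
# with a Developer ID certificate whose Team ID matches the one we expect (placeholder ID).
SAMPLE_OK = """\
Executable=/Applications/TradeTool.app/Contents/MacOS/TradeTool
Identifier=com.example.tradetool
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=ABCDE12345
Authority=Developer ID Application: Example Vendor Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

# Constructed sample: a valid Apple-issued signature, but under a different Team ID than
# the one the vendor is known to use. The signature itself is fine; the identity is not.
SAMPLE_OTHER_TEAM = SAMPLE_OK.replace("ABCDE12345", "ZZZZZ99999")

# Constructed sample: an ad-hoc signed bundle (no certificate chain at all).
SAMPLE_ADHOC = """\
Executable=/Users/me/Downloads/Updater.app/Contents/MacOS/Updater
Identifier=com.example.updater
Signature=adhoc
TeamIdentifier=not set
"""


@dataclass
class SigningInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)  # leaf first, root last


def parse_codesign_output(text: str) -> SigningInfo:
    """Extract Identifier, TeamIdentifier and the ordered Authority= lines from codesign output."""
    info = SigningInfo()
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line (e.g. codesign's free-text warnings)
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def assess(info: SigningInfo, expected_team_id: str) -> list:
    """Return a list of findings; an empty list means the bundle passes this triage check."""
    findings = []
    if not info.authorities:
        # Unsigned or ad-hoc signed: nothing ties the bundle to any Apple-issued identity.
        findings.append("unsigned or ad-hoc signed bundle")
        return findings
    leaf = info.authorities[0]
    if not leaf.startswith("Developer ID Application:"):
        findings.append(f"leaf certificate is not a Developer ID Application certificate: {leaf}")
    if info.authorities[-1] != "Apple Root CA":
        findings.append("certificate chain does not terminate at Apple Root CA")
    # Team ID in the leaf subject should agree with the TeamIdentifier field.
    m = re.search(r"\(([A-Z0-9]{10})\)$", leaf)
    if m and m.group(1) != info.team_id:
        findings.append("TeamIdentifier does not match the Team ID in the leaf certificate")
    if info.team_id != expected_team_id:
        findings.append(f"Team ID {info.team_id!r} does not match expected {expected_team_id!r}")
    return findings


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("other-team", SAMPLE_OTHER_TEAM), ("adhoc", SAMPLE_ADHOC)]:
        print(name, assess(parse_codesign_output(sample), "ABCDE12345") or ["passes triage check"])
```

Usage: run `codesign -dv --verbose=4 /path/to/App.app 2>&1` on a Mac, feed the text to `parse_codesign_output`, and call `assess` with the Team ID you trust. A passing result only shows that Apple issued a certificate to an account with that Team ID; as the Celas Limited case shows, a fraudulent company can obtain real credentials, so the Team ID must come from a source independent of the download itself.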

Outdated security solutions struggle to flag this Trojan. Always let your anti-malware services install their most recent database updates so that detecting and removing AppleJeus and other current threats becomes trivially easy.

This first step into macOS hacking is a frighteningly large one. The psychological components of the AppleJeus campaign are at least as potent as its programming, which remains threatening to any company that gets itself infected.