This article is contributed. See the original author and article here.

Malware Analysis Report

10322463.r2.v1

2021-02-12

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.

This MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see Joint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware at https://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.

There have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. In most versions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an unsuspecting individual downloads a third-party application from a website that appears legitimate.

The U.S. Government has identified AppleJeus malware version—JMT Trading—and associated IOCs used by the North Korean government in AppleJeus operations.

JMT Trading malware, discovered by a cybersecurity company in October 2019, is a legitimate-looking cryptocurrency trading software that is marketed and distributed by a company and website—JMT Trading and jmttrading[.]org, respectively—that appear legitimate.

For a downloadable copy of IOCs, see: MAR-10322463-2.v1.stix.

Submitted Files (6)

07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542 (jmttrader.msi)

081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6 (JMTTrader.exe)

4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806 (jmttrader_mac.dmg)

7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea (JMTTrader)

9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641 (CrashReporter.exe)

e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55 (CrashReporter)

Domains (2)

beastgoc.com

jmttrading.org

Findings

07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542

Tags

backdoordroppertrojan

Details
Name jmttrader.msi
Size 11524608 bytes
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {A2814B39-244E-4899-81F9-F995B8DC1A80}, Number of Words: 2, Subject: JMTTrader, Author: JMT Trading Group LLC, Name of Creating Application: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer database contains the logic and data required to install JMTTrader., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5 c4aa6f87124320eadc342d2fe7364896
SHA1 4fcc84583126689d03acf69b9fca5632f7d44752
SHA256 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542
SHA512 51b34ae0a0e9252705206f2d9e87136706f51a70cc110e8493ff1266303ae33f09c1e89f329ae8f776a610c88f155e02afeb63a8bc7762ce307143fdff944172
ssdeep 196608:p/5qF8q187MZjfZjowfMjVS9Qkj6YotsEXw6xws8CV/KFmpZ3zyl:B5qCyBfRfMjVS4RXw6EFF
Entropy 7.962353
Antivirus
Ahnlab MSI/Dropper
Avira TR/Agent.rhbwd
Comodo Malware
Ikarus Trojan.Win32.Agent
Microsoft Security Essentials Backdoor:Win32/Stealer.A!MSR
NetGate Trojan.Win32.Malware
Symantec Trojan.Gen.MBT
TrendMicro Backdoo.80EE6F49
TrendMicro House Call Backdoo.80EE6F49
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
07c38ca1e0… Downloaded_From jmttrading.org
07c38ca1e0… Contains 081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6
07c38ca1e0… Contains 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641
Description

This Windows program from the JMTTrade GitHub site is a Windows MSI Installer. The installer looks legitimate and previously had a valid digital signature from Comodo (Sectigo). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for “jmttrading.org.” The installer asks for administrative privileges to run and while installing “JMTTrader.exe” (081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6) in the “C:Program Files (x86)JMTTrader” folder, it also installs “CrashReporter.exe” (9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641) in the “C:Users<username>AppDataRoamingJMTTrader” folder. Immediately after installation, the installer launches “CrashReporter.exe” with the “Maintain” parameter.

Screenshots