Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
2018-08-23 • Kaspersky
Kaspersky describes Operation AppleJeus, a Lazarus campaign that compromised a cryptocurrency exchange through a trojanized build of the Celas Trade Pro cryptocurrency trading application. An employee received a download link by email and installed the application from a legitimate-looking vendor website; the Windows installer then launched a signed Updater.exe (so a code-signing check alone would not have stopped it) that collected host and running-process information before beaconing to www.celasllc[.]com/checkupdate.php. The updater disguised the encrypted beacon as an image (GIF-like) upload, protected the exchange with hardcoded XOR and RC4 keys, and fetched a second-stage payload only when the server answered HTTP 200. The operation also shipped a macOS variant whose hidden autoupdater was kept persistent through a dot-prefixed (hidden) launch plist, which Kaspersky highlights as one of the first observed Lazarus malware operations against macOS. The report matters because it shows Lazarus using supply-chain-style trojanization of a plausibly legitimate, signed application against cryptocurrency targets, and expanding beyond Windows-only tooling.
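The summary above notes that the updater hid its encrypted beacon inside an upload that only looked like a GIF. A practical way to catch that class of disguise, independent of any key or domain, is to check whether a body that claims to be an image is actually explained by the image format's block structure. The Python below is an added example written for this page, not code from the Kaspersky report or from the malware; it implements a structural GIF walker and flags two disguise patterns (a GIF header bolted onto an opaque blob, and a real image with an opaque blob appended after the trailer). The byte strings, including the stand-in for the encrypted host inventory, are constructed for the demo.

```python
"""Structural check: does a body that claims to be a GIF actually parse as one?

Added example for this page (not the report's or the malware's code). Sample
bytes below are constructed; CIPHERTEXT stands in for an RC4-encrypted blob.
"""
from __future__ import annotations

GIF_HEADERS = (b"GIF87a", b"GIF89a")


def gif_structure_report(data: bytes) -> dict:
    """Walk the GIF block structure and report how much of `data` it explains.

    Returns a dict with:
      valid    - True if the blocks parse cleanly up to a trailer (0x3B)
      reason   - why parsing stopped
      consumed - bytes explained by the structure (header through trailer)
      trailing - bytes left over after the trailer (0 for a clean file)
    """
    n = len(data)

    def need(pos: int, count: int) -> None:
        if pos + count > n:
            raise ValueError(f"truncated at offset {pos}, need {count} bytes")

    def skip_sub_blocks(pos: int) -> int:
        # Data sub-blocks: <size byte><size bytes> ... terminated by a 0x00 size.
        while True:
            need(pos, 1)
            size = data[pos]
            pos += 1
            if size == 0:
                return pos
            need(pos, size)
            pos += size

    try:
        if data[:6] not in GIF_HEADERS:
            raise ValueError("missing GIF87a/GIF89a signature")
        pos = 6
        need(pos, 7)                       # Logical Screen Descriptor
        packed = data[pos + 4]
        pos += 7
        if packed & 0x80:                  # Global Color Table present
            pos += 3 * (2 ** ((packed & 0x07) + 1))
            need(pos, 0)
        while True:
            need(pos, 1)
            introducer = data[pos]
            pos += 1
            if introducer == 0x3B:         # Trailer: structure ends here
                return {"valid": True, "reason": "trailer reached",
                        "consumed": pos, "trailing": n - pos}
            if introducer == 0x21:         # Extension: label byte, then sub-blocks
                need(pos, 1)
                pos = skip_sub_blocks(pos + 1)
            elif introducer == 0x2C:       # Image Descriptor
                need(pos, 9)
                img_packed = data[pos + 8]
                pos += 9
                if img_packed & 0x80:      # Local Color Table present
                    pos += 3 * (2 ** ((img_packed & 0x07) + 1))
                need(pos, 1)               # LZW minimum code size
                pos = skip_sub_blocks(pos + 1)
            else:
                raise ValueError(
                    f"unknown block introducer 0x{introducer:02x} at offset {pos - 1}")
    except ValueError as exc:
        return {"valid": False, "reason": str(exc), "consumed": 0, "trailing": 0}


def looks_like_disguised_upload(data: bytes) -> bool:
    """Flag bodies that claim to be GIFs but are not fully explained by GIF structure."""
    report = gif_structure_report(data)
    return (not report["valid"]) or report["trailing"] > 0


# Constructed samples ---------------------------------------------------------
# A genuine 1x1 transparent GIF (the well-known 43-byte file).
REAL_GIF = bytes.fromhex(
    "474946383961" "01000100800000" "000000ffffff"
    "21f90401000000" "00" "2c00000000010001000002024401003b"
)
# 48 arbitrary bytes standing in for an RC4-encrypted host inventory (constructed).
CIPHERTEXT = bytes.fromhex(
    "9f3a0c77d1e8b2" "418c0e6bf219aa03c75d90e4" "5e"
    "7702b94c1de6832af06895cb3e07d4a16f1bc852e90d7a36bf8420c3"
)
FAKE_BODY = b"GIF89a" + CIPHERTEXT          # header glued onto an opaque blob
PADDED_BODY = REAL_GIF + CIPHERTEXT         # real image with a blob appended

if __name__ == "__main__":
    for name, body in (("real", REAL_GIF), ("fake", FAKE_BODY), ("padded", PADDED_BODY)):
        print(name, looks_like_disguised_upload(body), gif_structure_report(body))
```

Run it against captured POST bodies whose declared content type is image/gif (the same walk works on multipart parts once they are extracted). A clean image is consumed exactly to its trailer; the two disguise patterns fail either with an impossible block introducer or with unexplained bytes after the trailer. The check is format-level only: a deliberately embedded payload inside valid LZW data would pass it, so treat it as one signal alongside destination and frequency analysis.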
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | celasllc.com | 2018-08-15 | 2024-03-05 |
| HASH | bbbcf6da5a4c352e8846bf91c3358d5c | 2018-08-23 | 2021-12-21 |
| HASH | 0bdb652bbe15942e866083f29fb6dd62 | 2018-08-23 | 2021-12-21 |
| HASH | d7089e6bc8bd137a7241a7ad297f975d | 2018-08-23 | 2021-12-21 |
| IPv4 | 185.142.236.213 | 2018-08-23 | 2021-02-17 |
| HASH | 48ded52752de9f9b73c6bf9ae81cb429 | 2018-08-23 | 2020-01-08 |
| HASH | 6b061267c7ddeb160368128a933d38be | 2018-08-23 | 2018-08-23 |
| HASH | 94dfcabd8ba5ca94828cd5a88d6ed488 | 2018-08-23 | 2018-08-23 |
| HASH | abec84286df80704b823e698199d89f7 | 2018-08-23 | 2018-08-23 |
| HASH | 56f5088f488e50999ee6cced1f5dd6aa | 2018-08-23 | 2018-08-23 |
| HASH | 5ad7d35f0617595f26d565a3b7ebc6d0 | 2018-08-23 | 2018-08-23 |
| HASH | cd6796f324ecb7cf34bc9bc38ce4e649 | 2018-08-23 | 2018-08-23 |
| HASH | cafda7b3e9a4f86d4bd005075040a712 | 2018-08-23 | 2018-08-23 |
| HASH | 6cb34af551b3fb63df6c9b86900cf044 | 2018-08-23 | 2018-08-23 |
| HASH | 9e740241ca2acdc79f30ad2c3f50990a | 2018-08-23 | 2018-08-23 |
| HASH | 81c3a3c5a0129477b59397173fdc0b01 | 2018-08-23 | 2018-08-23 |
| HASH | ffae703a1e327380d85880b9037a0aeb | 2018-08-23 | 2018-08-23 |
| HASH | 4126e1f34cf282c354e17587bb6e8da3 | 2018-08-23 | 2018-08-23 |
| HASH | e1ed584a672cab33af29114576ad6cce | 2018-08-23 | 2018-08-23 |
| HASH | 0a15a33844c9df11f12a4889ae7b7e4b | 2018-08-23 | 2018-08-23 |
| HASH | c501ea6c56ba9133c3c26a7d5ed4ce49 | 2018-08-23 | 2018-08-23 |
| HASH | 14b6d24873f19332701177208f85e776 | 2018-08-23 | 2018-08-23 |
| HASH | cea1a63656fb199dd5ab90528188e87c | 2018-08-23 | 2018-08-23 |
| HASH | 21694c8db6234df74102e8b5994b7627 | 2018-08-23 | 2018-08-23 |
| HASH | d8484469587756ce0d10a09027044808 | 2018-08-23 | 2018-08-23 |
| EMAIL | [email protected] | 2018-08-23 | 2018-08-23 |
| URL | https://www.domains4bitcoins.co… | 2018-08-23 | 2018-08-23 |
| URL | https://libertyvps.net/ | 2018-08-23 | 2018-08-23 |
| URL | https://www.changeip.com/ | 2018-08-23 | 2018-08-23 |
| DOMAIN | libertyvps.net | 2018-08-23 | 2018-08-23 |
| IPv4 | 80.82.64.91 | 2018-08-23 | 2018-08-23 |
| IPv4 | 185.142.239.173 | 2018-08-23 | 2018-08-23 |
| IPv4 | 185.142.236.226 | 2018-08-23 | 2018-08-23 |
| IPv4 | 196.38.48.121 | 2018-08-23 | 2018-08-23 |
| HASH | b054a7382adf6b774b15f52d971f3799 | 2018-08-15 | 2018-08-23 |
| URL | https://www.celasllc.com/checku… | 2018-08-15 | 2018-08-23 |