Analysis Report

MAR-10322463-1.v1 - AppleJeus: Celas Trade Pro

Alert Code: AR21-048A


Malware Analysis Report
10322463.r1.v1
2021-02-12

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.

This MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see Joint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at https://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.

There have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. In most versions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an unsuspecting individual downloads a third-party application from a website that appears legitimate.

The U.S. Government has identified AppleJeus malware version—Celas Trade Pro—and associated IOCs used by the North Korean government in AppleJeus operations.

In August 2018, open source reporting revealed information about a Trojanized version of a legitimate cryptocurrency trading application on a victim’s computer (Note: identity of the victim was not disclosed). The malicious program, known as Celas Trade Pro, is a modified version of the benign QT Bitcoin Trader application. This incident led to the victim company being infected with the malware known to the U.S. Government as FALLCHILL, a North Korean remote administration tool (RAT). According to CISA, FALLCHILL “is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL."

Celas Trade Pro had been recommended to the victim company via a phishing email from a company known as Celas Limited. The email provided a link to the Celas Limited website (https://www[.]celasllc.com), where the user could download a Windows or macOS version of the Celas Trade Pro software.


For a downloadable copy of IOCs, see: MAR-10322463-1.v1.stix.

Submitted Files (6)

5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0 (Updater)

6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69 (celastradepro_win_installer_1....)

a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765 (CelasTradePro.exe)

bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb (Updater.exe)

c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70 (CelasTradePro)

d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04 (celastradepro_mac_installer_1....)

Domains (1)

celasllc.com

Findings

6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69

Tags

dropper, trojan

Details
Name: celastradepro_win_installer_1.00.00.msi
Size: 9827840 bytes
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {A3B40756-2C9C-4167-9296-5DD2DAF7973E}, Number of Words: 2, Subject: CelasTradePro, Author: CELAS LLC, Name of Creating Application: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer database contains the logic and data required to install CelasTradePro., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5: 9e740241ca2acdc79f30ad2c3f50990a
SHA1: 0c5e4cec03d2eea2b1dd5356fe05de64a0278cd6
SHA256: 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69
SHA512: dd02c1e717c2556b64d261f04c5a8add7dcc2f3ad267507d883ba68c7e4cf827136edce517aab055dfa02d8569a5779eb1fc24fb0b7c6bb3447d45e2802726e5
ssdeep: 196608:s80YaAWH7ICcfRLdq81w920W+ZP6g2DsjW1TIZfxgNu1DZNJQfIYizTrh50:sPUWHECcfBdR1w9NWqSg2DsK1TmfxgiD
Entropy: 7.973409
Antivirus
Ahnlab: MSI/Installer
Comodo: Malware
Microsoft Security Essentials: Trojan:Win32/Letdater
Quick Heal: OLE.MSI.Agent.39994.GC
Sophos: Troj/NukeSped-X
Symantec: Trojan.Dropper
TrendMicro: Trojan.BC27BA50
TrendMicro House Call: Trojan.BC27BA50
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
6ee19085ad... Downloaded_From celasllc.com
6ee19085ad... Contains a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765
6ee19085ad... Contains bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb
Description

This Windows program from the Celas LLC site is a Windows MSI Installer. The installer looks legitimate and previously had a valid digital signature from Comodo (Sectigo). The signature was signed with a code signing certificate purchased by the same user as the Secure Sockets Layer (SSL) certificate for "celasllc.com." The installer asks for administrative privileges to run and while installing "CelasTradePro.exe" (a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765) it also installs "Updater.exe" in the “C:\Program Files (x86)\CelasTradePro” folder. Immediately after installation, the installer launches "Updater.exe" (bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb) with the “CheckUpdate” parameter.

Screenshots

Figure 1 - Screenshot of the CelasTradePro installation.

celasllc.com

Tags

command-and-control

URLs
  • celasllc.com/checkupdate.php
Whois

Whois for celasllc.com had the following information in August 2018:
IP Address: 185.142.236.213
Registrant Name: John Broox
Registrant Organization:
Registrant Street: 2141 S Archer Ave
Registrant City: Chicago
Registrant State/Province: Illinois
Registrant Postal Code: 60601
Registrant Country: US
Registrant Phone: +1.8133205751
Registrant Email: johnbroox200@gmail.com
Name Server: 1a7ea920.bitcoin-dns.hosting
Name Server: a8332f3a.bitcoin-dns.hosting
Name Server: ad636824.bitcoin-dns.hosting
Name Server: c358ea2d.bitcoin-dns.hosting
Created: May 29, 2018
Expires: May 29, 2019
Updated: Sep 9, 2018

Relationships
celasllc.com Downloaded_To 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69
celasllc.com Downloaded_To d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04
Description

The Celas Limited website had a professional appearance, and at the time had a valid Secure Sockets Layer (SSL) certificate issued by Comodo (now Sectigo). The SSL certificate was “Domain Control Validated," which is a weak security verification level for a webserver. Typically, this is a fully automated verification where the certificate requester only needs to demonstrate control over the domain name (i.e. with an email like admin[@]celasllc.com). This type of certificate necessitates no validation of the identity of the website’s owner, nor the existence of the actual business. At the time of analysis, the domain celasllc.com resolved to IP address 185.142.236.213, which belongs to the Netherlands Amsterdam Blackhost Ltd ISP, AS174, Cogent Communications.

Screenshots

Figure 2 - Screenshot of the Celas LLC website.

a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765

Tags

trojan

Details
Name: CelasTradePro.exe
Size: 2517160 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 45eb8f06c5f732e8dde8e9318d8b2392
SHA1: d4583cba9034a3068f8106b5013d37d7bdd46f38
SHA256: a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765
SHA512: 6536a7b0767828bb95f6f33a4e465fec48fc474b4f919bc878e02966f82f900fbaa6e2f9d7bc1dffa28bbe35f94ee6b9a570902843dfd35a8c9d1405ac130039
ssdeep: 49152:TrxfUhMyK0lq3Z8SC8Q1ZZmpwi0qEdz+7WGSVOr:PxfU60lqiV1UL
Entropy: 6.852284
Antivirus
Sophos: Mal/BadCert-Gen
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2018-06-17 20:17:48-04:00
Import Hash: 33ef6aff05b44076249d6ed27e247e11
Company Name: Celas LLC
File Description: Celas Bitcoin Trader
Internal Name: Celas Bitcoin Trader
Legal Copyright: Copyright (C) 2018 CELAS LLC
Original Filename: CelasTradePro.exe
Product Name: CelasTradePro
Product Version: 1.0.0.0
PE Sections
MD5 Name Raw Size Entropy
724cd82da1ca0a93b9d171923d149ce9 header 1024 2.738571
4909abcdca48f01dd7d44d7b6035deef .text 1152000 6.244241
88f7c98251537ffd1f94935b8c134b9a .rdata 1076224 6.842683
0e102f466e9e6893970e2fd96c8b3fce .data 9728 4.517533
87a4b3b57b1b37d19870a4f1c9577374 .rsrc 110592 3.737298
a6d8c9855dc4334bb35c95a1e0518a9d .reloc 162304 6.385957
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
a84ed8ce71... Contained_Within 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69
Description

This file is a 32-bit Windows executable contained within the Windows MSI Installer "celastradepro_win_installer_1.00.00.msi." When executed, "CelasTradePro.exe" asks for the user’s exchange and then loads a legitimate cryptocurrency trading platform with no signs of malicious activity.

CelasTradePro is extremely similar in appearance to a version of the open source cryptocurrency trading platform QT Bitcoin Trader that was available around the same timeframe (Figures 3 and 4). Beyond the visual similarity, many strings found in CelasTradePro reference QT Bitcoin Trader, with parameters set to “Celas Trade Pro,” including but not limited to:

--Begin similarities--
String_ABOUT_QT_BITCOIN_TRADER_TEXT=Celas Trade Pro
QtBitcoinTrader
String_ABOUT_QT_BITCOIN_TRADER_TEXT=Celas Trade Pro is a free Open Source project developed on pure C++ Qt and OpenSSL.
julyighor@gmail.com (note: Ighor July is one of the developers of QT Bitcoin Trader)
--End similarities--

The strings also reference the name “John Broox” as the author of CelasTradePro.

While the CelasTradePro application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader for Windows is not available for download as an MSI, but only as a Windows portable executable. This is a single file named "QtBitcoinTrader.exe" that does not install or run any additional programs. The CelasTradePro MSI contains "CelasTradePro.exe," the modified version of QT Bitcoin Trader, as well as the additional "Updater.exe" (bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb) executable, which is not included with the original QT Bitcoin Trader.

Screenshots

Figure 3 - Screenshot of the CelasTradePro application.

Figure 4 - Screenshot of the QT Bitcoin Trader application.

bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb

Tags

downloader, loader, spyware, trojan

Details
Name: Updater.exe
Size: 173224 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: b054a7382adf6b774b15f52d971f3799
SHA1: b4d43cd2d81d17dec523915c0fc61b4b29e62c58
SHA256: bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb
SHA512: 7c307a2ed0e6e483a0f3e7161ff0433e6bd498ab0b14b5359a938554999b076c4143a766b96c05dc0b949948cac97d81534ceb1300d02276ec90e2c1162383a9
ssdeep: 1536:XN9cIi98pUYi7tIP+arPg1ssvpoOJwtFT6BxdYIHs/5mBS0LiF:99clzLPPBoOJwWBxdYlxySr
Entropy: 4.980364
Antivirus
Ahnlab: Malware/Win32.Generic
Antiy: Trojan[Downloader]/Win32.Agent
Avira: TR/Dldr.Agent.jlhae
BitDefender: Trojan.GenericKD.40404380
ClamAV: Win.Spyware.Fallchill-6663754-2
Comodo: Malware
ESET: Win32/TrojanDownloader.NukeSped.E trojan
Emsisoft: Trojan.GenericKD.40404380 (B)
Ikarus: Trojan-Downloader.Agent
K7: Riskware ( 0040eff71 )
Lavasoft: Trojan.GenericKD.40404380
McAfee: Generic trojan.d
Microsoft Security Essentials: Trojan:Win32/Letdater
NANOAV: Trojan.Win32.Letscool.fflqoo
Sophos: Troj/NukeSped-Y
Symantec: Trojan Horse
Systweak: trojan.agent
TrendMicro: Trojan.BC27BA50
TrendMicro House Call: Trojan.BC27BA50
VirusBlokAda: TrojanDownloader.Agent
Zillya!: Downloader.Agent.Win32.365188
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2018-06-15 06:56:27-04:00
Import Hash: b25cd98650edb58a9a4d00af1d17453d
PE Sections
MD5 Name Raw Size Entropy
2c879beba343ce37c06647fb37be983e header 1024 2.572659
4da943f482631027a2152c6f336055af .text 38912 6.556738
0b7c67c806051953aa6addc2771a20eb .rdata 10240 4.875590
49f73fd786fe23fbc68635fbf76b63a3 .data 4096 2.272665
7a96caced6b43d719b90f6e332ad12f3 .rsrc 109568 3.715817
8aacf0cff202d7d74c04f938df61e45f .reloc 4096 4.127553
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
bdff852398... Contained_Within 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69
Description

This file is a 32-bit Windows executable contained within the Windows MSI Installer "celastradepro_win_installer_1.00.00.msi." "Updater.exe" has the same program icon as CelasTradePro. Updater.exe was likely developed under the name “jeus” based on the build path “Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb” found in the code (partial origin of the name AppleJeus).

"Updater.exe" collects victim host information and sends it back to the server. At launch, the malware first checks for the “CheckUpdate” parameter and, if it is not present, exits; this is likely intended to evade detection in a sandbox environment. If the "CheckUpdate" parameter is present, the malware creates a unique identifier for the system following the format “%09d-%05d." It then collects the process list, excluding “System” processes, and queries the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion” for the following values:

--Begin values--
ProductName (Windows OS Version)
CurrentBuildNumber (Windows 10 build version)
ReleaseID (Windows 10 version information)
UBR (Sub version of Windows 10 build)
BuildBranch (Windows 10 build branch information)
--End values--

After collecting this information, "Updater.exe" encrypts the data with the hard-coded XOR key “Moz&Wie;#t/6T!2y," prepends the encrypted data with “GIF89a” (image header) and sends the data to "celasllc.com/checkupdate.php."

The malware also uses a hard-coded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0” and multipart form data separator “jeus." If the malware receives a response with HTTP code 200, it will decode the base64 payload, then decrypt the result using the hard-coded RC4 decryption key “W29ab@ad%Df324V$Yd." The raw data is then written to a file prepended with the “MAX_PATHjeusD” string.
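As an added illustration (not code from the report or from the malware itself), the Python below reproduces the beacon and response encodings the two paragraphs above describe, so that a captured "checkupdate.php" exchange can be decoded and flagged. It assumes the XOR is a plain repeating-key XOR over the whole payload and that the "GIF89a" marker is the literal six ASCII bytes; the host data and C2 reply are constructed samples, and the multipart form wrapping is not reproduced (the functions take the raw bytes of the form part).

```python
import base64
import string

# Keys and markers quoted from the report. Assumption: the XOR is a plain
# repeating-key XOR over the whole payload (the report does not say more).
XOR_KEY = b"Moz&Wie;#t/6T!2y"
RC4_KEY = b"W29ab@ad%Df324V$Yd"
GIF_HEADER = b"GIF89a"
PRINTABLE = set(string.printable.encode())


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling, then keystream XOR); also symmetric."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon(part: bytes):
    """Strip the fake GIF89a header and XOR-decrypt; None if the header is absent."""
    if not part.startswith(GIF_HEADER):
        return None
    return xor_crypt(part[len(GIF_HEADER):])


def decode_response(body: bytes) -> bytes:
    """C2 reply as the report describes it: base64, then RC4 with the fixed key."""
    return rc4(RC4_KEY, base64.b64decode(body))


def looks_like_beacon(part: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: real GIF image data does not XOR-decrypt to text; a beacon does."""
    plain = decode_beacon(part)
    if not plain:
        return False
    return sum(b in PRINTABLE for b in plain) / len(plain) >= threshold


# Constructed sample (not captured traffic): host data laid out as an analyst might
# expect it, encoded exactly as the report describes the outbound beacon.
SAMPLE_HOST_INFO = b"000123456-00042|Windows 10 Pro|17134|1803|165|rs4_release"
SAMPLE_PART = GIF_HEADER + xor_crypt(SAMPLE_HOST_INFO)
# Constructed stand-in for a second-stage file, wrapped as the C2 reply would be.
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed placeholder, not a real payload"
SAMPLE_RESPONSE = base64.b64encode(rc4(RC4_KEY, SAMPLE_PAYLOAD))
```

The printable-ratio heuristic in looks_like_beacon is what separates a decoy image from a beacon in proxy logs: genuine GIF data after the header decrypts to noise under the key, whereas the host-info string decrypts cleanly.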

Screenshots

Figure 5 - Screenshot of the "CheckUpdate" parameter verification in "Updater.exe."