
Threat Research Knowledge Base

AppleJeus

Description

AppleJeus is a sophisticated macOS trojan attributed to North Korea's state-sponsored APT Lazarus Group. This malware has been used for years to infiltrate cryptocurrency exchanges and financial service companies by masquerading as legitimate applications. AppleJeus enables unauthorized access, facilitates data exfiltration, and can lead to significant financial losses.


Variant Names

N/A

Alternative Names

  • UnionCryptoTrader
  • Nukesped
  • Lazarus

Country of origin

  • North Korea

Symptoms

You might observe the following artifacts associated with this threat:

  • Installation of unrecognized cryptocurrency trading applications from unfamiliar sources.
  • Unexpected network connections to unknown servers.
  • Unusual system behavior or unexpected financial transactions.
  • Detection of another malware, FALLCHILL RAT.

Technical Breakdown

AppleJeus is typically distributed through websites that appear to host legitimate cryptocurrency trading platforms. Unsuspecting users are tricked into downloading and installing these weaponized applications. Upon execution, the malware has the capability to perform the following actions:

  • Establishes persistence: The malware installs components that ensure it remains active on the system across reboots.
  • Communicates with command and control (C2) servers: AppleJeus connects to attacker-controlled servers to exfiltrate data and download additional payloads.
  • Exfiltrates data: The malware can collect and transmit sensitive information, including login credentials and financial data.

Multiple versions of AppleJeus have been identified, each with varying levels of sophistication and infiltration techniques.
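The persistence and C2 bullets above describe the pattern but give a responder nothing concrete to hunt for. The following is an added example, written for this page and not taken from Kandji or from any AppleJeus sample, that scores launchd property lists (the usual macOS mechanism for surviving reboots and logins) against heuristics matching that pattern: an executable in a scratch or hidden location, RunAtLoad/KeepAlive, an interpreter or downloader instead of a binary, or an Apple-looking label pointing at a non-Apple path. The directory list, scoring rules, threshold and the two embedded sample plists are all assumptions constructed for illustration; on a live Mac, scan_launchd_dirs() reads the real job directories.

```python
"""Score launchd plists for persistence that matches the AppleJeus pattern.

Added example for this page; not code from Kandji or from any malware sample.
All heuristics, paths and sample plists below are assumptions for illustration.
"""
import glob
import os
import plistlib

# Real macOS launchd job directories (system daemons, system agents, user agents).
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Assumed "expected" install prefixes; anything else earns a point.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")
# Scratch directories: a job that lives here was dropped, not installed.
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                    "/var/folders/", "/private/var/folders/")
# Jobs that run an interpreter or downloader instead of a real binary.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript", "curl"}


def program_of(job):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def assess_job(job, source="<memory>"):
    """Score one parsed launchd job dict; higher means worth a manual look."""
    program = program_of(job)
    args = " ".join(str(a) for a in job.get("ProgramArguments") or [])
    label = job.get("Label", "")
    score, reasons = 0, []
    if program.startswith(SCRATCH_PREFIXES):
        score += 3; reasons.append("executable lives in a scratch directory")
    elif not program.startswith(TRUSTED_PREFIXES):
        score += 1; reasons.append("executable outside standard install locations")
    if any(part.startswith(".") for part in program.split("/") if part):
        score += 2; reasons.append("hidden path component")
    if os.path.basename(program) in INTERPRETERS:
        score += 1; reasons.append("job invokes an interpreter or downloader")
    if "http://" in args or "https://" in args:
        score += 2; reasons.append("job arguments fetch remote content")
    if job.get("RunAtLoad"):
        score += 1; reasons.append("RunAtLoad: starts at boot or login")
    if job.get("KeepAlive"):
        score += 1; reasons.append("KeepAlive: relaunched if killed")
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/", "/Library/Apple/")):
        score += 2; reasons.append("Apple-looking label with a non-Apple program path")
    if "." not in label:
        score += 1; reasons.append("label is not reverse-DNS style")
    return {"source": source, "label": label, "program": program, "score": score, "reasons": reasons}


def assess_plist_bytes(data, source="<memory>"):
    """Parse raw plist bytes (XML or binary) and score them; unparseable files get a note."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # malformed or non-plist content in a launchd dir is itself odd
        return {"source": source, "label": "", "program": "", "score": 1,
                "reasons": [f"unparseable plist: {exc}"]}
    return assess_job(job, source)


def scan_launchd_dirs(dirs=LAUNCHD_DIRS, threshold=3):
    """Score every plist in the given directories and return those at or above threshold."""
    findings = []
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.plist")):
            with open(path, "rb") as fh:
                result = assess_plist_bytes(fh.read(), path)
            if result["score"] >= threshold:
                findings.append(result)
    return sorted(findings, key=lambda r: -r["score"])


# Constructed sample plists (not real artifacts): a benign third-party helper and a
# dropped "updater" hidden under /Users/Shared that survives reboots and restarts itself.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.tradeupdate.agent</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.TradeUpdate/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(assess_plist_bytes(sample))
    for finding in scan_launchd_dirs():
        print(finding["score"], finding["source"], finding["program"], "; ".join(finding["reasons"]))
```

The scores are a triage aid, not a verdict: a legitimate user LaunchAgent can land just under the threshold, and a well-placed implant inside /Applications can score low, so pair the hit list with a code-signature check (codesign -dv on the flagged binary) before deciding what to remove.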

Next Steps

Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.

While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually.

In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.

Learn more about it

DPRK DriverEasy & ChromeUpdate Deep Dive


Related

Bundlore is an extremely prevalent adware that targets macOS systems by bundling unwanted applications with legitimate software installers. It often masquerades as popular software updaters and installers, deceiving users into installing additional unwanted programs. Once installed, Bundlore injects advertisements into web browsers, redirects user searches, and collects sensitive browsing data. Bundlore is sometimes dropped by macOS malware Shlayer.

EvilQuest, also known as ThiefQuest, is a ransomware variant that targets macOS systems. EvilQuest also includes some information stealing and data exfiltration features. It is actively being enhanced with new features to avoid detection.

Shlayer is a Trojan downloader that primarily targets macOS systems, known for distributing various types of adware, including Bundlore. It is distributed through fake Flash Player updates and deceptive websites, tricking users into installing unwanted software. Once executed, Shlayer connects to command-and-control servers to download additional payloads.
