Cybercriminals are taking an increasing interest in building threats for macOS. One of the newer examples that security researchers have spotted is called AppleJeus. AppleJeus is a backdoor Trojan with several intriguing features. Its authors distribute it through a bogus cryptocurrency exchange: anyone who wants to use the service is urged to download the exchange's trading platform, and as soon as the user downloads and installs that file, the AppleJeus backdoor is silently planted on the system. Besides the variant that targets Macs, the authors have also built a copy that goes after Windows. The Windows variant has nothing especially remarkable about it, but the macOS copy has some curious aspects that are worth exploring.
The Malicious Installer Is Hosted on GitHub
To trick users into compromising their own systems, the AppleJeus backdoor is disguised as the trading application of a bogus exchange named 'Celas' or 'JMT Trading.' Both services are made up and are not linked to any genuine company or business. The creators of the backdoor chose to host the malicious installer package, named 'JMT-Trader.pkg,' on the legitimate platform GitHub. Seeing the file on a reputable site like GitHub may lead some users to assume that nothing fishy is going on and that the service is genuine; in reality, anyone can publish a release on GitHub, and where a file is hosted says nothing about what it contains.
To gain persistence on the compromised host, the AppleJeus installer uses an installation script to deploy a set of files and then registers a new launch daemon, which makes sure the backdoor is started again every time the computer is rebooted. Writing a launch daemon requires administrator privileges, but that is no obstacle for the authors: installing the package brings up the standard prompt asking the user for administrator credentials, and a victim who believes they are installing a trading platform simply types in the password and gives the installation the green light.
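The persistence mechanism described above leaves a concrete artifact: a launchd property list that points at a dropped binary and asks for it to run at boot. The following triage script is an added example written for this article, not code from the original page or from the AppleJeus sample. It parses launchd plists with Python's standard plistlib, extracts the program each job runs, and flags jobs that start at boot from a non-Apple location, run from a user-writable directory, or hide their binary in a dot-prefixed directory. The allowlisted prefixes, the job labels and the file paths in the embedded sample plists are assumptions constructed for illustration, not real indicators; on a Mac the script reads the real /Library/LaunchDaemons and /Library/LaunchAgents directories instead.

```python
import os
import plistlib

# Locations Apple's own daemons run from (assumption: a reasonable allowlist,
# not an exhaustive one; tune it for your fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/",
                    "/sbin/", "/bin/", "/Library/Apple/")
# Locations a root daemon should never be launched from.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                     "/Users/")
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")


def program_path(job):
    """Executable a launchd job runs: Program wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage_job(raw):
    """Parse one launchd plist and return (label, path, reasons).
    An empty reasons list means nothing in the job looked off."""
    job = plistlib.loads(raw)
    label = job.get("Label", "<no Label>")
    path = program_path(job)
    reasons = []
    if not path:
        return label, None, ["no Program or ProgramArguments"]
    # RunAtLoad (or KeepAlive, which restarts the job) is the boot-time
    # persistence an installer script sets up.
    persistent = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    if persistent and not path.startswith(TRUSTED_PREFIXES):
        reasons.append("starts at boot from a non-Apple location")
    if path.startswith(WRITABLE_PREFIXES):
        reasons.append("binary lives in a user-writable or temporary directory")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("binary path contains a hidden (dot) component")
    return label, path, reasons


def triage_all(plists):
    """plists maps a file name to its raw bytes; returns only the flagged
    jobs as (file name, label, path, reasons)."""
    flagged = []
    for name, raw in plists.items():
        label, path, reasons = triage_job(raw)
        if reasons:
            flagged.append((name, label, path, reasons))
    return flagged


def load_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Read every .plist from the real launchd directories (macOS only)."""
    found = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                with open(os.path.join(d, name), "rb") as fh:
                    found[name] = fh.read()
    return found


# Constructed sample plists: one Apple-style job and two shaped like the
# persistence the article describes. Labels and paths are made up.
SAMPLE_PLISTS = {
    "com.apple.example.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/exampled</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/.updater/updaterd</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/private/tmp/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


if __name__ == "__main__":
    # Use the host's real launchd jobs when available, the samples otherwise.
    plists = load_launchd_dirs() or SAMPLE_PLISTS
    for name, label, path, reasons in triage_all(plists):
        print(f"{name}: {label} -> {path}")
        for r in reasons:
            print(f"    {r}")
```

Third-party software legitimately installs launch daemons too, so a hit is a lead, not a verdict: follow up by checking when the plist was written, whether the binary it points at is code-signed, and which installer package registered it (`pkgutil --pkgs` and `pkgutil --files <id>` on macOS). A valid Developer ID signature on a package is not on its own proof that the package is benign.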
Despite the short list of commands that the threat can execute, they are more than enough to give the attackers almost complete control over the compromised machine. The AppleJeus backdoor can:
- Upload files to the infected host.
- Execute files on the infected host.
- Execute remote commands on the infected host.
Judging by the elaborate propagation method alone, it is safe to assume that the attackers are very experienced. This led security researchers to suspect that an APT (Advanced Persistent Threat) group is behind the attack. Upon studying the AppleJeus backdoor, experts found close parallels between it and other strains of malware attributed to the infamous North Korean APT known as Lazarus. Threats released by the Lazarus APT are highly capable and dangerous, which is why you should certainly consider investing in a reputable anti-malware application that will keep your system secure.