Malware Analysis Report
10322463.r4.v1
2021-04-08
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.
This MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see Joint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of Lazarus Group Cryptocurrency Malware at https://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.
There have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. In most versions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an unsuspecting individual downloads a third-party application from a website that appears legitimate.
The U.S. Government has identified AppleJeus malware version—Kupay Wallet—and associated IOCs used by the North Korean government in AppleJeus operations.
Kupay Wallet, discovered in March 2020, is a legitimate-looking cryptocurrency trading software that is marketed and distributed by a company and website—Kupay Service and kupaywallet[.]com, respectively—that appear legitimate. Some information has been redacted from this report to preserve victim anonymity.
For a downloadable copy of IOCs, see: MAR-10322463-4.v1.stix.
Submitted Files (7)
0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba (kupay_upgrade)
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6 (Kupay.exe)
55eacc25e9eaba5d3f04b6cbcac2e16879b83d967596d645e5ec4b8f42656ef9 (Kupay.dmg)
6b945159b4c816ec5e212ba125eb01938234205d8d3e57fca46de7c064c628f8 (Kupay.msi)
91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd (kupayupdate_stage2)
a0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492 (kupay)
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d (KupayUpgrade.exe)
Domains (2)
kupaywallet.com
levelframeblog.com
Findings
6b945159b4c816ec5e212ba125eb01938234205d8d3e57fca46de7c064c628f8
Tags
dropper
Details
| Name |
Kupay.msi |
|---|
| Size |
143568384 bytes |
|---|
| Type |
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {9DCFF3DB-C353-460A-B325-AF38D7F3E338}, Number of Words: 2, Subject: Kupay, Author: Kupay Service, Name of Creating Application: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer database contains the logic and data required to install Kupay., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 |
|---|
| MD5 |
afdf3dd62dafd401be4bbeca65b42635 |
|---|
| SHA1 |
8b45d12ed8c058ea0ce3122da9a82b9fb045d6a3 |
|---|
| SHA256 |
6b945159b4c816ec5e212ba125eb01938234205d8d3e57fca46de7c064c628f8 |
|---|
| SHA512 |
bdc7a8904ad154046ade472442810c0007e5494665b429d847eef74b05567422600dd543bd8ae632128cd8def853926f2a86eab0e7d91a1d4451489ea2262b55 |
|---|
| ssdeep |
3145728:M8yVXZLQX6rw3cJRGmMEuwRNiPTdy68L04oIRHndNQGOx:9yVXZfrw3CGtw3iPTdytmIRHdlw |
|---|
| Entropy |
7.997013 |
|---|
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
| 6b945159b4... |
Contains |
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6 |
| 6b945159b4... |
Contains |
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d |
| 6b945159b4... |
Downloaded_By |
kupaywallet.com |
Description
This Windows program from the Kupay Service site is a Windows MSI Installer with the file name Kupay[GUID].msi. The installer was hosted at hxxps[:]kupaywallet.com/product/[GUID]. The [GUID] is a unique file that is crated for a specific victim and is being withheld to preserve the identity of the intended recipient.
The installer looks legitimate and will install the "Kupay.exe" (1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6) file in the “C:\Program Files (x86)\Kupay” folder. It also installs "KupayUpgrade.exe" (fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d) in the “C:\Users\<username>\AppData\Roaming\KupaySupport” folder. Immediately after installation, the installer launches the "KupayUpgrade.exe" binary.
Screenshots
Figure 1 - Screenshot of "Kupay.msi" installation.
kupaywallet.com
Tags
command-and-control
URLs
- kupaywallet.com/kupay_update.php
- kupaywallet.com/product/
Whois
Whois for kupaywallet.com had the following information:
Registrar: NAMECHEAP INC
Creation Date: 2020-02-21
Registrar Registration Expiration Date: 2021-02-21
Relationships
| kupaywallet.com |
Downloaded |
6b945159b4c816ec5e212ba125eb01938234205d8d3e57fca46de7c064c628f8 |
| kupaywallet.com |
Downloaded |
55eacc25e9eaba5d3f04b6cbcac2e16879b83d967596d645e5ec4b8f42656ef9 |
| kupaywallet.com |
Connected_From |
0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba |
Description
The domain kupaywallet.com had a legitimately signed Sectigo Secure Sockets Layer (SSL) certificate, which was “Domain Control Validated” just as all previous AppleJeus domain certificates. Investigation revealed the point of contact listed for verification was admin[@]kupaywallet.com. No other contact information was available as the administrative or technical contact for the kupaywallet.com domain.
The domain is registered with NameCheap at the IP address 104.200.67.96 with ASN 8100.
In addition to the site kupaywallet.com, a Twitter account @kupayservice is associated with the company. This account tweets out general cryptocurrency articles and information and replies to various related tweets. The first tweet was on May 23, 2019, while the last was on July 11, 2019. Twitter lists the joined date for @kupayservice to be October 2018.
Screenshots
Figure 2 - Screenshot of KupayService Twitter account.
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6
Tags
trojan
Details
| Name |
Kupay.exe |
|---|
| Size |
97686016 bytes |
|---|
| Type |
PE32+ executable (GUI) x86-64, for MS Windows |
|---|
| MD5 |
668d696582f9c00029e2e8253470e9db |
|---|
| SHA1 |
e83ebe43da7bbfb9c95d34163383d1b3926e663f |
|---|
| SHA256 |
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6 |
|---|
| SHA512 |
0b370636ea2b7211d691a3bfcfc9017cb12df6874becb9b6334ca735bc325f59c50e99fc3b57c8db2d265e0c631651c7280109ffdbb3b48b7d3709d908228de6 |
|---|
| ssdeep |
1572864:MdJvugr82jf19dUM/1T8+1VJRukUhkmG:Mdhg6Pm |
|---|
| Entropy |
6.674838 |
|---|
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
| 97 |
78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f |
|---|
PE Metadata
| Compile Date |
2019-12-16 00:00:00-05:00 |
|---|
| Import Hash |
bb1d46df79ee2045d0bc2529cf6c7458 |
|---|
| Company Name |
BitPay |
|---|
| File Description |
Kupay |
|---|
| Internal Name |
Kupay |
|---|
| Legal Copyright |
Copyright © 2020 BitPay |
|---|
| Product Name |
Kupay |
|---|
| Product Version |
9.1.0.0 |
|---|
PE Sections
| MD5 |
Name |
Raw Size |
Entropy |
|---|
| 32b731864b0ff3d1c427c97d582e7897 |
header |
1024 |
2.990247 |
| 36430f041d87935dcb34adde2e7d625d |
.text |
78234112 |
6.471421 |
| ee7e02e8e2958ff79f25c8fd8b7d33e5 |
.rdata |
15596032 |
6.376243 |
| 65c59271f5c2bab26a7d0838e9f04bcf |
.data |
262144 |
3.484705 |
| 00406f1d9355757d80cbf48242fdf344 |
.pdata |
2768896 |
6.805097 |
| 6a6a225bfe091e65d3f82654179fbc50 |
.00cfg |
512 |
0.195869 |
| 786f587a97128c401be15c90fe059b72 |
.rodata |
6144 |
4.219562 |
| 9efa43af7b1faae15ffbd428d0485819 |
.tls |
512 |
0.136464 |
| 60d3ea61d541c9be2e845d2787fb9574 |
CPADinfo |
512 |
0.122276 |
| bf619eac0cdf3f68d496ea9344137e8b |
prot |
512 |
0.000000 |
| 85237257867935c227d2f2f39316b12a |
.rsrc |
106496 |
4.912524 |
| fb3216031225fdb1902888e247009d0c |
.reloc |
709120 |
5.476445 |
Packers/Compilers/Cryptors
| Microsoft Visual C++ 8.0 (DLL) |
Relationships
| 1b60a6d35c... |
Contained_Within |
6b945159b4c816ec5e212ba125eb01938234205d8d3e57fca46de7c064c628f8 |
Description
This file is a 64-bit Windows executable contained within the Windows MSI Installer "Kupay.msi." When executed, "Kupay.exe" loads a legitimate looking cryptocurrency wallet application with no signs of malicious activity. This application appears to be a modification of the open source cryptocurrency wallet Copay, which is distributed by Atlanta based company BitPay. According to their website bitpay.com, “BitPay builds powerful, enterprise-grade tools for crypto acceptance and spending."
In addition to application appearance being similar, a DNS request for "bitpay.com" is always sent out immediately after a DNS request for "kupaywallet.com" and the company listed in the version information for Kupay is Bitpay.
Lastly, the GitHub “Commit Hash” listed in the Dorusio application “638b2b1” is to a branch of Copay found at hxxps[:]//github.com/flean/copay-1 (Figure 5).
Screenshots
Figure 3 - Screenshot of the Kupay Wallet application.
Figure 4 - Screenshot of the Bitpay site displaying the application.
Figure 5 - Copay GitHub branch matching Dorusio.
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d
Tags
trojan
Details
| Name |
KupayUpgrade.exe |
|---|
| Size |
115712 bytes |
|---|
| Type |
PE32+ executable (GUI) x86-64, for MS Windows |
|---|
| MD5 |
60c2efdafbffc5bd6709c8e461f7b77d |
|---|
| SHA1 |
dbddccba18422eea5d7bb1bdfe66ceee90446a45 |
|---|
| SHA256 |
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d |
|---|
| SHA512 |
5543d4e5872ef5b0f12ba180425d2ab94131c03f4fec7195f3a74d051d5a867ad580ea794a1af6c6bd16e4bc27337cc138fe71aab9600792bfd5da1a1d262162 |
|---|
| ssdeep |
3072:oHAqeXaeHx9pdpqw6IQIsMF6s3yvPxdOBU:kWXaeHxrvB6X9M33 |
|---|
| Entropy |
6.128091 |
|---|
Antivirus
| Ahnlab |
Trojan/Win64.FakeCoinTrader |
|---|
| ESET |
a variant of Win64/NukeSped.DE trojan |
|---|
| K7 |
Trojan ( 00569b451 ) |
|---|
| Zillya! |
Trojan.Generic.Win32.1058845 |
|---|
YARA Rules
No matches found.
ssdeep Matches
| 94 |
572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09 |
|---|
PE Metadata
| Compile Date |
2020-02-25 03:46:13-05:00 |
|---|
| Import Hash |
565005404f00b7def4499142ade5e3dd |
|---|
PE Sections
| MD5 |
Name |
Raw Size |
Entropy |
|---|
| 695567cdbccfbe54b19634abe3bb1e5b |
header |
1024 |
2.723717 |
| e35b1061d665602ed7e1c2d9de87f059 |
.text |
65536 |
6.456115 |
| 1578510ae509e46d8f3201edb3349d54 |
.rdata |
39936 |
5.084900 |
| dbf3b39f579f6cafbdf3960f0a87f5f9 |
.data |
2560 |
1.851526 |
| cb3735cf6fde4690ee7a6cd2026eb4de |
.pdata |
4096 |
4.957030 |
| 90e2eb1b90616d039eca5e2627ea1134 |
.gfids |
512 |
1.320519 |
| 3f1861d2a0b1dc2d1329c9d2b3353924 |
.reloc |
2048 |
4.762609 |
Packers/Compilers/Cryptors
| Microsoft Visual C++ 8.0 (DLL) |
Relationships
| fc1aafd2ed... |
Contained_Within |
6b945159b4c816ec5e212ba125eb01938234205d8d3e57fca46de7c064c628f8 |
Description
This file is a 64-bit Windows executable contained within the Windows MSI Installer "Kupay.msi." When executed, "KupayUpgrade.exe" first installs itself as a service, which will automatically start when any user logs on. The service is installed with a description stating “Automatic Kupay Upgrade."
On startup, "KupayUpgrade.exe" allocates memory in order to later write a file. After allocating the memory and storing the hard-coded string “Latest” in a variable, the program attempts to open a network connection. The connection is named “Kupay Wallet 9.0.1 (Check Update Windows)”, likely to avoid suspicion from a user.
Similarly to previous AppleJeus variants, "KupayUpgrade.exe "collects some basic information from the system as well as a timestamp, and places them in hard coded format strings. Specifically, the timestamp is placed into a format string “ver=%d×tamp=%lu” where ver is set as the 90001, possibly referring to the Kupay Wallet version previously mentioned (Figure 7).
This basic information and hard-coded strings are sent via a POST to the C2 kupaywallet.com/kupay_update.php. If the POST is successful (i.e. returns an HTTP response status code of 200) but fails any of multiple different checks, "KupayUpgrade.exe" will sleep for two minutes and then regenerate the timestamp and contact the C2 again.
After receiving the payload from the C2, the program writes the payload to memory and executes the payload.
The payload for the Windows malware could not be downloaded, as the C2 server "kupaywallet.com/kupay_update.php" was no longer accessible. In addition, the sample was not identified in open source reporting for this sample.
Screenshots
|
