Malware Analysis Report
10322463.r4.v1
2021-02-12
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.
This MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see Joint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at https://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.
There have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. In most versions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an unsuspecting individual downloads a third-party application from a website that appears legitimate.
The U.S. Government has identified AppleJeus malware version—Kupay Wallet—and associated IOCs used by the North Korean government in AppleJeus operations.
Kupay Wallet, discovered in March 2020, is a legitimate-looking cryptocurrency trading software that is marketed and distributed by a company and website—Kupay Service and kupaywallet[.]com, respectively—that appear legitimate. Some information has been redacted from this report to preserve victim anonymity.
For a downloadable copy of IOCs, see: MAR-10322463-4.v1.stix.
Submitted Files (7)
0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba (kupay_upgrade)
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6 (Kupay.exe)
[Redacted] (Kupay.dmg)
[Redacted] (Kupay.msi)
91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd (kupayupdate_stage2)
a0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492 (kupay)
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d (KupayUpgrade.exe)
Domains (2)
kupaywallet.com
levelframeblog.com
Findings
[Redacted]
Tags
dropper
Details
| Name |
Kupay.msi |
|---|
| Size |
[Redacted] bytes |
|---|
| Type |
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Number of Words: 2, Subject: Kupay, Author: Kupay Service, Name of Creating Application: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer database contains the logic and data required to install Kupay., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 |
|---|
| MD5 |
[Redacted] |
|---|
| SHA1 |
[Redacted] |
|---|
| SHA256 |
[Redacted] |
|---|
| SHA512 |
[Redacted] |
|---|
| ssdeep |
[Redacted] |
|---|
| Entropy |
[Redacted] |
|---|
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
| [Redacted] |
Contains |
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6 |
| [Redacted] |
Contains |
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d |
| [Redacted] |
Downloaded_By |
kupaywallet.com |
Description
This Windows program from the Kupay Service site is a Windows MSI Installer with the file name Kupay[GUID].msi. The installer was hosted at hxxps[:]kupaywallet.com/product/[GUID]. The [GUID] is a unique file that is crated for a specific victim and is being withheld to preserve the identity of the intended recipient.
The installer looks legitimate and will install the "Kupay.exe" (1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6) file in the “C:\Program Files (x86)\Kupay” folder. It also installs "KupayUpgrade.exe" (fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d) in the “C:\Users\<username>\AppData\Roaming\KupaySupport” folder. Immediately after installation, the installer launches the "KupayUpgrade.exe" binary.
Screenshots
Figure 1 - Screenshot of "Kupay.msi" installation.
kupaywallet.com
Tags
command-and-control
URLs
- kupaywallet.com/kupay_update.php
- kupaywallet.com/product/
Whois
Whois for kupaywallet.com had the following information:
Registrar: NAMECHEAP INC
Creation Date: 2020-02-21
Registrar Registration Expiration Date: 2021-02-21
Relationships
| kupaywallet.com |
Downloaded |
[Redacted] |
| kupaywallet.com |
Downloaded |
[Redacted] |
| kupaywallet.com |
Connected_From |
0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba |
Description
The domain kupaywallet.com had a legitimately signed Sectigo Secure Sockets Layer (SSL) certificate, which was “Domain Control Validated” just as all previous AppleJeus domain certificates. Investigation revealed the point of contact listed for verification was admin[@]kupaywallet.com. No other contact information was available as the administrative or technical contact for the kupaywallet.com domain.
The domain is registered with NameCheap at the IP address 104.200.67.96 with ASN 8100.
In addition to the site kupaywallet.com, a Twitter account @kupayservice is associated with the company. This account tweets out general cryptocurrency articles and information and replies to various related tweets. The first tweet was on May 23, 2019, while the last was on July 11, 2019. Twitter lists the joined date for @kupayservice to be October 2018.
Screenshots
Figure 2 - Screenshot of KupayService Twitter account.
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6
Tags
trojan
Details
| Name |
Kupay.exe |
|---|
| Size |
97686016 bytes |
|---|
| Type |
PE32+ executable (GUI) x86-64, for MS Windows |
|---|
| MD5 |
668d696582f9c00029e2e8253470e9db |
|---|
| SHA1 |
e83ebe43da7bbfb9c95d34163383d1b3926e663f |
|---|
| SHA256 |
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6 |
|---|
| SHA512 |
0b370636ea2b7211d691a3bfcfc9017cb12df6874becb9b6334ca735bc325f59c50e99fc3b57c8db2d265e0c631651c7280109ffdbb3b48b7d3709d908228de6 |
|---|
| ssdeep |
1572864:MdJvugr82jf19dUM/1T8+1VJRukUhkmG:Mdhg6Pm |
|---|
| Entropy |
6.674838 |
|---|
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
| 97 |
78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f |
|---|
PE Metadata
| Compile Date |
2019-12-16 00:00:00-05:00 |
|---|
| Import Hash |
bb1d46df79ee2045d0bc2529cf6c7458 |
|---|
| Company Name |
BitPay |
|---|
| File Description |
Kupay |
|---|
| Internal Name |
Kupay |
|---|
| Legal Copyright |
Copyright © 2020 BitPay |
|---|
| Product Name |
Kupay |
|---|
| Product Version |
9.1.0.0 |
|---|
PE Sections
| MD5 |
Name |
Raw Size |
Entropy |
|---|
| 32b731864b0ff3d1c427c97d582e7897 |
header |
1024 |
2.990247 |
| 36430f041d87935dcb34adde2e7d625d |
.text |
78234112 |
6.471421 |
| ee7e02e8e2958ff79f25c8fd8b7d33e5 |
.rdata |
15596032 |
6.376243 |
| 65c59271f5c2bab26a7d0838e9f04bcf |
.data |
262144 |
3.484705 |
| 00406f1d9355757d80cbf48242fdf344 |
.pdata |
2768896 |
6.805097 |
| 6a6a225bfe091e65d3f82654179fbc50 |
.00cfg |
512 |
0.195869 |
| 786f587a97128c401be15c90fe059b72 |
.rodata |
6144 |
4.219562 |
| 9efa43af7b1faae15ffbd428d0485819 |
.tls |
512 |
0.136464 |
| 60d3ea61d541c9be2e845d2787fb9574 |
CPADinfo |
512 |
0.122276 |
| bf619eac0cdf3f68d496ea9344137e8b |
prot |
512 |
0.000000 |
| 85237257867935c227d2f2f39316b12a |
.rsrc |
106496 |
4.912524 |
| fb3216031225fdb1902888e247009d0c |
.reloc |
709120 |
5.476445 |
Packers/Compilers/Cryptors
| Microsoft Visual C++ 8.0 (DLL) |
Relationships
| 1b60a6d35c... |
Contained_Within |
[Redacted] |
Description
This file is a 64-bit Windows executable contained within the Windows MSI Installer "Kupay.msi." When executed, "Kupay.exe" loads a legitimate looking cryptocurrency wallet application with no signs of malicious activity. This application appears to be a modification of the open source cryptocurrency wallet Copay, which is distributed by Atlanta based company BitPay. According to their website bitpay.com, “BitPay builds powerful, enterprise-grade tools for crypto acceptance and spending."
In addition to application appearance being similar, a DNS request for "bitpay.com" is always sent out immediately after a DNS request for "kupaywallet.com" and the company listed in the version information for Kupay is Bitpay.
Lastly, the GitHub “Commit Hash” listed in the Dorusio application “638b2b1” is to a branch of Copay found at hxxps[:]//github.com/flean/copay-1 (Figure 5).
Screenshots
Figure 3 - Screenshot of the Kupay Wallet application.
Figure 4 - Screenshot of the Bitpay site displaying the application.
Figure 5 - Copay GitHub branch matching Dorusio.
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d
Tags
trojan
Details
| Name |
KupayUpgrade.exe |
|---|
| Size |
115712 bytes |
|---|
| Type |
PE32+ executable (GUI) x86-64, for MS Windows |
|---|
| MD5 |
60c2efdafbffc5bd6709c8e461f7b77d |
|---|
| SHA1 |
dbddccba18422eea5d7bb1bdfe66ceee90446a45 |
|---|
| SHA256 |
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d |
|---|
| SHA512 |
5543d4e5872ef5b0f12ba180425d2ab94131c03f4fec7195f3a74d051d5a867ad580ea794a1af6c6bd16e4bc27337cc138fe71aab9600792bfd5da1a1d262162 |
|---|
| ssdeep |
3072:oHAqeXaeHx9pdpqw6IQIsMF6s3yvPxdOBU:kWXaeHxrvB6X9M33 |
|---|
| Entropy |
6.128091 |
|---|
Antivirus
| Ahnlab |
Trojan/Win64.FakeCoinTrader |
|---|
| ESET |
a variant of Win64/NukeSped.DE trojan |
|---|
| K7 |
Trojan ( 00569b451 ) |
|---|
| Zillya! |
Trojan.Generic.Win32.1058845 |
|---|
YARA Rules
No matches found.
ssdeep Matches
| 94 |
572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09 |
|---|
PE Metadata
| Compile Date |
2020-02-25 03:46:13-05:00 |
|---|
| Import Hash |
565005404f00b7def4499142ade5e3dd |
|---|
PE Sections
| MD5 |
Name |
Raw Size |
Entropy |
|---|
| 695567cdbccfbe54b19634abe3bb1e5b |
header |
1024 |
2.723717 |
| e35b1061d665602ed7e1c2d9de87f059 |
.text |
65536 |
6.456115 |
| 1578510ae509e46d8f3201edb3349d54 |
.rdata |
39936 |
5.084900 |
| dbf3b39f579f6cafbdf3960f0a87f5f9 |
.data |
2560 |
1.851526 |
| cb3735cf6fde4690ee7a6cd2026eb4de |
.pdata |
4096 |
4.957030 |
| 90e2eb1b90616d039eca5e2627ea1134 |
.gfids |
512 |
1.320519 |
| 3f1861d2a0b1dc2d1329c9d2b3353924 |
.reloc |
2048 |
4.762609 |
Packers/Compilers/Cryptors
| Microsoft Visual C++ 8.0 (DLL) |
Relationships
| fc1aafd2ed... |
Contained_Within |
[Redacted] |
|
