Alert on AppleJeus Cryptocurrency Malware

Published on 18 Feb 2021

Updated on 18 Feb 2021

The Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of the Treasury have issued a joint advisory (AA21-048A) on state-sponsored advanced persistent threat (APT) actors targeting individuals and organisations, including cryptocurrency exchanges, through the dissemination of seemingly legitimate cryptocurrency trading applications. These applications have been modified to include a payload that gives the threat actors full access to a user's device or an organisation's network(s) and facilitates the theft of cryptocurrencies. The malware used by these APT actors is referred to as "AppleJeus".

AppleJeus malware was first discovered in 2018. Since January 2020, the APT actors have used it against organisations in many countries, including Singapore. There are currently seven known versions of the AppleJeus malware, the latest of which, "Ants2Whale", was identified in late 2020.

We advise organisations and users who use or provide cryptocurrency services to be vigilant and adopt the following best practices to defend against the AppleJeus malware and related malicious activities:

For Organisations

Organisations are advised to take the following steps to protect their network(s) against AppleJeus malware and to detect it if present:

  • Ensure all software is up to date and all security patches have been applied
  • Ensure a network-based firewall is installed and kept updated
  • Ensure the firewall's firmware is updated
  • Install anti-virus (AV) software and run daily deep scans of the host. Ensure the AV software downloads the latest signatures daily so that it can detect the latest AppleJeus malware versions
  • Install host-based intrusion detection system (HIDS) software and keep it updated with the latest indicators of compromise (IOCs) attributable to AppleJeus malware versions
  • Cryptocurrency platform providers should additionally verify their compliance with the Cryptocurrency Security Standard (CCSS) at https://cryptoconsortium.github.io/CCSS

Organisations that have detected AppleJeus malware in their network(s) are advised to take the following remediation measures immediately:

  • Isolate impacted host(s) from their network(s)
  • Change the passwords of all accounts associated with the impacted host(s) and enable two-factor authentication (2FA) where available
  • Restore impacted host(s) from previous uninfected backups
  • Generate new keys for cryptocurrency wallets and/or move to new wallets
  • Use hardware cryptocurrency wallets, which keep private keys in separate, secured storage

For Cryptocurrency Users

  • Exercise caution and verify the source before clicking on links or downloading cryptocurrency-related applications, especially those received in unsolicited messages and emails
  • Download applications only from official websites and sources, and scan downloaded software with anti-virus before executing it
  • Consider using multiple wallets for key storage
  • Use custodial accounts with multi-factor authentication (MFA) mechanisms for both user and device verification
  • Patronise cryptocurrency service businesses that offer indemnity protection for lost or stolen cryptocurrencies
  • Consider having a dedicated device for cryptocurrency management
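The advice above to verify the source of a download before running it can be made concrete by checking the installer's SHA-256 digest against a value obtained out-of-band (the vendor's signed release notes, its support channel, or a second trusted mirror) before it is scanned and executed. The script below is an added example, not part of the advisory or of any vendor's tooling; the sample file and its contents are constructed inline, and the only assumption is that sha256sum (coreutils) or shasum (macOS) is installed.

```shell
#!/bin/sh
# Added example (not from the advisory): refuse to run a downloaded installer
# unless its SHA-256 digest matches one obtained from a source other than the
# download page itself. Assumes sha256sum (Linux) or shasum (macOS) exists.

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 otherwise. Upper-case digests are
# accepted because vendors publish them in either case.
verify_download() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Usage with a constructed sample file. A real run would point at the
# downloaded .dmg/.msi and a digest copied from the vendor's release notes,
# not from the same page that served the download.
tmp="$(mktemp)"
printf 'constructed sample installer contents\n' > "$tmp"
good="$(sha256_of "$tmp")"
verify_download "$tmp" "$good"
verify_download "$tmp" "$(printf '%064d' 0)" || echo "refusing to run $tmp"
rm -f "$tmp"
```

The check is only as strong as the channel the expected digest came from: a digest printed beside the download link on an attacker-controlled site will match the attacker's file. Treat a mismatch as a reason not to run the file at all, not as a prompt to re-download and retry.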

References:

https://us-cert.cisa.gov/ncas/alerts/aa21-048a