{
	"id": "a850e8ba-2224-4aad-b9df-20da25bd0ce5",
	"created_at": "2026-04-10T03:20:42.864218Z",
	"updated_at": "2026-04-10T13:12:23.228033Z",
	"deleted_at": null,
	"sha1_hash": "2ea8abf1595de041b6386cc7beb1adba2508da6a",
	"title": "MAR-10322463-5.v1 - AppleJeus: CoinGoTrade | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98536,
	"plain_text": "MAR-10322463-5.v1 - AppleJeus: CoinGoTrade | CISA\r\nPublished: 2021-02-17 · Archived: 2026-04-10 02:43:18 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber\r\nthreat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and\r\nprovide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus\r\nGroup—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is\r\ntargeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the\r\ndissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of\r\ncryptocurrency.\r\nThis MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by\r\nthe North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as\r\nHIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see\r\nJoint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at\r\nhttps://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e\r\nPage 1 of 15\n\nThere have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. 
In most\r\nversions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an\r\nunsuspecting individual downloads a third-party application from a website that appears legitimate.\r\nThe U.S. Government has identified an AppleJeus malware version—CoinGoTrade—and associated IOCs used by the North\r\nKorean government in AppleJeus operations.\r\nCoinGoTrade, discovered in October 2020, is legitimate-looking cryptocurrency trading software that is marketed and\r\ndistributed by a company and website—CoinGoTrade and coingotrade[.]com, respectively—that appear legitimate. Some\r\ninformation has been redacted from this report to preserve victim anonymity.\r\nFor a downloadable copy of IOCs, see: MAR-10322463-5.v1.stix.\r\nSubmitted Files (7)\r\n326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd (CoinGoTradeUpgradeDaemon)\r\n[Redacted] (CoinGoTrade.msi)\r\n3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4 (CoinGoTrade.exe)\r\n527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18 (CoinGo_Trade)\r\n572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09 (CoinGoTradeUpdate.exe)\r\n5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 (prtspool)\r\n[Redacted] (CoinGoTrade.dmg)\r\nDomains (4)\r\nairbseeker.com\r\ncoingotrade.com\r\nglobalkeystroke.com\r\nwoodmate.it\r\nIPs (1)\r\n23.152.0.101\r\nFindings\r\n[Redacted]\r\nTags\r\ndropper\r\nDetails\r\nName CoinGoTrade.msi\r\nSize [Redacted] bytes\r\nType\r\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer,\r\nSecurity: 0, Code page: 1252, Number of Words: 2, Subject: CoinGoTrade, Author: CoinGoTrade, Name of\r\nCreating Application: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer\r\ndatabase contains the logic and data required to install CoinGoTrade., Title: Installation Database,\r\nKeywords: Installer, MSI, Database, Number of Pages: 
200\r\nMD5 [Redacted]\r\nSHA1 [Redacted]\r\nSHA256 [Redacted]\r\nSHA512 [Redacted]\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e\r\nPage 2 of 15\n\nssdeep [Redacted]\r\nEntropy [Redacted]\r\nAntivirus\r\nAvira TR/NukeSped.lyfhd\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n[Redacted] Downloaded_By coingotrade.com\r\n[Redacted] Contains 3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4\r\n[Redacted] Contains 572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09\r\nDescription\r\nThis Windows program from the CoinGoTrade site is a Windows MSI Installer. The installer appears to be legitimate and\r\nwill install \"CoinGoTrade.exe\" (3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4) in the\r\n“C:\\Program Files (x86)\\CoinGoTrade” folder. It will also install \"CoinGoTradeUpdate.exe\"\r\n(572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09) in the “C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Roaming\\CoinGoTradeSupport” folder. 
Immediately after installation, the installer launches\r\n\"CoinGoTradeUpdate.exe.\" During installation, a \"CoinGoTrade\" folder containing the \"CoinGoTrade.exe\" application is\r\nadded to the start menu.\r\nScreenshots\r\nFigure 1 - Screenshot of \"CoinGoTrade\" installation.\r\ncoingotrade.com\r\nURLs\r\ncoingotrade.com/update_coingotrade.php\r\nhxxps[:]//coingotrade.com/download/[GUID]\r\nWhois\r\nWhois for coingotrade.com had the following information:\r\nRegistrar: NAMECHEAP INC\r\nCreation Date: 2020-02-28\r\nRegistrar Registration Expiration Date: 2021-02-28\r\nRelationships\r\ncoingotrade.com Downloaded [Redacted]\r\ncoingotrade.com Connected_From 572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09\r\ncoingotrade.com Downloaded [Redacted]\r\nDescription\r\nThe domain \"coingotrade.com\" had a legitimately signed Sectigo Secure Sockets Layer (SSL) certificate, which was\r\n“Domain Control Validated,\" similar to the domain certificates for previous AppleJeus variants. Investigation revealed the\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e\r\nPage 3 of 15\n\npoint of contact listed for verification was support[@]coingotrade.com. 
No other contact information was available as the\r\nadministrative or technical contact for the coingotrade.com domain.\r\nThe domain is registered with NameCheap at the IP address 198.54.114.175 with ASN 22612.\r\nInvestigation revealed the IP address 198.54.114.175 was hosted at NameCheap, but no records were available at the time of\r\nwriting.\r\nScreenshots\r\nFigure 2 - Screenshot of the \"CoinGoTrade\" website.\r\n3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4\r\nTags\r\ntrojan\r\nDetails\r\nName CoinGoTrade.exe\r\nSize 166912 bytes\r\nType PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 88de31ad947927004ab56ab1e855fd64\r\nSHA1 1d1f9f3ee8329c3f3033222a46c7a311f259a359\r\nSHA256 3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4\r\nSHA512 6e8391afc19ddfb841b79cc9b697fcd162d3a94a79976d3525476475d6fbe684ce9f2ba3a433cd725a51a71f6f74635a109914ff14252fac7e\r\nssdeep 3072:ssXh1ExFDi8z4C3Ssi5jCxe7IDYQFNY7BGMDK49eQ:sZRul5rLK4s\r\nEntropy 4.402659\r\nAntivirus\r\nAhnlab Trojan/Win32.FakeCoinTrader\r\nBitDefender Gen:Variant.MSILHeracles.2293\r\nESET a variant of MSIL/Agent.TYJ trojan\r\nEmsisoft Gen:Variant.MSILHeracles.2293 (B)\r\nLavasoft Gen:Variant.MSILHeracles.2293\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2020-03-17 04:55:13-04:00\r\nImport Hash f34d5f2d4577ed6d9ceec516c1f5a744\r\nFile Description CryptoMex\r\nInternal Name CoinGoTrade.exe\r\nLegal Copyright Copyright © 2020\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e\r\nPage 4 of 15\n\nOriginal Filename CoinGoTrade.exe\r\nProduct Name CryptoMex\r\nProduct Version 1.0.0.0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nebb11bbea122a2fc761dff1d05defdb0 header 512 2.714333\r\nb0d3ef9b5a227d092cf27c40c028d82d .text 40960 4.785436\r\n35d28033f1f2359f265d8f406fc2c620 .rsrc 124928 4.154855\r\n9d7ce3b9440143a341b9232fc0cb38ce .reloc 512 
0.081539\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C# v7.0 / Basic .NET\r\nRelationships\r\n3e5442440a... Contained_Within [Redacted]\r\n3e5442440a... Connected_To 23.152.0.101\r\nDescription\r\nThis file is a 32-bit Windows executable contained within the Windows MSI Installer \"CoinGoTrade.msi.\" When executed,\r\n\"CoinGoTrade.exe\" loads a legitimate-looking cryptocurrency wallet application with no signs of malicious activity. The\r\nstrings for \"CoinGoTrade.exe\" contain the command and control (C2) \"hxxp[:]//23.152.0.101:8080/\", which was also\r\nidentified in the MacOS CoinGo_Trade (527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18) and\r\nthe Kupay Wallet Stage 2 from AppleJeus version 4. In addition, a build path is present in the strings\r\n“U:\\work\\CryptoMex\\teobot\\teobot\\obj\\Release\\CoinGoTrade.pdb\" and the file properties description also states\r\n“CryptoMex.\" CryptoMex is likely an open source cryptocurrency application which was copied in order to create this\r\napplication.\r\nScreenshots\r\nFigure 3 - Screenshot of \"CryptoMex\" listed in \"CoinGoTrade.exe\" properties.\r\n23.152.0.101\r\nTags\r\ncommand-and-control\r\nPorts\r\n8080 TCP\r\nWhois\r\nQueried whois.arin.net with \"n 23.152.0.101\"...\r\nNetRange:     23.152.0.0 - 23.152.0.255\r\nCIDR:         23.152.0.0/24\r\nNetName:        CROWNCLOUD-V6V4\r\nNetHandle:     NET-23-152-0-0-1\r\nParent:         NET23 (NET-23-0-0-0-0)\r\nNetType:        Direct Allocation\r\nOriginAS:     AS8100\r\nOrganization: Crowncloud US LLC (CUL-34)\r\nRegDate:        2015-11-23\r\nUpdated:        2015-11-23\r\nComment:        IPs in this block are statically assigned, please report any abuse to admin@crowncloud.us\r\nRef:            https://rdap.arin.net/registry/ip/23.152.0.0\r\nOrgName:        Crowncloud US LLC\r\nOrgId:         CUL-34\r\nAddress:        530 W 6th St\r\nAddress:        C/O Cid 4573 
Quadranet Inc. Ste 901\r\nCity:         Los Angeles\r\nStateProv:     CA\r\nPostalCode:     90014-1207\r\nCountry:        US\r\nRegDate:        2014-07-25\r\nUpdated:        2017-10-10\r\nRef:            https://rdap.arin.net/registry/entity/CUL-34\r\nOrgTechHandle: CROWN9-ARIN\r\nOrgTechName: Crowncloud Support\r\nOrgTechPhone: +1-940-867-4072\r\nOrgTechEmail: admin@crowncloud.us\r\nOrgTechRef:    https://rdap.arin.net/registry/entity/CROWN9-ARIN\r\nOrgAbuseHandle: CROWN9-ARIN\r\nOrgAbuseName: Crowncloud Support\r\nOrgAbusePhone: +1-940-867-4072\r\nOrgAbuseEmail: admin@crowncloud.us\r\nOrgAbuseRef:    https://rdap.arin.net/registry/entity/CROWN9-ARIN\r\nRelationships\r\n23.152.0.101 Connected_From 3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4\r\n23.152.0.101 Connected_From 527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18\r\nDescription\r\nThis IP address is the C2 for \"CoinGoTrade.exe\" and \"CoinGo_Trade.\"\r\n572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09\r\nTags\r\ntrojan\r\nDetails\r\nName CoinGoTradeUpdate.exe\r\nSize 115712 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 149a696472d4a189f5896336ab16cc34\r\nSHA1 decb43141699e43a1d27dc2db063e0020f9f33aa\r\nSHA256 572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09\r\nSHA512 32081f04a1b4a9540aad81a2a20c00c81ade40624dd446babebeb7230bb84025ba59516fab1388aad3fbf6842811ef2d8d6f0978950442c32\r\nssdeep 3072:FHAqeXaeHx9pdpqw6IQIsMF6s3yv7pHOBo:FWXaeHxrvB6X9M33\r\nEntropy 6.128250\r\nAntivirus\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e\r\nPage 6 of 15\n\nAhnlab Trojan/Win64.FakeCoinTrader\r\nAvira TR/NukeSped.ooibk\r\nESET a variant of Win64/NukeSped.CR trojan\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Trojan ( 00567f291 )\r\nSymantec Trojan.Gen.2\r\nTACHYON Trojan/W64.APosT.115712\r\nZillya! 
Trojan.APosT.Win32.1433\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\n94 fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d\r\nPE Metadata\r\nCompile Date 2020-03-17 21:02:52-04:00\r\nImport Hash 565005404f00b7def4499142ade5e3dd\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nd959d6ecb853f993046f81f109f7a5a9 header 1024 2.714314\r\ne350351a05606da16418a7f01436cd7d .text 65536 6.455927\r\n5889779ac56e5fa9aa8123921d9ba943 .rdata 39936 5.084443\r\ndbf3b39f579f6cafbdf3960f0a87f5f9 .data 2560 1.851526\r\n9b5c53415d33ef775d744a48f71fcd18 .pdata 4096 4.957426\r\n90e2eb1b90616d039eca5e2627ea1134 .gfids 512 1.320519\r\n3f1861d2a0b1dc2d1329c9d2b3353924 .reloc 2048 4.762609\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\n572a124f56... Contained_Within [Redacted]\r\n572a124f56... Connected_To coingotrade.com\r\nDescription\r\nThis file is a 64-bit (PE32+, x86-64) Windows executable contained within the Windows MSI Installer \"CoinGoTrade.msi.\" When executed,\r\n\"CoinGoTradeUpdate.exe\" installs itself as a service, which will automatically start when any user logs on. The service is\r\ninstalled with the description “Automatic CoinGoTrade Upgrade.\"\r\nAfter installing the service, \"CoinGoTradeUpdate.exe\" behaves much like the updater component of AppleJeus version\r\n4 \"Kupay Wallet.\" On startup \"CoinGoTradeUpdate.exe\" allocates memory to write a file. After allocating the memory and storing\r\nthe hard-coded string “Latest” in a variable, the program attempts to open a network connection. The connection is named\r\n\"CoinGoTrade 1.0 (Check Update Windows),\" a name likely chosen to avoid arousing the user's suspicion.\r\nSimilar to previous AppleJeus variants, \"CoinGoTradeUpdate.exe\" collects some basic information from the system as\r\nwell as a timestamp, and places the collected information in hard-coded format strings. 
Specifically, the timestamp is placed\r\ninto a format string “ver=%d\u0026timestamp=%lu” where \"ver\" is set to 1000, possibly referring to the CoinGoTrade\r\nversion previously mentioned. This basic information and the hard-coded strings are sent via a POST to the C2\r\n\"coingotrade.com/update_coingotrade.php.\" If the POST is successful (i.e., returns an HTTP response status code of 200) but\r\nthe response fails any of several checks, \"CoinGoTradeUpdate.exe\" sleeps for two minutes, regenerates the\r\ntimestamp, and contacts the C2 again.\r\nAfter receiving the payload from the C2, the program writes the payload to memory and executes it.\r\nThe payload for the Windows malware could not be downloaded, as the C2 server\r\n\"coingotrade.com/update_coingotrade.php\" was no longer accessible, and no copy of it was identified in open\r\nsource reporting. The Windows payload is likely similar in functionality to \"prtspool\"\r\n(5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8), the OSX stage 2 sample.\r\nScreenshots\r\nFigure 4 - Screenshot of the format string and version.\r\n[Redacted]\r\nTags\r\ndropper trojan\r\nDetails\r\nName CoinGoTrade.dmg\r\nSize [Redacted] bytes\r\nType zlib compressed data\r\nMD5 [Redacted]\r\nSHA1 [Redacted]\r\nSHA256 [Redacted]\r\nSHA512 [Redacted]\r\nssdeep [Redacted]\r\nEntropy [Redacted]\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n[Redacted] Downloaded_By coingotrade.com\r\n[Redacted] Contains 527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18\r\n[Redacted] Contains 326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd\r\nDescription\r\nThis OSX program from the CoinGoTrade site is an Apple DMG installer. The installer was hosted at\r\nhxxps[:]//coingotrade.com/[GUID]. 
The [GUID] component of the path is unique to a specific victim and is being withheld to\r\npreserve the identity of the intended recipient. The OSX program is an Apple DMG installer with the file name\r\nCoinGoTrade.dmg.\r\nThe OSX program does not have a digital signature, and macOS will warn the user of that before installation. As with all previous\r\nversions of AppleJeus, the CoinGoTrade installer appears to be legitimate and installs both “CoinGo_Trade”\r\n(527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18) in the\r\n“/Applications/CoinGoTrade.app/Contents/MacOS/” folder and a program named \"CoinGoTradeUpgradeDaemon\"\r\n(326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd) in the same\r\nfolder. The installer contains a postinstall script (Figure 5).\r\nThe postinstall script is identical in functionality to the postinstall scripts from previous AppleJeus variants and is identical\r\nto the AppleJeus variant 4 \"Kupay\" postinstall script except that it omits the \"launchctl\" command. The postinstall script creates a\r\n“CoinGoTradeService” folder in the OSX “/Library/Application Support” folder and moves\r\n\"CoinGoTradeUpgradeDaemon\" to it. The “Application Support” folder contains both system and third-party support files\r\nwhich are necessary for program operation. 
Typically, the subfolders have names matching those of the actual applications.\r\nAt installation, CoinGoTrade placed the plist file (com.coingotrade.pkg.product.plist) in “/Library/LaunchDaemons/.\"\r\nBecause copying the plist into “/Library/LaunchDaemons/” does not start the job until launchd loads it, the postinstall script then launches the\r\n\"CoinGoTradeUpgradeDaemon\" program in the background.\r\nScreenshots\r\nFigure 5 - Screenshot of the postinstall script.\r\nFigure 6 - Screenshot of \"com.coingotrade.pkg.product.plist.\"\r\n527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18\r\nTags\r\ntrojan\r\nDetails\r\nName CoinGo_Trade\r\nSize 49536 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|PIE\u003e\r\nMD5 7a73178c682d1a61b2f1c61ae558b608\r\nSHA1 358f4c8575c82f45340886f282d41ca0560cfa6e\r\nSHA256 527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18\r\nSHA512 bb044103c9d2abd04b06a7bae31215302e8310ef5e815ee15025b430b9ea230c7246c96769b2f03a614e1d196ab9bbdf9d3b49980d1b282f\r\nssdeep 384:O6XCYcjaTtLXN8KzIBAsyDfpBkSp6nHYYAZvamQ5nT:O6XZnRNnzICsyuHYrBxgn\r\nEntropy 3.472034\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n527792dfab... Contained_Within [Redacted]\r\n527792dfab... Connected_To 23.152.0.101\r\nDescription\r\nThis OSX sample was contained within the Apple DMG installer \"CoinGoTrade.dmg.\" \"CoinGo_Trade\" is likely a copy of an\r\nopen source cryptocurrency application. 
The strings for \"CoinGo_Trade\" contain the C2 hxxp[:]//23.152.0.101:8080, which\r\nis also found in the Windows CoinGoTrade.exe\r\n(3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4) and the Kupay Wallet Stage 2 from AppleJeus\r\nversion 4.\r\n326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName CoinGoTradeUpgradeDaemon\r\nSize 33312 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|PIE\u003e\r\nMD5 0d195513534855e613bd7a29243565ab\r\nSHA1 80923c208c2c821ed99e1ed8f50bd549598a210c\r\nSHA256 326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd\r\nSHA512 d4c822252c03523a3e37edf314caa5142be230e2c34e3f5b648a944b88632e6e74af41bc9c8661c608fdff19822c590f6f98d41dc524385be3\r\nssdeep 192:fWkPKt21UIIymPTTDO/kqMd+K2uk6aLc4eL:fWIogUKmPTT8\r\nEntropy 1.690330\r\nAntivirus\r\nAhnlab Trojan/OSX64.FakeCoinTrader.33313\r\nAntiy Trojan/Mac.NukeSped\r\nAvira OSX/NukeSped.ifaaj\r\nBitDefender Gen:Variant.Trojan.MAC.Lazarus.4\r\nClamAV Osx.Malware.Agent-8010705-0\r\nESET a variant of OSX/NukeSped.F trojan\r\nEmsisoft Gen:Variant.Trojan.MAC.Lazarus.4 (B)\r\nIkarus Trojan.OSX.Nukesped\r\nLavasoft Gen:Variant.Trojan.MAC.Lazarus.4\r\nMcAfee OSX/Lazarus.c\r\nMicrosoft Security Essentials Trojan:MacOS/NukeSped.D!MTB\r\nQuick Heal Mac.Backdoor.38173.GC\r\nSophos OSX/NukeSped-AG\r\nSymantec OSX.Trojan.Gen\r\nTrendMicro TROJ_FR.84D8D3BE\r\nTrendMicro House Call TROJ_FR.84D8D3BE\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e\r\nPage 10 of 15\n\nZillya! Trojan.NukeSped.OSX.7\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n326d7836d5... Contained_Within [Redacted]\r\nDescription\r\nThis OSX sample was contained within Apple DMG installer \"CoinGoTrade.dmg.\" \"CoinGoTradeUpgradeDaemon\" is\r\nsimilar to \"kupay_upgrade\" from AppleJeus version 4. 
When executed, \"CoinGoTradeUpgradeDaemon\" will immediately\r\nsleep for five seconds and then test whether the hard-coded value stored in “isReady” is a 0 or a 1. If it is a 0, the program\r\nsleeps again; if it is a 1, the function “CheckUpdate” is called. This function contains most of the malware's logic.\r\n\"CheckUpdate\" sends a POST to the C2 hxxps[:]//coingotrade.com/update_coingotrade.php with a connection\r\nnamed “CoinGoTrade 1.0 (Check Update Osx).”\r\nIf the C2 server returns a file, it is decoded and written to “/private/tmp/updatecoingotrade” and the permissions are set with\r\nthe command \"chmod 700\" (only the owner can read, write, and execute). The stage 2 malware\r\n(/private/tmp/updatecoingotrade) is then launched, and \"CoinGoTradeUpgradeDaemon\" returns to sleeping and\r\nchecking in with the C2 server.\r\nThe stage 2 payload for CoinGoTrade was no longer available from the specified download URL; however, a file\r\n\"prtspool\" (5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8) was submitted to VirusTotal by the\r\nsame user on the same date as \"CoinGoTradeUpgradeDaemon.\" This suggests the submitted file may be related to the OSX\r\nmalware and could be the downloaded payload. 
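The host artifacts described above (the LaunchDaemon plist, the CoinGoTradeService copy of the daemon under /Library/Application Support, the stage 2 drop at /private/tmp/updatecoingotrade), together with the /private/etc/krb5d.conf configuration path the report lists for prtspool, can be checked on a live system or a mounted image. The script below is an added example for this write-up, not code from the report or from CISA. The paths, the launchd label and the SHA256 values are taken from the report; the root parameter (so it can be pointed at an image or a test tree) and the heuristic that flags launchd jobs whose binary lives under Application Support are our additions.

```python
"""Hunt a macOS volume for the CoinGoTrade / prtspool host artifacts in MAR-10322463-5.v1.

Added example, not code from the report. Paths, label and hashes come from the
report; the `root` parameter and the Application Support heuristic are ours.
"""
import hashlib
import os
import plistlib

# Artifacts named in the report, relative to the volume root.
IOC_PATHS = {
    "launchdaemon_plist": "Library/LaunchDaemons/com.coingotrade.pkg.product.plist",
    "upgrade_daemon_copy": "Library/Application Support/CoinGoTradeService/CoinGoTradeUpgradeDaemon",
    "app_binary": "Applications/CoinGoTrade.app/Contents/MacOS/CoinGo_Trade",
    "app_upgrade_daemon": "Applications/CoinGoTrade.app/Contents/MacOS/CoinGoTradeUpgradeDaemon",
    "stage2_drop": "private/tmp/updatecoingotrade",
    "prtspool_config": "private/etc/krb5d.conf",
}
KNOWN_SHA256 = {
    "326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd": "CoinGoTradeUpgradeDaemon",
    "527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18": "CoinGo_Trade",
    "5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8": "prtspool",
}
IOC_LABEL = "com.coingotrade.pkg.product"


def sha256_file(path):
    """SHA256 of a file, streamed so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def daemon_program(plist):
    """Executable a launchd job runs: Program, else ProgramArguments[0], else None."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def hunt(root="/"):
    """Return {present, hash_matches, launchd}: IOC paths found, files whose
    SHA256 matches a report sample, and launchd jobs worth a look."""
    findings = {"present": {}, "hash_matches": {}, "launchd": []}
    for name, rel in IOC_PATHS.items():
        full = os.path.join(root, rel)
        if os.path.exists(full):
            findings["present"][name] = full
            if os.path.isfile(full):
                digest = sha256_file(full)
                if digest in KNOWN_SHA256:
                    findings["hash_matches"][full] = KNOWN_SHA256[digest]
    # Persistence: the exact label is a hard indicator; a job whose binary lives under
    # Application Support is only a heuristic (legitimate updaters do this too).
    for d in ("Library/LaunchDaemons", "Library/LaunchAgents"):
        folder = os.path.join(root, d)
        if not os.path.isdir(folder):
            continue
        for fn in sorted(os.listdir(folder)):
            if not fn.endswith(".plist"):
                continue
            path = os.path.join(folder, fn)
            try:
                with open(path, "rb") as f:
                    plist = plistlib.load(f)
            except Exception:
                continue  # malformed plist: skip rather than abort the sweep
            prog = daemon_program(plist)
            label = plist.get("Label", "")
            if label == IOC_LABEL or fn.startswith(IOC_LABEL):
                findings["launchd"].append((path, label, prog, "ioc_label"))
            elif prog and "/Library/Application Support/" in prog:
                findings["launchd"].append((path, label, prog, "runs_from_application_support"))
    return findings


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(hunt(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

Run it as root against "/" on a suspect Mac, or against the mount point of a disk image. A hash match is conclusive; a present path or a job flagged by the Application Support heuristic is a lead that still needs the binary examined.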
Analysis by Crowdstrike showed the file has the same encryption algorithm\r\nand initial key values as a Lazarus Group implant known as HOPLIGHT or MANUSCRYPT.\r\nScreenshots\r\nFigure 7 - Screenshot of the C2 loaded into variable.\r\nFigure 8 - Screenshot of the format string.\r\n5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName prtspool\r\nSize 57376 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE\u003e\r\nMD5 451c23709ecd5a8461ad060f6346930c\r\nSHA1 58b0516d28bd7218b1908fb266b8fe7582e22a5f\r\nSHA256 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8\r\nSHA512 80961db270b9f15cff4b0443be79b253e0f98304990fceda03cd2b25393b0e483eacc553e7b33d20da23e3317fafc7b41f93c4a9da863b99c8\r\nssdeep 768:qQS5bSXXUkVSpVM0ZJflKprXYgICxdAvV/hQJx62:gbGkjZ7KbICY/hQJx6\r\nEntropy 4.259743\r\nAntivirus\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e\r\nPage 11 of 15\n\nAntiy Trojan[Backdoor]/OSX.NukeSped\r\nAvira OSX/NukeSped.vhsxo\r\nBitDefender Trojan.MAC.Generic.12195\r\nClamAV Osx.Malware.Agent-8019494-0\r\nESET a variant of OSX/NukeSped.E trojan\r\nEmsisoft Trojan.MAC.Generic.12195 (B)\r\nIkarus Trojan.OSX.Nukesped\r\nLavasoft Trojan.MAC.Generic.12195\r\nMcAfee OSX/Nukesped.e\r\nQuick Heal Mac.Backdoor.38173.GC\r\nSophos OSX/NukeSped-AF\r\nSymantec OSX.Trojan.Gen\r\nTrendMicro TROJ_FR.84D8D3BE\r\nTrendMicro House Call TROJ_FR.84D8D3BE\r\nZillya! Trojan.NukeSped.OSX.14\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n5e40d10697... Connected_To airbseeker.com\r\n5e40d10697... Connected_To globalkeystroke.com\r\n5e40d10697... 
Connected_To woodmate.it\r\nDescription\r\nThis file is an OSX sample that was likely the payload downloaded by \"CoinGoTradeUpgradeDaemon.\" \"prtspool\" is\r\na 64-bit Mach-O executable with the following capabilities:\r\n--Begin capabilities--\r\nPerform a heartbeat check-in with the current C2.\r\nSleep for the specified number of minutes.\r\nEnsure a copy of the current configuration data is written to the file on disk.\r\nDelete the configuration file and exit the implant.\r\nUpload the current in-memory configuration data.\r\nDownload a new configuration, overwrite the current in-memory configuration, and write the data to the file\r\n/private/etc/krb5d.conf.\r\nSecurely delete (wipe) the specified file by overwriting it with all zeros before deleting it from the system.\r\nDownload a file from the C2 and write it to the specified path.\r\nUpload the specified file to the C2 server.\r\nExecute the specified command on the OS shell, pipe the output to a temporary file, and upload it to the C2.\r\nExecute the specified process.\r\nList the files and directories in the specified path.\r\nPerform a TCP connection to the specified IP address and port and report the status back to the C2.\r\nSet the current working directory to the specified path.\r\n--End capabilities--\r\nThe file has three C2 URLs hard-coded into the file. 
In communicating with these servers, the file uses an HTTP POST with\r\nmultipart-form data boundary string \"--N9dLfqxHNUUw8qaUPqggVTpX.\" Similar to other Lazarus malware, \"prtspool\"\r\nuses format strings to store data collected about the system and sends it to the C2s.\r\n--Begin C2 URLs--\r\nhxxps[:]//airbseeker.com/rediret.php\r\nhxxps[:]//globalkeystroke.com/pockbackx.php\r\nhxxps[:]//www[.]woodmate.it/administrator/help/en-GB/bins/tags/taghelper.php.\r\n--End C2 URLs--\r\nairbseeker.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nhxxps[:]//airbseeker.com/rediret.php\r\nWhois\r\nWhois for airbseeker.com had the following information:\r\nRegistrar: NAMECHEAP INC\r\nCreated: 2020-03-03\r\nExpires: 2021-03-03\r\nRelationships\r\nairbseeker.com Connected_From 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8\r\nDescription\r\nThe domain \"airbseeker.com\" has a legitimately signed Sectigo SSL certificate, which was “Domain Control Validated.\" The\r\ndomain was at the IP address 68.65.122.160 with ASN 22612.\r\nglobalkeystroke.com\r\nTags\r\ncommand-and-control\r\nWhois\r\nWhois for globalkeystroke.com had the following information:\r\nRegistrar: NAMECHEAP INC\r\nCreated: 2019-11-11\r\nExpires: 2020-11-11\r\nRelationships\r\nglobalkeystroke.com Connected_From 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8\r\nDescription\r\nThe domain \"globalkeystroke.com\" has a legitimately signed Sectigo SSL certificate, which was “Domain Control\r\nValidated.\" Investigation revealed the point of contact listed for verification was admin[@]globalkeystroke.com. No other\r\ncontact information was available as the administrative or technical contact for the globalkeystroke.com domain.\r\nThe domain is registered with NameCheap at the IP address 68.65.122.160 with ASN 22612. The IP address of\r\n185.228.83.129 belongs to Access2.it Group B.v. ISP of the Netherlands. 
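The network behaviour of the two loaders and of prtspool, as described in this report, reduces to a handful of request-level indicators: the Windows and OSX updaters POST to coingotrade.com/update_coingotrade.php under the connection name "CoinGoTrade 1.0 (Check Update Windows)" or "(Check Update Osx)" with a body built from the format string "ver=%d&timestamp=%lu" (ver set to 1000), and prtspool POSTs multipart form data with the fixed boundary "N9dLfqxHNUUw8qaUPqggVTpX" to the three C2 URLs listed above. The classifier below is an added example for this write-up, not code from the report or from CISA. The indicator values are the report's; the request record layout and the sample traffic are constructed, and the code assumes the connection name is sent as the HTTP User-Agent header, which the report does not state.

```python
"""Classify HTTP requests against the network indicators in MAR-10322463-5.v1.

Added example, not code from the report. Hosts, paths, the updater connection
name, the beacon format and the prtspool boundary are from the report; the
record layout, the sample traffic and the User-Agent assumption are ours.
"""
import re
from dataclasses import dataclass, field

C2_HOSTS = {
    "coingotrade.com", "airbseeker.com", "globalkeystroke.com",
    "woodmate.it", "www.woodmate.it", "23.152.0.101",
}
C2_PATHS = {
    "/update_coingotrade.php",                            # both updaters
    "/rediret.php",                                       # prtspool -> airbseeker.com
    "/pockbackx.php",                                     # prtspool -> globalkeystroke.com
    "/administrator/help/en-GB/bins/tags/taghelper.php",  # prtspool -> woodmate.it
}
# Connection name used by the updaters; assumed here to travel as User-Agent.
UA_RE = re.compile(r"^CoinGoTrade 1\.0 \(Check Update (Windows|Osx)\)$")
# Body produced by the hard-coded format string "ver=%d&timestamp=%lu".
BEACON_RE = re.compile(r"^ver=(\d+)&timestamp=(\d+)$")
PRTSPOOL_BOUNDARY = "N9dLfqxHNUUw8qaUPqggVTpX"


@dataclass
class HttpRequest:
    method: str
    host: str            # Host header, may carry ":port"
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def classify(req):
    """Return the names of the indicators a request matches (empty list if none)."""
    hits = []
    if req.host.split(":")[0].lower() in C2_HOSTS:
        hits.append("c2_host")
    if req.path in C2_PATHS:
        hits.append("c2_path")
    if UA_RE.match(req.headers.get("User-Agent", "")):
        hits.append("updater_user_agent")
    m = BEACON_RE.match(req.body)
    if req.method == "POST" and m and m.group(1) == "1000":
        hits.append("updater_beacon_body")
    ctype = req.headers.get("Content-Type", "")
    if PRTSPOOL_BOUNDARY in ctype or PRTSPOOL_BOUNDARY in req.body:
        hits.append("prtspool_boundary")
    return hits


def scan(requests):
    """Map request index -> matched indicators, for requests that matched anything."""
    out = {}
    for i, r in enumerate(requests):
        hits = classify(r)
        if hits:
            out[i] = hits
    return out


# Constructed sample traffic (not captured data): three indicator hits, one benign request.
SAMPLE = [
    HttpRequest("POST", "coingotrade.com", "/update_coingotrade.php",
                {"User-Agent": "CoinGoTrade 1.0 (Check Update Windows)",
                 "Content-Type": "application/x-www-form-urlencoded"},
                "ver=1000&timestamp=1603900000"),
    HttpRequest("POST", "www.woodmate.it", "/administrator/help/en-GB/bins/tags/taghelper.php",
                {"Content-Type": "multipart/form-data; boundary=N9dLfqxHNUUw8qaUPqggVTpX"},
                "--N9dLfqxHNUUw8qaUPqggVTpX\r\nContent-Disposition: form-data; name=\"data\"\r\n\r\n"
                "AAAA\r\n--N9dLfqxHNUUw8qaUPqggVTpX--\r\n"),
    HttpRequest("GET", "23.152.0.101:8080", "/", {"User-Agent": "Mozilla/5.0"}),
    HttpRequest("GET", "example.org", "/index.html", {"User-Agent": "Mozilla/5.0"}),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE).items():
        r = SAMPLE[idx]
        print(f"[{idx}] {r.method} {r.host}{r.path}: {', '.join(hits)}")
```

The host and path sets are brittle once infrastructure rotates; the connection name, the ver=1000 beacon shape and the multipart boundary are the indicators most likely to survive a domain change, which is why they are matched separately rather than folded into one rule.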
Whois information for the IP revealed the network\r\nname as belonging to CrownCloud of Australia.\r\nOn October 11, 2019, the IP address 185.228.83.129 was hosting the domain dev.jmttrading.org according to PassiveDNS.\r\nJMT Trading was the second variant of the AppleJeus malware.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e\r\nPage 13 of 15\n\nwoodmate.it\r\nTags\r\ncommand-and-control\r\nWhois\r\nWhois for woodmate.it had the following information:\r\nRegistrar: REGISTRYGATE GMBH\r\nCreated: 2014-05-07\r\nExpires: 2020-05-07\r\nRelationships\r\nwoodmate.it Connected_From 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8\r\nDescription\r\nThe domain \"woodmate.it\" has a legitimately signed Let’s Encrypt certificate. Let’s Encrypt is a nonprofit Certificate\r\nAuthority which provides free and automated TLS/SSL certificates for anyone running their software. They do not perform\r\nany identity validation.\r\nThe domain is registered with RegistryGate GMBH of Germany at the IP address 85.13.146.113 with ASN 34788.\r\nThe IP address 85.13.146.113 is hosted by Neue Medien Muennich Gmbh of Germany.\r\nRelationship Summary\r\n[Redacted] Downloaded_By coingotrade.com\r\n[Redacted] Contains 3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4\r\n[Redacted] Contains 572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09\r\ncoingotrade.com Downloaded [Redacted]\r\ncoingotrade.com Connected_From 572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09\r\ncoingotrade.com Downloaded [Redacted]\r\n3e5442440a... Contained_Within [Redacted]\r\n3e5442440a... Connected_To 23.152.0.101\r\n23.152.0.101 Connected_From 3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4\r\n23.152.0.101 Connected_From 527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18\r\n572a124f56... Contained_Within [Redacted]\r\n572a124f56... 
Connected_To coingotrade.com\r\n[Redacted] Downloaded_By coingotrade.com\r\n[Redacted] Contains 527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18\r\n[Redacted] Contains 326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd\r\n527792dfab... Contained_Within [Redacted]\r\n527792dfab... Connected_To 23.152.0.101\r\n326d7836d5... Contained_Within [Redacted]\r\n5e40d10697... Connected_To airbseeker.com\r\n5e40d10697... Connected_To globalkeystroke.com\r\n5e40d10697... Connected_To woodmate.it\r\nairbseeker.com Connected_From 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8\r\nglobalkeystroke.com Connected_From 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8\r\nwoodmate.it Connected_From 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e"
	],
	"report_names": [
		"ar21-048e"
	],
	"threat_actors": [],
	"ts_created_at": 1775791242,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ea8abf1595de041b6386cc7beb1adba2508da6a.pdf",
		"text": "https://archive.orkl.eu/2ea8abf1595de041b6386cc7beb1adba2508da6a.txt",
		"img": "https://archive.orkl.eu/2ea8abf1595de041b6386cc7beb1adba2508da6a.jpg"
	}
}