{
	"id": "695f9322-9033-44f0-83a7-5ff20e6a6475",
	"created_at": "2026-04-06T00:14:56.309609Z",
	"updated_at": "2026-04-10T03:38:19.923962Z",
	"deleted_at": null,
	"sha1_hash": "a34a18dc09b178cf315c2e34384beabbf5703421",
	"title": "MAR-10322463-3.v1 - AppleJeus: Union Crypto | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111802,
	"plain_text": "MAR-10322463-3.v1 - AppleJeus: Union Crypto | CISA\r\nPublished: 2021-02-17 · Archived: 2026-04-05 22:35:46 UTC\r\nbody#cma-body { font-family: Franklin Gothic Medium, Franklin Gothic, ITC Franklin Gothic, Arial, sans-serif; font-size:\r\n15px; } table#cma-table { width: 900px; margin: 2px; table-layout: fixed; border-collapse: collapse; } div#cma-exercise {\r\nwidth: 900px; height: 30px; text-align: center; line-height: 30px; font-weight: bold; font-size: 18px; } div.cma-header { text-align: center; margin-bottom: 40px; } div.cma-footer { text-align: center; margin-top: 20px; } h2.cma-tlp { background-color: #000; color: #ffffff; width: 180px; height: 30px; text-align: center; line-height: 30px; font-weight: bold; font-size:\r\n18px; float: right; } span.cma-fouo { line-height: 30px; font-weight: bold; font-size: 16px; } h3.cma-section-title { font-size:\r\n18px; font-weight: bold; padding: 0 10px; margin-top: 10px; } h4.cma-object-title { font-size: 16px; font-weight: bold;\r\nmargin-left: 20px; } h5.cma-data-title { padding: 3px 0 3px 10px; margin: 10px 0 0 20px; background-color: #e7eef4; font-size: 15px; } p.cma-text { margin: 5px 0 0 25px !important; word-wrap: break-word !important; } div.cma-section { border-bottom: 5px solid #aaa; margin: 5px 0; padding-bottom: 10px; } div.cma-avoid-page-break { page-break-inside: avoid; }\r\ndiv#cma-summary { page-break-after: always; } div#cma-faq { page-break-after: always; } table.cma-content { border-collapse: collapse; margin-left: 20px; } table.cma-hashes { table-layout: fixed; width: 880px; } table.cma-hashes td{ width:\r\n780px; word-wrap: break-word; } .cma-left th { text-align: right; vertical-align: top; padding: 3px 8px 3px 20px;\r\nbackground-color: #f0f0f0; border-right: 1px solid #aaa; } .cma-left td { padding-left: 8px; } .cma-color-title th, .cma-color-list th, .cma-color-title-only th { text-align: left; padding: 3px 0 3px 20px; background-color: #f0f0f0; } .cma-color-title 
td,\r\n.cma-color-list td, .cma-color-title-only td { padding: 3px 20px; } .cma-color-title tr:nth-child(odd) { background-color:\r\n#f0f0f0; } .cma-color-list tr:nth-child(even) { background-color: #f0f0f0; } td.cma-relationship { max-width: 310px; word-wrap: break-word; } ul.cma-ul { margin: 5px 0 10px 0; } ul.cma-ul li { line-height: 20px; margin-bottom: 5px; word-wrap:\r\nbreak-word; } #cma-survey { font-weight: bold; font-style: italic; } div.cma-banner-container { position: relative; text-align:\r\ncenter; color: white; } img.cma-banner { max-width: 900px; height: auto; } img.cma-nccic-logo { max-height: 60px; width:\r\nauto; float: left; margin-top: -15px; } div.cma-report-name { position: absolute; bottom: 32px; left: 12px; font-size: 20px; }\r\ndiv.cma-report-number { position: absolute; bottom: 70px; right: 100px; font-size: 18px; } div.cma-report-date { position:\r\nabsolute; bottom: 32px; right: 100px; font-size: 18px; } img.cma-thumbnail { max-height: 100px; width: auto; vertical-align: top; } img.cma-screenshot { margin: 10px 0 0 25px; max-width: 800px; height: auto; vertical-align: top; border: 1px\r\nsolid #000; } div.cma-screenshot-text { margin: 10px 0 0 25px; } .cma-break-word { word-wrap: break-word; } .cma-tag {\r\nborder-radius: 5px; padding: 1px 10px; margin-right: 10px; } .cma-tag-info { background: #f0f0f0; } .cma-tag-warning {\r\nbackground: #ffdead; }\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber\r\nthreat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and\r\nprovide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus\r\nGroup—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is\r\ntargeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the\r\ndissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of\r\ncryptocurrency.\r\nThis MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by\r\nthe North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as\r\nHIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see\r\nJoint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at\r\nhttps://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 1 of 18\n\nThere have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. 
In most\r\nversions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an\r\nunsuspecting individual downloads a third-party application from a website that appears legitimate.\r\nThe U.S. Government has identified AppleJeus malware version—Union Crypto—and associated IOCs used by the North\r\nKorean government in AppleJeus operations.\r\nUnion Crypto, discovered by a cybersecurity company in December 2019, is a legitimate-looking cryptocurrency trading\r\nsoftware that is marketed and distributed by a company and website—Union Crypto and unioncrypto[.]vip, respectively—\r\nthat appear legitimate.\r\nFor a downloadable copy of IOCs, see: MAR-10322463-3.v1.stix.\r\nSubmitted Files (8)\r\n01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f (UnionCryptoUpdater.exe)\r\n0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36 (UnionCryptoTrader.exe)\r\n2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390 (UnionCryptoTrader.dmg)\r\n631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680 (unioncryptoupdater)\r\n6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0 (UnionCryptoTrader)\r\n755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3 (NodeDLL.dll)\r\naf4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49 (UnionCryptoTrader.msi)\r\ne3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774 (UnionCryptoSetup.exe)\r\nDomains (1)\r\nunioncrypto.vip\r\nIPs (1)\r\n216.189.150.185\r\nFindings\r\ne3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774\r\nTags\r\ntrojan\r\nDetails\r\nName UnionCryptoSetup.exe\r\nSize 30330443 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 24b3614d5c5e53e40b42b4e057001770\r\nSHA1 b040433fb50d679b2e287d7fcc1667a415fb60b0\r\nSHA256 e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774\r\nSHA512 
55e9c7f59189e395b6b348d9fa8b4b907d0cedd790a33603a49ac857f5a07b205f8787fab0c7a9954e992852e6e5090f3cbf2243e86bb2546\r\nssdeep 786432:Dj2fi5nBGPBMNekleUtOaZ13vcdkIXX0kfp:+65AP+QAeUtOKvc+c0kR\r\nEntropy 7.984564\r\nAntivirus\r\nFilseclab W32.ELEX.L.erpg.mg\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 2 of 18\n\nMicrosoft Security Essentials Trojan:Win32/UnionCryptoTrader!ibt\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-09-20 09:08:01-04:00\r\nImport Hash cbc19a820310308f17b0a7c562d044e0\r\nCompany Name UnionCrypto Co.Ltd\r\nFile Description Union Crypto Trader\r\nInternal Name UnionCryptoTraderSetup.exe\r\nLegal Copyright © UnionCrypto Corporation. All Rights Reserved.\r\nOriginal Filename UnionCryptoTraderSetup.exe\r\nProduct Name Union Crypto Trader\r\nProduct Version 1.0.23.474\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n566abfd43bde6dda239bf28ac9b087ae header 1024 2.960546\r\n764b34cabee1111c9e11c8f836aebafb .text 608256 6.539792\r\n7989312225f01ce65374248a3e73a557 .rdata 189440 4.588598\r\n1ac52732b5e747734a833e523cd8f27f .data 10240 4.418143\r\n3afae9bb129e782e05f70b3416946646 .rsrc 434688 6.340500\r\nd11bf51446bb40b38f82ba6ce1f57dc4 .reloc 162816 2.478756\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ ?.?\r\nRelationships\r\ne3623c2440... Contains af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49\r\nDescription\r\nThis Windows program from the Union Crypto Trader site is a Windows executable. 
This executable is actually an installer,\r\nand will first extract a temporary MSI named UnionCryptoTrader.msi\r\n(af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49) to the “C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp\\{82E4B719-90F7-4BD1-9CF1-56CD777E0C42}” folder, which will be executed by\r\n\"UnionCryptoTraderSetup.exe\" and deleted after it successfully completes the installation.\r\nunioncrypto.vip\r\nTags\r\ncommand-and-control\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 3 of 18\n\nURLs\r\nhxxps[:]//unioncrypto.vip/update\r\nhxxps[:]//www[.]unioncrypto.vip/download/W6c2dq8By7luMhCmya2v97YeN\r\nWhois\r\nWhois for unioncrypto.vip had the following information on December 8, 2019:\r\nRegistrar: NameCheap\r\nCreated: June 5, 2019\r\nExpires: June 5, 2020\r\nUpdated: June 5, 2019\r\nRelationships\r\nunioncrypto.vip Downloaded_To 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390\r\nunioncrypto.vip Downloaded_To 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3\r\nDescription\r\nWhile this site is no longer available, a download link of\r\nhxxps[:]//www[.]unioncrypto.vip/download/W6c2dq8By7luMhCmya2v97YeN was discovered by a cyber-security\r\nresearcher and is recorded on VirusTotal for the OSX version of UnionCryptoTrader. In contrast, open source reporting\r\ndisclosed the Windows version may have been downloaded via Telegram, as it was found in a “Telegram Downloads” folder\r\non an unnamed victim. Union Crypto Trader has a legitimately signed Sectigo SSL certificate, which was “Domain Control\r\nValidated” just as the previous version certificates. 
.\r\nThe domain is registered with NameCheap at the IP address 104.168.167.16 with ASN 54290.\r\nScreenshots\r\nFigure 1 - Screenshot of the Union Crypto Trader website.\r\naf4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49\r\nTags\r\ndropper\r\nDetails\r\nName UnionCryptoTrader.msi\r\nSize 14634496 bytes\r\nType\r\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Save\r\nInstallShield, Number of Words: 0, Title: Union Crypto Trader, Comments: Contact: Your local administrator, Keywords: Installer, Subj\r\nCryptocurrency Arbitrage Trading Platform, Author: UnionCryptoTrader, Security: 1, Number of Pages: 200, Name of Creating Applica\r\nInstallShield 2018 - Premier Edition with Virtualization Pack 24, Last Saved Time/Date: Tue Aug 6 23:59:58 2019, Create Time/Date: T\r\n23:59:58 2019, Last Printed: Tue Aug 6 23:59:58 2019, Revision Number: {44311F94-C85D-4688-996A-4888F2D32062}, Code page:\r\nx64;1033\r\nMD5 0f03ec3487578cef2398b5b732631fec\r\nSHA1 349fb7c922fba6da4bf5c2a3a9e0735f11068dac\r\nSHA256 af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49\r\nSHA512 f2aa24d96daf090f3a29b5536f3ce0a9a59171b7fdb85887bc32ea6c5305e5ee03153b2c402399dd05a28d6fa90a3e979cc8153fd69686b5bb\r\nssdeep 393216:zDea98QM1lKTmbHJdgXuUSCve2TN4ksIVVYlm6j8ziFS:XeanAKTuHbd9Ye2qpj8Og\r\nEntropy 7.948615\r\nAntivirus\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 4 of 18\n\nTrendMicro TROJ_FR.DEFD7DB1\r\nTrendMicro House Call TROJ_FR.DEFD7DB1\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\naf4144c1f0... Contained_Within e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774\r\naf4144c1f0... Contains 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f\r\naf4144c1f0... Contains 0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36\r\nDescription\r\nThis Windows program is a Windows MSI Installer. 
The MSI installer will install \"UnionCryptoTrader.exe\"\r\n(0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36) in the “C:\\Program\r\nFiles\\UnionCryptoTrader” folder and also install UnionCryptoUpdater.exe\r\n(01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f) in the “C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\UnionCryptoTrader” folder. Immediately after installation, the installer launches\r\n\"UnionCryptoUpdater.exe.\"\r\nScreenshots\r\nFigure 2 - Screenshot of the UnionCryptoTrader Installation.\r\n0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36\r\nTags\r\ntrojan\r\nDetails\r\nName UnionCryptoTrader.exe\r\nSize 1286144 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 46b3061fe981d0a5edfd8d55f75adf9f\r\nSHA1 514263acf79aeb49d87192ae08f6c76854cdda12\r\nSHA256 0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36\r\nSHA512 38418a2f3a8870352d8a88d6fb48e2c93a35b48a559590beb12c7c507eadfd07bf087ea11e822fc3e7bc9d6710b17cb68c416ffcf87a787ed9\r\nssdeep 24576:fnrKym9OWCy0frP+1obeVbK8KW/TJ9+FCPjjcym8MUml:fnrKb9OWCy0q1obeVbPKW/TKcjlmhUml\r\nEntropy 6.414530\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 5 of 18\n\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-08-06 21:22:00-04:00\r\nImport Hash e0f869ddf0b356ab31c5676591e890ed\r\nCompany Name UnionCrypto Co.Ltd\r\nFile Description Union Crypto Trader\r\nInternal Name UnionCryptoTrader.exe\r\nLegal Copyright © UnionCrypto Corporation. 
All rights reserved.\r\nOriginal Filename UnionCryptoTrader.exe\r\nProduct Name Union Crypto Trader\r\nProduct Version 1.00.0000\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n8a496cd41319fdb127a000e7a43bdfd4 header 1024 3.518197\r\n686f2fe8e51a4327d3e25e937c5eb1cc .text 878080 6.431878\r\n8f5b24579aaf7ecbc95b26614cf51e8c .rdata 230912 5.566823\r\n91b3d6678654de37caa94b211aae696e .data 15360 4.052861\r\naf667013369aea1785ada0e5442bcf07 .pdata 41472 6.082142\r\naced93d352d733478dc51a779aef0c62 .gfids 512 0.317810\r\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\r\n285d8a234d06cfb54adffe2eb077a2fe .rsrc 113664 3.831914\r\n241aeb18e88145608a8b273404896f72 .reloc 4608 5.365584\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\n0967d2f122... Contained_Within af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49\r\nDescription\r\nThis file is a 64-bit Windows executable contained within the Windows MSI Installer \"UnionCryptoTrader.msi.\" When\r\nexecuted, \"UnionCryptoTrader.exe\" loads a legitimate cryptocurrency arbitrage application with no signs of malicious\r\nactivity. 
(Note: arbitrage is defined as “the simultaneous buying and selling of securities, currency, or commodities in\r\ndifferent markets or in derivative forms in order to take advantage of differing prices for the same asset”).\r\nThis application does not appear to be a modification of the Windows QT Bitcoin Trader, but may be a modification of\r\nBlackbird Bitcoin Arbitrage.\r\nIn addition to the \"unioncrypto.vip\" site describing \"UnionCryptoTrader.exe\" as a “Smart Cryptocurrency Arbitrage Trading\r\nPlatform,\" many of the strings found in \"UnionCryptoTrader.exe\" have references to Blackbird Bitcoin Arbitrage including\r\nbut not limited to:\r\n--Begin similarities--\r\nBlackbird Bitcoin Arbitrage\r\n| Blackbird Bitcoin Arbitrage Log File |\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 6 of 18\n\noutput/blackbird_result_\r\noutput\\blackbird_log_\r\nERROR: Blackbird needs at least two Bitcoin exchanges. Please edit the config.json file to add new exchanges\r\n--End similarities--\r\nThe strings also contain the links and references to all fourteen exchanges listed as implemented or potential on the\r\nBlackbird GitHub page. 
In addition, the \"config.txt\" file found in the “C:\\Program Files\\UnionCryptoTrader” folder with\r\n\"UnionCryptoTrader.exe\" also contains references to all fourteen exchanges, as well as sets the database file to\r\n\"blackbird.db.\" The file \"blackbird.db\" is also found in the same folder.\r\nScreenshots\r\nFigure 3 - Screenshot of the \"UnionCryptoTrader.exe\"application.\r\n01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f\r\nTags\r\ntrojan\r\nDetails\r\nName UnionCryptoUpdater.exe\r\nSize 161280 bytes\r\nType PE32+ executable (console) x86-64, for MS Windows\r\nMD5 629b9de3e4b84b4a0aa605a3e9471b31\r\nSHA1 1ef0e1cabd344726b663cec8d9e68f147259da55\r\nSHA256 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f\r\nSHA512 c70abbe52cbbed220fee218664d1c5f4313bd5387de11c275aa31115e90328dac032c6138954f3931c7d134e8613ad6c278ed29d78c0dc819\r\nssdeep 3072:Q/MdytyORF471FiHNkwBFTdpSI94e1ZVypzCG9n7r:Q/ftvF471AHNFjdYIZOt\r\nEntropy 6.192246\r\nAntivirus\r\nAvira TR/Agent.pfpad\r\nBitDefender Trojan.GenericKD.33626108\r\nComodo Malware\r\nESET a variant of Win64/Agent.UV trojan\r\nEmsisoft Trojan.GenericKD.33626108 (B)\r\nIkarus Trojan.Win64.Agent\r\nK7 Trojan ( 0056425b1 )\r\nLavasoft Trojan.GenericKD.33626108\r\nMcAfee Trojan-Agent.c\r\nNANOAV Trojan.Win64.Mlw.icfhya\r\nSymantec Trojan.Gen.2\r\nTACHYON Trojan/W64.Agent.161280.C\r\nTrendMicro TROJ_FR.DEFD7DB1\r\nTrendMicro House Call TROJ_FR.DEFD7DB1\r\nVirusBlokAda Trojan.Win64.Agentb\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 7 of 18\n\nZillya! Trojan.Agent.Win64.5106\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-08-06 22:00:26-04:00\r\nImport Hash e217501515a13bba8aefe7dcf3b74f33\r\nCompany Name UnionCrypto Co.Ltd\r\nFile Description Union Crypto Trading Updater\r\nInternal Name unioncryptoupdater.exe\r\nLegal Copyright © UnionCrypto Corporation. 
All rights reserved.\r\nOriginal Filename unioncryptoupdater.exe\r\nProduct Name Union Crypto Trading Updater\r\nProduct Version 1.0.23.474\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n9b73650178bdd95af246609c1b650253 header 1024 3.045187\r\nac3f61418ff1daa9142e2304a647c2aa .text 98816 6.452850\r\ncc2de13f05d38702ac9a560e450ab54a .rdata 48128 5.088494\r\n20ef8fb99461ca48fe9ed26ffb4cc26c .data 3072 2.234569\r\nabf07cda1f35bf5fe4a9ac21de63f903 .pdata 6144 5.155358\r\n3eab486bdf211a98334f08a5145dbf94 .gfids 512 1.857174\r\nc9ab77353b20e3b22c344b60c8859d56 .rsrc 1536 3.943344\r\na9cd219d9ad71f6c2c60efc1308885c8 .reloc 2048 4.924725\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\n01c13f825e... Downloaded 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3\r\n01c13f825e... Contained_Within af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49\r\nDescription\r\nThis file is a 64-bit Windows executable contained within the Windows MSI Installer \"UnionCryptoTrader.msi.\" When\r\nexecuted, \"UnionCryptoUpdater.exe\" first installs itself as a service, which will automatically start when any user logs on.\r\nThe service is installed with a description stating it “Automatically installs updates for Union Crypto Trader.\"\r\nAfter installing the service, \"UnionCryptoUpdater.exe\" collects different information about the system the malware is\r\nrunning on. Specifically, it uses Windows Management Instrumentation (WMI) Query Language (WQL) to collect this\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 8 of 18\n\ninformation. \"UnionCryptoUpdater.exe\" first finds the BIOS Serial Number by using the “SELECT * FROM Win32_Bios”\r\nWMI filter as a WQL Query String (Figure 4).\r\nThis returns SMBBIOSBIOSVersion, Manufacturer, Name, SerialNumber, and Version. 
The function later pulls the\r\n“SerialNumber” from this returned data (Figure 5).\r\nThe same process is followed to pull the operating system version and build number. The WQL Query String is “SELECT *\r\nFROM Win32_OperatingSystem,\" and the fields pulled are “Caption” and “BuildNumber.\" Note that the “Caption” field\r\ncontains the OS version for the computer running the malware.\r\nAfter collecting the system data, \"UnionCryptoUpdater.exe\" then builds a string consisting of the current time and the hard-coded value “12GWAPCT1F0I1S14.\" The current time is stored in the \"auth_timestamp\" variable.\r\nThis combined string is MD5 hashed and stored in the \"auth_signature\" variable. These variables are sent in the first\r\ncommunication to the command and control (C2) server, and are likely used to verify any connections to the server are\r\nactually originating from the \"UnionCryptoUpdater.exe\" malware.\r\nThese variables are sent via a POST the C2 hxxps[:]//unioncrypto.vip/update along with the collected system data. The\r\nsystem data is sent in this specific format:\r\n--Begin format--\r\nrlz=[BIOS serial number]\u0026ei=[OS Version] (BuildNumber)\u0026act=check\r\n--End format--\r\nThese values, along with a hard-coded User Agent String of “Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36” can be found in the malware data\r\nsection.\r\nIf the POST is successful (i.e. returns an HTTP response status code of 200), but returns a string of “0”,\r\nUnionCryptoUpdater.exe will sleep for ten minutes and then regenerate the \"auth_timestamp\" and \"auth_signature\" to\r\ncontact the C2 again.\r\nIf the POST is successful and the C2 server does not return the string “0”, the malware will decode the base64 payload and\r\ndecrypt it. It then uses built in C++ functions to allocate memory, write the payload to memory, and executes the payload. 
If\r\nthis is successful, the malware will send another POST to the C2 with the value “act=done” replacing the “act=check” for\r\nthe previously specified format (Figure 9).\r\nScreenshots\r\nFigure 4 - Screenshot of the \"UnionCryptoUpdater\" Service.\r\nFigure 5 - Screenshot of the \"SELECT * FROM Win32_Bios\" query string.\r\nFigure 6 - Screenshot of the \"SerialNumber\" selection.\r\nFigure 7 - Screenshot of the \"UnionCryptoUpdater.exe\" getting current time and combining with hard-coded value.\r\nFigure 8 - Screenshot of the hard-coded values and User Agent in \"UnionCryptoUpdater.exe.\"\r\nFigure 9 - Screenshot of the hard-coded \"\u0026act=done\" value.\r\n755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3\r\nTags\r\ntrojan\r\nDetails\r\nName NodeDLL.dll\r\nSize 537616 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 549db64ceaebbbdd9068d761cb5c616c\r\nSHA1 6d91ce7b9f38e2316aa9fb50ececc02eadc4cd70\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 9 of 18\n\nSHA256 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3\r\nSHA512 0281257ad97e0765b57d29bb22fe9973f4ad5c42a93762eda1b12e71f78d02155fe32eda4ccd4acadbfccf61563175c28c520df5b63169857\r\nssdeep 12288:FOvSQSQs75paRGK9EovEfM9NosCz4jcauwVyZE19QLC:Mv0VpkGYvI6NAz4j5LV6+\r\nEntropy 6.433002\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-10-21 12:33:45-04:00\r\nImport Hash c24e1d44f912d970e41414c324d04158\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n41f1664ee936eb5e9c5a402b9f791086 header 1024 3.215046\r\nd7c3e5262e243bfd078cc689c0dcc509 .text 393728 6.418398\r\n0155d4e1f35b8f139d07993866f1e2f6 .rdata 115200 5.560875\r\n67b68408aebc7de9f6019e94ab5cf2ce .data 3584 2.251912\r\n809c1804672ec420bb9f366f30b025fb .pdata 20480 5.768325\r\n7eb4b39b296be7f4de3339727d0f1eb0 .gfids 512 1.995088\r\n28984c1ba2156023b894e0041ecd2479 .rsrc 512 
4.724729\r\n1c7de4ac5824c7b888e15c611cb69191 .reloc 2560 5.180527\r\nRelationships\r\n755bd7a376... Downloaded_By 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f\r\n755bd7a376... Downloaded_From unioncrypto.vip\r\n755bd7a376... Connected_To 216.189.150.185\r\nDescription\r\nThis file is a 64-bit dynamic-link library (DLL). This file was identified as a payload for the Windows malware. This stage 2\r\nis not immediately downloaded by \"UnionCryptoUpdater.exe,\" but instead is downloaded after a period of time likely\r\nspecified by the C2 server at \"hxxps[:]//unioncrypto.vip/update.\" This delay could be implemented to prevent researchers\r\nfrom immediately obtaining the stage 2 malware.\r\nThe C2 and build path are visible from the \"NodeDLL.dll\" strings. The C2 for the malware is\r\nhxxp[:]//216.189.150.185:8080/push.jsp.\r\nThe build path found in the strings is “Z:\\Opal\\bin\\x64_Release\\NodeDll.pdb.\" This stage 2 is likely part of a project named\r\n“Opal” by the actors, due to the folder in the build path.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 10 of 18\n\nNodeDLL.dll has multiple functionalities which can be verified by examining the program imports and strings.\r\nFunctionalities with corresponding strings/imports include but are not limited to:\r\n1. Get/Update implant configuration\r\n   a. Imports: GetComputerNameA, GetCurrentDirectoryW, GetStartupInfoW, GetTimeZoneInformation\r\n   b. Strings: CurrentUser\r\n2. Get/Put a file or directory\r\n   a. Imports: WriteFile\r\n3. Execute a program\r\n   a. Imports: CreateProcessW\r\n4. Directory listing\r\n   a. Imports: GetCurrentDirectoryW\r\n5. Active Drive Listing (C:\\, D:\\, etc.)\r\n   a. Imports: GetLogicalDrives, GetDriveTypeW\r\n6. Move a file/directory\r\n   a. Imports: CreateDirectoryW, MoveFileExW\r\n7. Delete a file/directory\r\n   a. Imports: DeleteFileW\r\n8. Screenshot active desktop\r\n   a. 
Imports: GetDIBits, CreateCompatibleBitmap, BitBlt, etc from gdi32\r\n9. Execute a shell command through cmd.exe\r\n   a. Imports: GetCommandLineW, GetCommandLineA, CreateProcessAsUserW\r\n10. Check IPv4 TCP connectivity against specified target\r\n   a. Imports: connect, bind, send, socket, getaddrinfo, etc. from ws2_32\r\n   b. Strings: Network unreachable, HTTP/1.%d %d, httponly, Remote file not found\r\n11. Update configuration (beacon interval, AP address, etc.)\r\n   a. Strings: Host: %s%s%s:%d, Set-Cookie:\r\nThe \"NodeDLL.dll\" strings also show a hard-coded user agent string: “Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134”. Finally, a format string\r\nwhich matches the HostUS C2 is found in the strings: \"%s://%s%s%s:%d%s%s%s,\" along with many references to proxies\r\nor proxy configurations.\r\n216.189.150.185\r\nTags\r\ncommand-and-control\r\nURLs\r\n216.189.150.185:8080/push.jsp\r\nPorts\r\n8080 TCP\r\nWhois\r\nQueried whois.arin.net with \"n 216.189.150.185\"...\r\nNetRange:     216.189.144.0 - 216.189.159.255\r\nCIDR:         216.189.144.0/20\r\nNetName:        HOSTUS-IPV4-3\r\nNetHandle:     NET-216-189-144-0-1\r\nParent:         NET216 (NET-216-0-0-0-0)\r\nNetType:        Direct Allocation\r\nOriginAS:     AS7489, AS25926\r\nOrganization: HostUS (HOSTU-4)\r\nRegDate:        2014-08-29\r\nUpdated:        2015-12-29\r\nComment:        Please send all abuse reports to abuse@hostus.us\r\nRef:            https://rdap.arin.net/registry/ip/216.189.144.0\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 11 of 18\n\nOrgName:        HostUS\r\nOrgId:         HOSTU-4\r\nAddress:        125 N Myers St\r\nCity:         Charlotte\r\nStateProv:     NC\r\nPostalCode:     28202\r\nCountry:        US\r\nRegDate:        2013-07-26\r\nUpdated:        2019-10-23\r\nComment:        IP addresses from this network are further reallocated or assigned to 
customers.\r\nComment:        Please send all abuse reports to abuse@hostus.us.\r\nComment:        Abuse reports must be submitted through email with the IP address in title.\r\nRef:            https://rdap.arin.net/registry/entity/HOSTU-4\r\nOrgNOCHandle: HOSTU2-ARIN\r\nOrgNOCName: HostUS Tech\r\nOrgNOCPhone: +1-302-300-1737\r\nOrgNOCEmail: noc@hostus.us\r\nOrgNOCRef:    https://rdap.arin.net/registry/entity/HOSTU2-ARIN\r\nOrgAbuseHandle: HAD18-ARIN\r\nOrgAbuseName: HostUS Abuse Desk\r\nOrgAbusePhone: +1-302-300-1737\r\nOrgAbuseEmail: abuse@hostus.us\r\nOrgAbuseRef:    https://rdap.arin.net/registry/entity/HAD18-ARIN\r\nOrgTechHandle: HOSTU2-ARIN\r\nOrgTechName: HostUS Tech\r\nOrgTechPhone: +1-302-300-1737\r\nOrgTechEmail: noc@hostus.us\r\nOrgTechRef:    https://rdap.arin.net/registry/entity/HOSTU2-ARIN\r\nRelationships\r\n216.189.150.185 Connected_From 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3\r\nDescription\r\nThe C2 identified for NodeDLL.dll. The IP address 216.189.150.185 has ASN 7489 and is owned by HostUS.\r\n2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390\r\nTags\r\nbackdoordownloaderloadertrojan\r\nDetails\r\nName UnionCryptoTrader.dmg\r\nSize 20911661 bytes\r\nType zlib compressed data\r\nMD5 6588d262529dc372c400bef8478c2eec\r\nSHA1 06d9f835efd1c05323f6a3abdf66e6be334e47c4\r\nSHA256 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390\r\nSHA512 4a90cd71e210662c3e21994a6af6d80f45c394b972d85ba725dc0e33721036c38b68829ca831113276cbea891fc075e1fa9911aad1fc647b0\r\nssdeep 393216:psbbiMqkRiP3p+/34QRDCLqKbNH40iBNTnz0xcECffBJrd8ur8dx3PAxC9lG:WbipIM3p+/TBvBN0xcRmur8dxIxC9l\r\nEntropy 7.997189\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 12 of 18\n\nAntivirus\r\nAhnlab Backdoor/OSX.Nukesped.20911661\r\nAntiy Trojan/Mac.NukeSped\r\nAvira OSX/Dldr.NukeSped.rtyrb\r\nBitDefender Trojan.MAC.Lazarus.F\r\nCyren Trojan.PXZN-6\r\nESET OSX/TrojanDownloader.NukeSped.B trojan\r\nEmsisoft 
Trojan.MAC.Lazarus.F (B)\r\nIkarus Trojan-Downloader.OSX.Nukesped\r\nK7 Trojan ( 0001140e1 )\r\nLavasoft Trojan.MAC.Lazarus.F\r\nMcAfee OSX/Nukesped.b\r\nMicrosoft Security Essentials Trojan:MacOS/NukeSped.C!MTB\r\nSophos OSX/NukeSped-AB\r\nSymantec OSX.Trojan.Gen\r\nTrendMicro Trojan.3657DE58\r\nTrendMicro House Call Trojan.3657DE58\r\nZillya! Downloader.Agent.OSX.68\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n2ab58b7ce5... Downloaded_From unioncrypto.vip\r\n2ab58b7ce5... Contains 6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0\r\n2ab58b7ce5... Contains 631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680\r\nDescription\r\nThis OSX program from the \"UnionCrypto\" download link is an Apple DMG installer.\r\nThe OSX program does not have a digital signature, and will warn the user of that before installation. Just as previous\r\nversions, the UnionCrypto installer appears to be legitimate and installs both “UnionCryptoTrader”\r\n(6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0) in the\r\n“/Applications/UnionCryptoTrader.app/Contents/MacOS/” folder and a hidden program named “.unioncryptoupdater”\r\n(631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680) in the\r\n“/Applications/UnionCryptoTrader.app/Contents/Resources/” folder. The installer contains a postinstall script (see figure\r\n10).\r\nThis postinstall script is identical in functionality to the postinstall script for the second version. It moves the hidden plist\r\nfile (.vip.unioncrypto.plist) to the LaunchDaemons folder and changes the file permissions for the plist to be owned by root.\r\nOnce in the LaunchDaemons folder, this program will be run on system load as root for every user. 
This will launch the\r\nunioncryptoupdater program.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 13 of 18\n\nThe postinstall script also moves the hidden “.unioncryptoupdater” binary to a new location\r\n“/Library/UnionCrypto/unioncryptoupdater” and makes the file executable. As the LaunchDaemon will not be run\r\nimmediately after the plist file is moved, the postinstall script then launches the unioncryptoupdater program in the\r\nbackground (\u0026). In contrast to the CelasTradePro “Updater” binary and JMTTrader “CrashReporter” binary, the\r\nunioncryptoupdater binary is not launched with any parameters.\r\nScreenshots\r\nFigure 10 - Screenshot of the postinstall script included in UnionCryptoTrader installer.\r\nFigure 11 - Screenshot of the \"vip.unioncrypto.plist\" file.\r\n6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0\r\nTags\r\ntrojan\r\nDetails\r\nName UnionCryptoTrader\r\nSize 1602900 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE\u003e\r\nMD5 41587b0dd5104a4ee6484ff8cf47fd21\r\nSHA1 bd41cb308913c4964aef47edafd36faa1f673717\r\nSHA256 6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0\r\nSHA512 efaf37208ee17967df8c435e592b2029d8e56aabd92ca989704bf7908399bf9e84b6312b928fb89907d72518ef40ae95ac6feeb1a19044231b\r\nssdeep 49152:2ScN8VPSplcFjsmEWe7JEANYIwErVqpxPM0:M40ltBWeFuHbE0\r\nEntropy 6.459336\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n6f45a004ad... Contained_Within 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390\r\nDescription\r\nThis OSX sample was contained within Apple DMG Installer \"UnionCryptoTrader.dmg.\" When executed,\r\nUnionCryptoTrader loads a legitimate cryptocurrency arbitrage application with no signs of malicious activity. 
(Note:\r\narbitrage is defined as “the simultaneous buying and selling of securities, currency, or commodities in different markets or in\r\nderivative forms in order to take advantage of differing prices for the same asset”). This application does not appear to be a\r\nmodification of the OSX QT Bitcoin Trader, but may be a modification of Blackbird Bitcoin Arbitrage11.\r\nIn addition to the \"unioncrypto.vip\" site describing UnionCryptoTrader as a “Smart Cryptocurrency Arbitrage Trading\r\nPlatform,\" many of the strings found in UnionCryptoTrader have references to Blackbird Bitcoin Arbitrage including but not\r\nlimited to:\r\n--Begin similarities--\r\nBlackbird Bitcoin Arbitrage\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 14 of 18\n\n| Blackbird Bitcoin Arbitrage Log File |\r\noutput/blackbird_result_\r\noutput/blackbird_log_\r\nERROR: Blackbird needs at least two Bitcoin exchanges. Please edit the config.json file to add new exchanges\r\n--End similarities--\r\nThe strings also contain the links and references to all fourteen exchanges listed as implemented or potential on the\r\nBlackbird GitHub page.\r\n631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680\r\nTags\r\nbackdoordownloaderloadertrojan\r\nDetails\r\nName unioncryptoupdater\r\nSize 79760 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE\u003e\r\nMD5 da17802bc8d3eca26b7752e93f33034b\r\nSHA1 e8f29f1e3f35a4f2c18be424551e280ed66b1dd7\r\nSHA256 631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680\r\nSHA512 a32672fa780675e767e37fa1b8d186951cb934279cb416766c518a7d6f76b6521176a5055045c0af7ec1ce5f9882a952ed8761b54f9cb1258\r\nssdeep 1536:4YGnCXIbO9KBQJELi6VA2l5+r1M6JBM4YQNVZ3MpJy5TU23MpJy5Tp:3eCYK5JEBXaM6Jq4p3MpJy5Tb3MpJy5T\r\nEntropy 4.871481\r\nAntivirus\r\nAhnlab Backdoor/OSX.Nukesped.79760\r\nAntiy Trojan/Mac.NukeSped\r\nAvira OSX/Agent.hwuxh\r\nBitDefender Trojan.MAC.Lazarus.D\r\nClamAV 
Osx.Malware.Agent-7430998-0\r\nESET OSX/TrojanDownloader.NukeSped.B trojan\r\nEmsisoft Trojan.MAC.Lazarus.D (B)\r\nIkarus Trojan-Downloader.OSX.Nukesped\r\nK7 Trojan ( 0001140e1 )\r\nLavasoft Trojan.MAC.Lazarus.D\r\nMcAfee OSX/Lazarus.b\r\nMicrosoft Security Essentials Trojan:MacOS/NukeSped.C!MTB\r\nNANOAV Trojan.Mac.Download.gknigf\r\nQuick Heal MacOS.Trojan.39995.GC\r\nSophos OSX/Lazarus-F\r\nSymantec OSX.Trojan.Gen\r\nTrendMicro TROJ_FR.ED65B0ED\r\nTrendMicro House Call TROJ_FR.ED65B0ED\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 15 of 18\n\nZillya! Downloader.NukeSped.OSX.6\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n631ac26992... Contained_Within 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390\r\nDescription\r\nThis OSX sample was contained within Apple DMG Installer \"UnionCryptoTrader.dmg.\" This malware is signed adhoc,\r\nmeaning it is not signed with a valid code signing ID.\r\nWhen executed, unioncryptoupdater immediately calls the “onRun()” function, which contains most of the logic and\r\nfunctionality for this malware. 
This function first collects different information about the system the malware is running on.\r\nIt uses IOKit, which is an Apple framework designed to allow programs to gain user-access to hardware devices and drivers.\r\nIOKit is specifically used to retrieve the system serial number with the IOPlatformSerialNumber global variable (Figure 12).\r\nThe function then collects the operating system version by reading the system file at\r\n“/System/Library/CoreServices/SystemVersion.plist,\" and specifically extracting the ProductVersion and\r\nProductBuildVersion from the system file (Figure 13).\r\nAfter collecting the system data, unioncryptoupdater then builds a string consisting of the current time and the hard-coded\r\nvalue “12GWAPCT1F0I1S14\" (Figure 14).\r\nThis string is MD5 hashed and stored in the \"auth_signature\" variable and the current time (used to create the string for\r\n\"auth_signature\") in the \"auth_timestamp\" variable. These variables are sent in the first communication to the C2 server and\r\nare likely used to verify any connections to the server are actually originating from the unioncryptoupdater malware.\r\nAll collected data and the \"auth_signature\" and \"auth_timestamp\" are sent to hxxps[:]//unioncrypto.vip/update using the\r\nBarbeque::post() method. The Barbeque class is a custom-made C++ class which has both a post() and a get() method, which\r\nutilize libcurl to perform network communications for the malware. 
Barbeque::post() sends the system data in this specific\r\nformat:\r\n--Begin format--\r\nrlz=[device serial number]\u0026ei=[ProductVersion] (ProductBuildVersion)\u0026act=check\r\n--End format--\r\nThese values are found as described above or are hard-coded into the malware data section (Figure 15).\r\nIf the C2 server returns the string “0,\" unioncryptotrader will sleep for ten minutes and then regenerate the auth_timestamp\r\nand auth_signature to contact the C2 again via the same Barbeque::post() method.\r\nIf the C2 server does not return the string “0,\" the malware will decode the base64 payload, and decrypt it using the C++\r\naes_decrypt_cbc function. After decryption, the malware uses the OSX function mmap to allocate memory with read, write,\r\nand execute permissions. This is specified by the 7 loaded into the edx register before mmap is called. (Note: the 7, or binary\r\n111, comes from OR’ing the read (100), write (010), and execute (001) binary values together, just as file permissions are\r\noften set). If mmap is successful in allocating the memory, the function then uses memcpy to copy the decrypted payload\r\ninto the mmap’d memory region (Figure 16).\r\nAfter the decrypted payload is copied into memory, unioncryptoupdater calls a function named memory_exec2, which\r\nutilizes Apple API NSCreateObjectFileImageFromMemory to create an “object file image” from the memory, and Apple\r\nAPI NSLinkModule to link the “object file image”. The API calls are necessary to allow the payload in memory to execute,\r\nas files in memory are not simply able to execute as files on disk are (Figure 17).\r\nOnce the malware has mapped and linked the payload in memory, it searches the mapped memory for “0xfeedfacf,\" which is\r\nthe magic number for 64-bit OSX executables. 
This check is likely included to verify the payload was properly decoded,\r\ndecrypted, and memory mapped before attempting execution (Figure 18).\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 16 of 18\n\nAfter verifying the magic number, the malware searches for the address 0x80000028, which is the address of the LC_MAIN\r\nLoad Command. Load Commands are similar to a table of contents for an OSX executable which contain commands and\r\ncommand positions in the binary. Offset 0x8 of the LC_MAIN load command contains the offset of the OSX executable\r\nentry point (Figure 19). This entry point is placed in register r8, and is called by the malware.\r\nThis process of allocating memory, copying the payload into memory, and calling the entry point achieves pure in-memory\r\nexecution of the remotely downloaded payload. As such, if this is successful, the payload can be executed exclusively in\r\nmemory and is never copied to disk.\r\nIf any part of the memory code execution process fails, unioncryptoupdater will write the received payload to\r\n“/tmp/updater” instead and execute it with a call to system (Figure 20).\r\nThe payload for this OSX malware could not be downloaded, as the C2 server \"unioncrypto.vip/update\" is no longer\r\naccessible. 
In addition, the payload was not identified in open source reporting.\r\nScreenshots\r\nFigure 12 - Screenshot of the IOPlatformSerialNumber reference in unioncryptoupdater.\r\nFigure 13 - Screenshot of the unioncryptoupdater collecting OS version.\r\nFigure 14 - Screenshot of unioncryptoupdater getting current time and combining with hard-coded value.\r\nFigure 15 - Screenshot of the various hard-coded values in unioncryptoupdater.\r\nFigure 16 - Screenshot of mmap and memcpy in unioncryptoupdater.\r\nFigure 17 - Screenshot of NSCreateObjectFileImageFromMemory.\r\nFigure 18 - Screenshot of 39FEEDFACF in unioncryptoupdater.\r\nFigure 19 - Screenshot of the load and call entry point of payload.\r\nFigure 20 - Screenshot of the write payload to disk and execute.\r\nRelationship Summary\r\ne3623c2440... Contains af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49\r\nunioncrypto.vip Downloaded_To 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390\r\nunioncrypto.vip Downloaded_To 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3\r\naf4144c1f0... Contained_Within e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774\r\naf4144c1f0... Contains 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f\r\naf4144c1f0... Contains 0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36\r\n0967d2f122... Contained_Within af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49\r\n01c13f825e... Downloaded 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3\r\n01c13f825e... Contained_Within af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49\r\n755bd7a376... Downloaded_By 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f\r\n755bd7a376... Downloaded_From unioncrypto.vip\r\n755bd7a376... Connected_To 216.189.150.185\r\n216.189.150.185 Connected_From 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3\r\n2ab58b7ce5... 
Downloaded_From unioncrypto.vip\r\n2ab58b7ce5... Contains 6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0\r\n2ab58b7ce5... Contains 631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680\r\n6f45a004ad... Contained_Within 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390\r\n631ac26992... Contained_Within 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 17 of 18\n\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central .\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c"
	],
	"report_names": [
		"ar21-048c"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434496,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a34a18dc09b178cf315c2e34384beabbf5703421.pdf",
		"text": "https://archive.orkl.eu/a34a18dc09b178cf315c2e34384beabbf5703421.txt",
		"img": "https://archive.orkl.eu/a34a18dc09b178cf315c2e34384beabbf5703421.jpg"
	}
}