{
	"id": "deb8b26f-a09e-4a39-9f35-7136cf04b8c3",
	"created_at": "2026-04-10T03:21:30.366595Z",
	"updated_at": "2026-04-10T13:12:04.517879Z",
	"deleted_at": null,
	"sha1_hash": "bde4ec0468f38d92ab5b348511c98675d1c0ec92",
	"title": "MAR-10322463-6.v1 - AppleJeus: Dorusio | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83878,
	"plain_text": "MAR-10322463-6.v1 - AppleJeus: Dorusio | CISA\r\nPublished: 2021-02-17 · Archived: 2026-04-10 02:30:10 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber\r\nthreat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and\r\nprovide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus\r\nGroup—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is\r\ntargeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the\r\ndissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of\r\ncryptocurrency.\r\nThis MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by\r\nthe North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as\r\nHIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see\r\nJoint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at\r\nhttps://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f\r\nPage 1 of 11\n\nThere have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. 
In most\r\nversions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an\r\nunsuspecting individual downloads a third-party application from a website that appears legitimate.\r\nThe U.S. Government has identified AppleJeus malware version—Dorusio—and associated IOCs used by the North Korean\r\ngovernment in AppleJeus operations. Some information has been redacted from this report to preserve victim anonymity.\r\nDorusio, discovered in March 2020, is legitimate-looking cryptocurrency trading software that is marketed and distributed\r\nby a company and website—Dorusio Wallet and dorusio[.]com, respectively—that appear legitimate. There are Windows\r\nand OSX versions of Dorusio Wallet. As of at least early 2020, the actual download links result in 404 errors. The download\r\npage has release notes with version revisions claiming to start with Version 1.0.0, which was released on April 15, 2019.\r\nFor a downloadable copy of IOCs, see: MAR-10322463-6.v1.stix.\r\nSubmitted Files (6)\r\n[Redacted] (dorusio_osx_v2.1.0.dmg)\r\n21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831 (DorusioUpgrade.exe)\r\n[Redacted] (dorusio_win_v2.1.0.msi)\r\n78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f (Dorusio.exe)\r\na0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492 (Dorusio)\r\ndcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61 (dorusio_upgrade)\r\nDomains (1)\r\ndorusio.com\r\nFindings\r\n[Redacted]\r\nTags\r\ndropper, trojan\r\nDetails\r\nName dorusio_win_v2.1.0.msi\r\nSize 141426176 bytes\r\nType\r\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer,\r\nSecurity: 0, Code page: 1252, Number of Words: 2, Subject: Dorusio, Author: Dorusio Service Ltd, Name\r\nof Creating Application: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer\r\ndatabase contains the logic and data required to install 
Dorusio., Title: Installation Database, Keywords:\r\nInstaller, MSI, Database, Number of Pages: 200\r\nMD5 [Redacted]\r\nSHA1 [Redacted]\r\nSHA256 [Redacted]\r\nSHA512 [Redacted]\r\nssdeep [Redacted]\r\nEntropy [Redacted]\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n[Redacted] Downloaded_By dorusio.com\r\n[Redacted] Contains 78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f\r\n[Redacted] Contains 21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831\r\nDescription\r\nThis Windows program from the Dorusio Wallet site is a Windows MSI Installer. This installer appears to be legitimate and\r\nwill install \"Dorusio.exe\" (78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f) in the “C:\\Program\r\nFiles (x86)\\Dorusio” folder. It will also install \"DorusioUpgrade.exe\"\r\n(21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831) in the “C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Roaming\\DorusioSupport” folder. 
Immediately after installation, the installer launches\r\n\"DorusioUpgrade.exe.\" During installation, a Dorusio folder containing the \"Dorusio.exe\" application is added to the start\r\nmenu.\r\nScreenshots\r\nFigure 1 - Screenshot of the Dorusio Wallet installation.\r\ndorusio.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ndorusio.com/dorusio_update.php\r\nWhois\r\nWhois for dorusio.com had the following information:\r\nRegistrar: NAMECHEAP INC\r\nCreation Date: 2020-03-30\r\nRegistrar Registration Expiration Date: 2021-03-30\r\nRelationships\r\ndorusio.com Connected_From dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61\r\ndorusio.com Downloaded [Redacted]\r\ndorusio.com Downloaded [Redacted]\r\nDescription\r\nThe domain \"dorusio.com\" had a legitimately signed Sectigo SSL certificate, which was “Domain Control Validated”, similar\r\nto the certificates issued for previous AppleJeus domains. A domain-validated certificate only proves control of the domain at issuance time, so its presence says nothing about the legitimacy of the operator. Investigation revealed the point of contact listed for\r\nverification was support[@]dorusio.com. No other contact information was available as the administrative or technical\r\ncontact for the domain.\r\nThe domain is registered with NameCheap and resolved to the IP address 198.54.115.51 (ASN 22612). 
This IP is on the same ASN as\r\nthe AppleJeus version 5 \"CoinGoTrade\" IP address.\r\nScreenshots\r\nFigure 2 - Screenshot of the Dorusio site.\r\nFigure 3 - Screenshot of the Dorusio download page.\r\n78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f\r\nTags\r\ntrojan\r\nDetails\r\nName Dorusio.exe\r\nSize 97682432 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 6c36c8efe2ec2b12f343537d214f45e8\r\nSHA1 69eb27395e8f23b592547b69fbaf19ad03d6a89a\r\nSHA256 78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f\r\nSHA512 e9e72322983315d7a99e104b0a36e6301b7c78b3e93fc33c03e2e74ea1d5423b852a23a87a8ecaadf33f73ceb03b306d953b197a13542ae43\r\nssdeep 1572864:odJvugr82jf19dUM/1T8+1VJRukUhkmG:odhg6Pm\r\nEntropy 6.674758\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\n97 1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6\r\nPE Metadata\r\nCompile Date 2019-12-16 00:00:00-05:00\r\nImport Hash bb1d46df79ee2045d0bc2529cf6c7458\r\nCompany Name BitPay\r\nFile Description Dorusio\r\nInternal Name Dorusio\r\nLegal Copyright Copyright © 2020 BitPay\r\nProduct Name Dorusio\r\nProduct Version 2.1.0.0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nf62420692d3492b34a0696beb92d52dc header 1024 2.991122\r\n36430f041d87935dcb34adde2e7d625d .text 78234112 6.471421\r\nee7e02e8e2958ff79f25c8fd8b7d33e5 .rdata 15596032 6.376243\r\n65c59271f5c2bab26a7d0838e9f04bcf .data 262144 3.484705\r\n00406f1d9355757d80cbf48242fdf344 .pdata 2768896 6.805097\r\n6a6a225bfe091e65d3f82654179fbc50 .00cfg 512 0.195869\r\n786f587a97128c401be15c90fe059b72 .rodata 6144 4.219562\r\n9efa43af7b1faae15ffbd428d0485819 .tls 512 0.136464\r\n60d3ea61d541c9be2e845d2787fb9574 CPADinfo 512 0.122276\r\nbf619eac0cdf3f68d496ea9344137e8b prot 512 
0.000000\r\nfb5463e289f28642cc816a9010f32981 .rsrc 102912 4.766115\r\nfb3216031225fdb1902888e247009d0c .reloc 709120 5.476445\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\n78b56a1385... Contained_Within [Redacted]\r\nDescription\r\nThis file is a 64-bit Windows executable contained within the Windows MSI Installer \"dorusio_win_v2.1.0.msi.\" When\r\nexecuted, \"Dorusio.exe\" loads a legitimate-looking cryptocurrency wallet application with no signs of malicious activity.\r\nAside from the \"Dorusio\" logo and two new services, the wallet appears to be the same as the AppleJeus version 4 \"Kupay\r\nwallet.\"\r\nThis application appears to be a modification of the open-source cryptocurrency wallet Copay, which is distributed by the Atlanta-based\r\ncompany BitPay. According to the website \"bitpay.com,\" “BitPay builds powerful, enterprise-grade tools for crypto\r\nacceptance and spending”.\r\nIn addition to the similar appearance, a DNS request for \"bitpay.com\" is always sent out immediately after a\r\nDNS request for \"dorusio.com\", and the company listed in the \"Dorusio\" file information is BitPay.\r\nIn addition, the GitHub “Commit Hash” listed in the \"Dorusio\" application, “638b2b1”, points to a branch of Copay found at\r\nhxxps[:]//github.com/flean/copay-1.\r\nScreenshots\r\nFigure 4 - Screenshot of the Dorusio application.\r\nFigure 5 - Screenshot of the \"Dorusio.exe\" file information.\r\n21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831\r\nTags\r\ntrojan\r\nDetails\r\nName DorusioUpgrade.exe\r\nSize 115712 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 0f39312e8eb5702647664e9ae8502ceb\r\nSHA1 7e64fb8ec24361406ed685719d8dedc7920791d5\r\nSHA256 21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831\r\nSHA512 
3362ef6d9c24814972c9b59f2e0b57b2c3acdb4d1dd8cd5a240359bf73ae953116ef9b8d217a817ce985ca22b3bcfe01c1085b5e707a36e93\r\nssdeep 3072:LHOKVwaew2/vN5z3bwe+F6s3yvMBhKBrF:TjwaewcPz3Me+33UF\r\nEntropy 6.126094\r\nAntivirus\r\nAhnlab Trojan/Win64.FakeCoinTrader\r\nAvira TR/NukeSped.xmawj\r\nBitDefender Trojan.GenericKD.34182499\r\nCyren W64/Trojan.ACZK-7741\r\nESET a variant of Win64/NukeSped.DE trojan\r\nEmsisoft Trojan.GenericKD.34182499 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Trojan ( 00569b451 )\r\nLavasoft Trojan.GenericKD.34182499\r\nNetGate Trojan.Win32.Malware\r\nSymantec Trojan.Gen.MBT\r\nTACHYON Trojan/W64.APosT.115712.B\r\nVirusBlokAda Trojan.APosT\r\nZillya! Trojan.NukeSped.Win64.104\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2020-03-30 02:52:41-04:00\r\nImport Hash 565005404f00b7def4499142ade5e3dd\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n7ad599057f9d62e659ad5265b6bf8c8e header 1024 2.724023\r\n7b2cea9046657ec66f103b9b3f53453d .text 65536 6.457037\r\n59a79bcabee5542c73040a87b4be2d4e .rdata 39936 5.085609\r\ndbf3b39f579f6cafbdf3960f0a87f5f9 .data 2560 1.851526\r\na6f84d98a061c4cd7874a78606fff84f .pdata 4096 4.924567\r\n9c5adf56a571e84dc0c7329a768be170 .gfids 512 1.326857\r\nc7e574f00528a7e39d594132f836e2ca .reloc 2048 4.763069\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\n21afaceee5... Contained_Within [Redacted]\r\nDescription\r\nThis file is a 64-bit Windows executable contained within the Windows MSI Installer \"dorusio_win_v2.1.0.msi.\" When\r\nexecuted, \"DorusioUpgrade.exe\" first installs itself as a service, which will automatically start when any user logs on. 
The\r\nservice is installed with a description of “Automatic Dorusio Upgrade.\"\r\nAfter installing the service, \"DorusioUpgrade.exe\" behaves like the upgrade components of Kupay Wallet\r\n(AppleJeus variant 4) and CoinGoTrade (AppleJeus variant 5). On startup, \"DorusioUpgrade.exe\" allocates memory in order\r\nto later write a file. After allocating the memory and storing the hardcoded string “Latest” in a variable, the program\r\nattempts to open a network connection. The connection is named “Dorusio Wallet 2.1.0 (Check Update Windows)”, likely so that\r\nit looks like a benign update check to a user.\r\nSimilar to previous AppleJeus variants, \"DorusioUpgrade.exe\" collects some basic information from the system as well as a\r\ntimestamp and places them in hard-coded format strings. Specifically, the timestamp is placed into the format string\r\n“ver=%d\u0026timestamp=%lu”, where ver is set to 201000, possibly referring to the Dorusio Wallet version previously\r\nmentioned (Figure 5). The macOS upgrader described later in this report uses 20100 for the same field, so detection should not key on the exact ver value.\r\nThis basic information and the hard-coded strings are sent via a POST to the command and control (C2)\r\n\"dorusio.com/dorusio_update.php.\" If the POST is successful (i.e., returns HTTP status 200) but the response fails\r\nany of several validation checks, \"DorusioUpgrade.exe\" will sleep for two minutes, regenerate the timestamp, and\r\ncontact the C2 again.\r\nAfter receiving the payload from the C2, the program writes the payload to memory and executes it.\r\nThe payload could not be downloaded as the C2 server dorusio.com/dorusio_update.php is no longer accessible. 
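The check-in described above can be hunted for in proxy or web-server logs. What follows is an added example, not code from this report or from CISA: a small Python detector that flags the documented C2 URL dorusio.com/dorusio_update.php, flags the ver=...&timestamp=... body shape together with the Dorusio Wallet 2.1.0 (Check Update ...) connection label even when the destination differs, and reports per-source gaps close to the two-minute retry. The pipe-delimited log format and every sample line are constructed for the example. The macOS dorusio_upgrade sample documented later in this report posts to the same URL with the label Dorusio Wallet 2.1.0 (Check Update Osx) and ver=20100, so the same rules cover it.

```python
import re
from datetime import datetime, timezone

C2_HOST = 'dorusio.com'
C2_PATH = '/dorusio_update.php'
# Check-in body documented in the report: ver=%d&timestamp=%lu (Windows) and %ld (macOS).
BODY_RE = re.compile(r'^ver=([0-9]+)&timestamp=([0-9]+)$')
# Connection label documented for both upgraders; only the OS word differs.
LABEL_RE = re.compile(r'Dorusio Wallet [0-9.]+ [(]Check Update (Windows|Osx)[)]')
RETRY_SECONDS = 120      # report: sleep two minutes, regenerate the timestamp, contact the C2 again
RETRY_TOLERANCE = 15     # allowance for scheduling and network delay
MAX_DRIFT = 300          # body timestamp vs. log time; the report says it is regenerated per attempt

def parse_line(line):
    # Constructed log format (assumption): time|source|method|url|connection label|request body
    ts, src, method, url, label, body = line.split('|', 5)
    when = datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    m = re.match(r'https?://([^/]+)(/[^?]*)', url)
    host, path = (m.group(1), m.group(2)) if m else ('', '')
    return {'when': when, 'src': src, 'method': method, 'host': host,
            'path': path, 'label': label, 'body': body}

def classify(rec):
    # Returns the reasons a request looks like a Dorusio check-in; an empty list means benign.
    reasons = []
    if rec['method'] == 'POST' and rec['host'] == C2_HOST and rec['path'] == C2_PATH:
        reasons.append('ioc:c2-url')
    m = BODY_RE.match(rec['body'])
    if m:
        # Behavioral match: survives a change of domain, since the format recurs across AppleJeus variants.
        reasons.append('behavior:ver-timestamp-body')
        drift = abs(int(m.group(2)) - int(rec['when'].timestamp()))
        if drift <= MAX_DRIFT:
            reasons.append('behavior:fresh-epoch-timestamp')
    if LABEL_RE.search(rec['label']):
        reasons.append('behavior:check-update-label')
    return reasons

def retry_cadence(records):
    # Per source, the gaps between consecutive flagged requests that sit near the two-minute retry.
    by_src = {}
    for r in records:
        by_src.setdefault(r['src'], []).append(r['when'])
    cadence = {}
    for src, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cadence[src] = [g for g in gaps if abs(g - RETRY_SECONDS) <= RETRY_TOLERANCE]
    return cadence

def scan(log_text):
    records = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        rec['reasons'] = classify(rec)
        if rec['reasons']:
            records.append(rec)
    return records, retry_cadence(records)

# Constructed sample traffic (not captured data): two Windows check-ins two minutes apart,
# one macOS check-in, one same-shaped check-in sent to another host, and two unrelated requests.
SAMPLE_LOG = '''
2020-04-02T14:00:00Z|10.1.2.3|POST|https://dorusio.com/dorusio_update.php|Dorusio Wallet 2.1.0 (Check Update Windows)|ver=201000&timestamp=1585836000
2020-04-02T14:00:05Z|10.1.2.9|GET|https://bitpay.com/|Mozilla/5.0|
2020-04-02T14:02:01Z|10.1.2.3|POST|https://dorusio.com/dorusio_update.php|Dorusio Wallet 2.1.0 (Check Update Windows)|ver=201000&timestamp=1585836121
2020-04-02T14:03:30Z|10.1.2.7|POST|https://dorusio.com/dorusio_update.php|Dorusio Wallet 2.1.0 (Check Update Osx)|ver=20100&timestamp=1585836210
2020-04-02T14:04:00Z|10.1.2.3|POST|https://example.org/api|curl/7.64|x=1
2020-04-02T14:05:00Z|10.1.2.5|POST|https://198.51.100.7/update.php|Dorusio Wallet 2.1.0 (Check Update Windows)|ver=201000&timestamp=1585836300
'''

if __name__ == '__main__':
    hits, cadence = scan(SAMPLE_LOG)
    for h in hits:
        print(h['when'].isoformat(), h['src'], h['host'] + h['path'], h['reasons'])
    print('two-minute retry gaps per source:', cadence)
```

The behavioral rules matter more than the domain: the report notes that the same format strings appear in the Kupay and CoinGoTrade upgraders, so keying only on dorusio.com would miss the next rebrand. On real traffic, widen MAX_DRIFT to cover clock skew and treat the cadence rule as corroboration rather than proof, since legitimate updaters also poll on fixed intervals.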
Open-source reporting was also checked, and no copy of the payload was identified.\r\nScreenshots\r\nFigure 6 - Screenshot of the format string and version.\r\n[Redacted]\r\nTags\r\ndropper, trojan\r\nDetails\r\nName dorusio_osx_v2.1.0.dmg\r\nSize [Redacted] bytes\r\nType zlib compressed data\r\nMD5 [Redacted]\r\nSHA1 [Redacted]\r\nSHA256 [Redacted]\r\nSHA512 [Redacted]\r\nssdeep [Redacted]\r\nEntropy [Redacted]\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n[Redacted] Downloaded_By dorusio.com\r\nDescription\r\nThis OSX program from the Dorusio Wallet site is an Apple DMG installer. The OSX program does not have a digital\r\nsignature, and macOS will warn the user of that before installation. As with all previous versions of AppleJeus, the Dorusio Wallet\r\ninstaller appears to be legitimate, and installs both “Dorusio”\r\n(a0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492) in the\r\n“/Applications/Dorusio.app/Contents/MacOS/” folder and a program named \"dorusio_upgrade\"\r\n(dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61) also in the\r\n“/Applications/Dorusio.app/Contents/MacOS/” folder. The installer contains a postinstall script (Figure 7).\r\nThe postinstall script is identical in functionality to the postinstall scripts from previous AppleJeus variants and is identical\r\nto the CoinGoTrade (version 5) postinstall script. The postinstall script creates a “DorusioDaemon” folder in the OSX\r\n“/Library/Application Support” folder and moves \"dorusio_upgrade\" to it. The “Application Support” folder contains both\r\nsystem and third-party support files which are necessary for program operation. Typically, the subfolders have names\r\nmatching those of the actual applications. 
At installation, Dorusio placed the plist file (com.dorusio.pkg.wallet.plist) in\r\n“/Library/LaunchDaemons/.\"\r\nAs the LaunchDaemon will not be run immediately after the plist file is moved, the postinstall script then launches the\r\ndorusio_upgrade program in the background.\r\nScreenshots\r\nFigure 7 - Screenshot of the postinstall script.\r\nFigure 8 - Screenshot of \"com.dorusio.pkg.wallet.plist.\"\r\na0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492\r\nTags\r\ntrojan\r\nDetails\r\nName Dorusio\r\nSize 186044 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|PIE\u003e\r\nMD5 4a43bafb4af0a038a7f430417bcc1b6e\r\nSHA1 438243575764a5e856951126674f72f20b2a0d6f\r\nSHA256 a0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492\r\nSHA512 51d37b27f390bc7f124f2cb8efb2b9c940d7a0c21b0912d06634f7f6af46a35e3221d25945bcad4b39748699ba8a33b17c350a480560e5c5c\r\nssdeep 3072:RiD/8kxClwjnLFycZ+xzknUapR+Nghc1VeY1HhNGKBqzoJGUNKFsJuMuixQdf:RiDUSyQnLFycZ+a8yhUVeY1LngzofKFF\r\nEntropy 6.083001\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis OSX sample was contained within Apple DMG installer \"dorusio_osx_v2.1.0.dmg.\" Similar to the Windows version,\r\n\"Dorusio\" is likely a copy of Copay from BitPay and is almost identical to the AppleJeus variant 4 OSX \"Kupay\" program.\r\ndcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61\r\nTags\r\ntrojan\r\nDetails\r\nName dorusio_upgrade\r\nSize 33312 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|PIE\u003e\r\nMD5 d620c699a5b1828aca699b5aee77e5e6\r\nSHA1 e769a810389f931b748bbe80742c427126c063a4\r\nSHA256 dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61\r\nSHA512 
7bd98454d2a3fdd9d541dd0547c1f6a690b02b24495ce58324dd6377730f85a22f217173e178253dd8def989106702e87f7fa57223dde011\r\nssdeep 192:fHck6do21hhIymPTzTQxkqMd+K2uk7DLOJ4eL:fHcNqghDmPTzTE\r\nEntropy 1.688205\r\nAntivirus\r\nESET a variant of OSX/NukeSped.F trojan\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\ndcb232409c... Connected_To dorusio.com\r\nDescription\r\nThis OSX sample was contained within Apple DMG installer \"dorusio_osx_v2.1.0.dmg.\" The program \"dorusio_upgrade\" is\r\nsimilar to AppleJeus variant 4 OSX sample \"kupay_upgrade\" and AppleJeus variant 5 OSX sample\r\n\"CoinGoTradeUpgradeDaemon.\" When executed, \"dorusio_upgrade\" immediately sleeps for five seconds, then tests whether\r\nthe hard-coded value stored in “isReady” is a 0 or a 1. If it is a 0, the program sleeps again; if it is a 1, the function\r\n“CheckUpdate” is called. This function contains most of the logic of the malware. \"CheckUpdate\" sends a\r\nPOST to the C2 hxxps[:]//dorusio.com/dorusio_update.php with a connection named “Dorusio Wallet 2.1.0 (Check Update\r\nOsx)”.\r\nAs in the Kupay and CoinGoTrade malware, the timestamp is placed into the format string “ver=%d\u0026timestamp=%ld”,\r\nwhere ver is set to 20100 (the Windows upgrader uses 201000), possibly referring to the Dorusio Wallet version previously mentioned.\r\nIf the C2 server returns a file, it is decoded and written to \"/private/tmp/dorusio_update\" with permissions set by the command\r\n\"chmod 700\" (only the owner can read, write, and execute). The stage2 (/private/tmp/dorusio_update) is then launched, and the\r\nmalware dorusio_upgrade returns to sleeping and checking in with the C2.\r\nThe payload could not be downloaded as the C2 server dorusio.com/dorusio_update.php is no longer accessible. 
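The on-disk footprint described in the Windows section (Dorusio.exe under Program Files (x86), DorusioUpgrade.exe under the per-user DorusioSupport folder) and in the macOS section above (dorusio_upgrade moved to /Library/Application Support/DorusioDaemon/, com.dorusio.pkg.wallet.plist in /Library/LaunchDaemons/, the second stage written to /private/tmp/dorusio_update with mode 700) can be checked in one sweep. The following Python is an added example, not the report's or CISA's code: it walks a root, matches path suffixes and the report's SHA-256 values, parses launchd plists that reference Dorusio, and checks the stage-2 file mode. The plist contents and the fixture files are constructed for the example, since the report shows the real plist only as a screenshot.

```python
import hashlib, os, plistlib, stat, tempfile

# SHA-256 values the report lists for the four unredacted samples.
IOC_SHA256 = {
    '78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f': 'Dorusio.exe',
    '21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831': 'DorusioUpgrade.exe',
    'a0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492': 'Dorusio (Mach-O)',
    'dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61': 'dorusio_upgrade',
}
# Install locations the report describes, as path suffixes with forward slashes.
IOC_PATH_SUFFIXES = (
    'Program Files (x86)/Dorusio/Dorusio.exe',
    'AppData/Roaming/DorusioSupport/DorusioUpgrade.exe',
    'Applications/Dorusio.app/Contents/MacOS/Dorusio',
    'Applications/Dorusio.app/Contents/MacOS/dorusio_upgrade',
    'Library/Application Support/DorusioDaemon/dorusio_upgrade',
    'Library/LaunchDaemons/com.dorusio.pkg.wallet.plist',
    'private/tmp/dorusio_update',
)

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()

def inspect_launch_daemon(path):
    # A launchd plist whose label or program mentions Dorusio is the persistence the postinstall script sets up.
    try:
        with open(path, 'rb') as f:
            pl = plistlib.load(f)
    except Exception:
        return None
    args = pl.get('ProgramArguments') or []
    prog = str(pl.get('Program') or (args[0] if args else ''))
    label = str(pl.get('Label', ''))
    if 'dorusio' in label.lower() or 'dorusio' in prog.lower():
        return {'label': label, 'program': prog, 'run_at_load': bool(pl.get('RunAtLoad', False))}
    return None

def sweep(root, hashes=IOC_SHA256, suffixes=IOC_PATH_SUFFIXES):
    # Walks root; one finding per file that matches a known path, a known hash, or a persistence check.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            norm = full.replace(os.sep, '/')
            reasons = []
            if any(norm.endswith(s) for s in suffixes):
                reasons.append('ioc:path')
            try:
                digest = sha256_of(full)
            except OSError:
                continue
            if digest in hashes:
                reasons.append('ioc:sha256:' + hashes[digest])
            if name.endswith('.plist'):
                ld = inspect_launch_daemon(full)
                if ld:
                    reasons.append('persistence:launchdaemon:' + ld['label'])
            if norm.endswith('tmp/dorusio_update') and os.name == 'posix':
                # Report: the second stage is written with chmod 700 before it is launched.
                if stat.S_IMODE(os.stat(full).st_mode) == 0o700:
                    reasons.append('stage2:mode-0700')
            if reasons:
                findings.append({'path': norm, 'reasons': reasons})
    return sorted(findings, key=lambda f: f['path'])

def build_demo_tree(base):
    # Constructed fixture (not real samples): the macOS layout the postinstall script leaves behind.
    upgrade_bytes = b'constructed stand-in for dorusio_upgrade'
    paths = {
        'daemon': os.path.join(base, 'Library', 'Application Support', 'DorusioDaemon', 'dorusio_upgrade'),
        'plist': os.path.join(base, 'Library', 'LaunchDaemons', 'com.dorusio.pkg.wallet.plist'),
        'benign': os.path.join(base, 'Library', 'LaunchDaemons', 'com.example.agent.plist'),
        'stage2': os.path.join(base, 'private', 'tmp', 'dorusio_update'),
    }
    for p in paths.values():
        os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(paths['daemon'], 'wb') as f:
        f.write(upgrade_bytes)
    # Assumed plist content: the report shows the real file only as a screenshot (Figure 8).
    with open(paths['plist'], 'wb') as f:
        f.write(plistlib.dumps({'Label': 'com.dorusio.pkg.wallet', 'RunAtLoad': True,
                                'ProgramArguments': [paths['daemon']]}))
    with open(paths['benign'], 'wb') as f:
        f.write(plistlib.dumps({'Label': 'com.example.agent', 'ProgramArguments': ['/usr/local/bin/agent']}))
    with open(paths['stage2'], 'wb') as f:
        f.write(b'constructed stage-2 stand-in')
    os.chmod(paths['stage2'], 0o700)
    return hashlib.sha256(upgrade_bytes).hexdigest()

def demo():
    # Runs the sweep over the fixture; the stand-in hash is added so the hash rule fires as well.
    with tempfile.TemporaryDirectory() as base:
        digest = build_demo_tree(base)
        hashes = dict(IOC_SHA256)
        hashes[digest] = 'dorusio_upgrade (demo stand-in)'
        return sweep(base, hashes)

if __name__ == '__main__':
    for f in demo():
        print(f['path'], f['reasons'])
```

Run sweep('/') on a suspect Mac, or sweep over the system drive on Windows (the path comparison normalizes separators). The hash rule is only as good as the IOC set passed in, so the path and persistence rules are what catch a rebuilt binary; the benign com.example.agent.plist in the fixture shows that an unrelated LaunchDaemon produces no finding.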
Open-source reporting was also checked, and no copy of the payload was identified.\r\nScreenshots\r\nFigure 9 - Screenshot of the C2 loaded into the variable.\r\nRelationship Summary\r\n[Redacted] Downloaded_By dorusio.com\r\n[Redacted] Contains 78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f\r\n[Redacted] Contains 21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831\r\ndorusio.com Connected_From dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61\r\ndorusio.com Downloaded [Redacted]\r\ndorusio.com Downloaded [Redacted]\r\n78b56a1385... Contained_Within [Redacted]\r\n21afaceee5... Contained_Within [Redacted]\r\n[Redacted] Downloaded_By dorusio.com\r\ndcb232409c... Connected_To dorusio.com\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. 
To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f"
	],
	"report_names": [
		"ar21-048f"
	],
	"threat_actors": [],
	"ts_created_at": 1775791290,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bde4ec0468f38d92ab5b348511c98675d1c0ec92.pdf",
		"text": "https://archive.orkl.eu/bde4ec0468f38d92ab5b348511c98675d1c0ec92.txt",
		"img": "https://archive.orkl.eu/bde4ec0468f38d92ab5b348511c98675d1c0ec92.jpg"
	}
}