AppleJeus
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | AppleJeus has sent data to its C2 server via |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | AppleJeus has used shell scripts to execute commands after installation and set persistence mechanisms.(Citation: CISA AppleJeus Feb 2021)(Citation: ObjectiveSee AppleJeus 2019) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | AppleJeus can install itself as a service.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1543.004 | Create or Modify System Process: Launch Daemon | AppleJeus has placed a plist file within the |
| Enterprise | T1546.016 | Event Triggered Execution: Installer Packages | During AppleJeus's installation process, it uses `postinstall` scripts to extract a hidden plist from the application's `/Resources` folder and execute the `plist` file as a Launch Daemon with elevated permissions.(Citation: ObjectiveSee AppleJeus 2019) |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | AppleJeus has added a leading |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | AppleJeus has deleted the MSI file after installation.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | AppleJeus has been distributed via spearphishing link.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | AppleJeus has used a valid digital signature from Sectigo to appear legitimate.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | AppleJeus has been installed via MSI installer.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1569.001 | System Services: Launchctl | AppleJeus has loaded a plist file using the |
| Enterprise | T1204.001 | User Execution: Malicious Link | AppleJeus's spearphishing links required user interaction to navigate to the malicious website.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1204.002 | User Execution: Malicious File | AppleJeus has required user execution of a malicious MSI installer.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | AppleJeus has waited a specified time before downloading a second stage payload.(Citation: CISA AppleJeus Feb 2021) |
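The T1546.016 / T1543.004 / T1564.001 rows above describe a Launch Daemon whose plist is pulled from an app bundle's Resources folder and whose artifacts are hidden with a leading dot. The following audit script is an added example written for this page, not code from ATT&CK or from any AppleJeus report: it parses Launch Daemon plists and flags the traits those rows describe (hidden plist name, executable under a bundle's `Contents/Resources`, hidden path components, `RunAtLoad` on a flagged entry). The two sample plists and the label `com.example.*` are constructed; `/Library/LaunchDaemons` is the standard system daemon directory.

```python
import os
import plistlib
from pathlib import PurePosixPath

# Constructed samples (not real AppleJeus artifacts): one matching the
# traits described on the page, one ordinary daemon for comparison.
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/Resources/.updater", "--daemon"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.service",
    "ProgramArguments": ["/usr/local/bin/service", "--daemon"],
})

def hidden_components(path):
    """Return path components that start with '.', ignoring '.' and '..'."""
    return [p for p in PurePosixPath(path).parts if p.startswith(".") and p not in (".", "..")]

def audit_launch_daemon(plist_path, data):
    """Return a list of human-readable findings for one Launch Daemon plist."""
    findings = []
    if PurePosixPath(plist_path).name.startswith("."):
        findings.append("hidden plist filename")
    try:
        pl = plistlib.loads(data)
    except Exception:
        return findings + ["unparseable plist"]
    # launchd runs either 'Program' or the first element of 'ProgramArguments'.
    executables = [pl["Program"]] if "Program" in pl else pl.get("ProgramArguments", [])[:1]
    for exe in executables:
        if hidden_components(exe):
            findings.append(f"hidden path component in executable: {exe}")
        if "/Contents/Resources/" in exe:
            findings.append(f"executable inside an app bundle Resources folder: {exe}")
    if pl.get("RunAtLoad") and findings:
        findings.append("RunAtLoad set on a flagged daemon")
    return findings

def audit_directory(directory="/Library/LaunchDaemons"):
    """Audit every .plist in a launchd directory; returns {path: findings}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as f:
                results[path] = audit_launch_daemon(path, f.read())
    return results

if __name__ == "__main__":
    for path, findings in audit_directory().items():
        if findings:
            print(path, "->", "; ".join(findings))
```

Only daemons with at least one finding are printed; review them against the installing package rather than treating a hit as proof of compromise on its own.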
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | (Citation: CISA AppleJeus Feb 2021) |