Dorusio

Malware updated 4 months ago (2024-05-04T21:18:55.383Z)
Dorusio is a malware application belonging to the "AppleJeus" family, a set of malicious cryptocurrency applications developed by North Korean state-backed hackers tracked as HIDDEN COBRA. Dorusio mimics an open-source cryptocurrency wallet and was developed alongside other malicious applications in the family, including Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, Kupay Wallet, CoinGo Trade, CryptoNeuro Trader, and Ants2Whale, from March 2018 to at least September 2020. It installs itself in the folder /Applications/Dorusio.app/Contents/MacOS/ on both Windows and macOS systems, presenting itself as a fully functional, legitimate-looking wallet program.

The cybersecurity community regards these programs as a significant threat to cryptocurrency operations: Dorusio provides a backdoor into the victim's computer. Once installed, it communicates with a command-and-control (C2) server through a connection named "Dorusio Wallet 2.1.0 (Check Update Osx)", enabling data theft and system disruption. Further details about this malware can be found in the MAR-10322463-6.v1 report on the U.S. CERT website.

Installing several AppleJeus applications on the same system causes conflicts; specifically, if Dorusio, Kupay Wallet, or CoinGoTrade are installed concurrently, installation issues occur. Apart from the Dorusio logo and two new services, the Dorusio wallet appears very similar to the Kupay Wallet, which adds to its deceptive nature.
Description last updated: 2024-05-04T21:05:08.433Z
Aliases: none currently tracked
Source Document References
Information about the Dorusio malware was read from the documents below.

- MITRE (2 years ago): Three North Korean Military Hackers Indicted in Wide-Ranging Scheme
- MITRE (2 years ago): AppleJeus: Analysis of North Korea's Cryptocurrency Malware | CISA