Kupay Wallet

Malware updated 4 months ago (2024-05-04T21:18:56.508Z)
Kupay Wallet is malware belonging to the AppleJeus Version 4 family, developed and deployed by North Korean hackers whom the U.S. government refers to as HIDDEN COBRA. The family was developed between March 2018 and September 2020 and includes other malicious cryptocurrency applications: Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale. Each of these applications gave the operators backdoor access to victims' computers. Kupay Wallet in particular shares functionality with the macOS stage 2 payloads of CoinGoTrade and other applications in the family.

Kupay Wallet conflicts with other AppleJeus applications on the same system: if CoinGoTrade or Dorusio is already installed, the user encounters installation conflicts when attempting to install Kupay Wallet. Aside from minor differences such as logos and services, Kupay Wallet is largely identical to the Dorusio wallet.

Analysis of the Kupay Wallet application shows that it communicates with its command and control (C2) server through an update-check function ("CheckUpdate") embedded in the "kupay_upgrade" program. This function sends a POST request to the C2 server, identifying the connection as "Kupay Wallet 9.0.1 (Check Update Osx)". This C2 communication is classified under Web Protocols (T1071.001, https://attack.mitre.org/versions/v8/techniques/T1071/001) in the MITRE ATT&CK framework, and it indicates that the malware's primary function is to maintain persistent communication with its C2 server for continued exploitation of infected systems.
Description last updated: 2024-05-04T21:05:01.968Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Kupay Wallet malware was read from the documents below.
- MITRE (2 years ago): Three North Korean Military Hackers Indicted in Wide-Ranging Scheme
- MITRE (2 years ago): AppleJeus: Analysis of North Korea's Cryptocurrency Malware | CISA