Kupay Wallet

Malware Profile (updated 3 months ago)
Kupay Wallet is malicious software (malware) identified as part of the AppleJeus Version 4 malware family, developed and deployed by North Korean hackers referred to by the U.S. government as HIDDEN COBRA. The malware was developed between March 2018 and September 2020, alongside other malicious cryptocurrency applications such as Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale. These applications gave the hackers backdoor access to the victims' computers. Kupay Wallet in particular shares functionality with the macOS stage 2 payloads of CoinGoTrade and other applications in this malware family.

Kupay Wallet conflicts with other applications from the AppleJeus family: if CoinGoTrade or Dorusio is already installed on a system, the user encounters installation conflicts when attempting to install Kupay Wallet. Aside from minor differences such as logos and services, Kupay Wallet is largely identical to the Dorusio wallet.

A detailed analysis of the Kupay Wallet application revealed that it communicates with its command and control (C2) server through an update check function ("CheckUpdate") embedded in the "kupay_upgrade" program. This function sends a POST request to the C2 server, establishing a connection named "Kupay Wallet 9.0.1 (Check Update Osx)", a technique classified as Web Protocols (T1071.001, https://attack.mitre.org/versions/v8/techniques/T1071/001) in the MITRE ATT&CK framework. This indicates that the malware's primary function is to maintain persistent communication with its C2 server so that infected systems can be exploited continuously.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID / Votes / Profile Description
Dorusio (1 vote): Dorusio is a malware application that is part of the "AppleJeus" family, a group of malicious cryptocurrency applications developed by North Korean hackers, also known as HIDDEN COBRA. The Dorusio program, which mimics an open-source cryptocurrency wallet application, was developed alongside other m
Coingotrade (1 vote): CoinGoTrade is a malicious software (malware) disguised as a legitimate cryptocurrency wallet application. It installs itself in the /Applications/CoinGoTrade.app/Contents/MacOS/ folder and presents a fully functional wallet program to its victims. The malware was first brought to public attention o
AppleJeus (1 vote): AppleJeus is a notorious malware attributed to the North Korean APT Lazarus Group, designed primarily to steal cryptocurrency. This malicious software has been a key instrument in North Korea's financial theft operations, with threat groups pilfering $2.3 billion USD worth of crypto assets between M
Celas Trade Pro (1 vote): Celas Trade Pro is a malicious software application posing as a cryptocurrency trading platform. It was developed by North Korean hackers, referred to as HIDDEN COBRA by the U.S. government, as part of a series of deceptive applications collectively known as the "AppleJeus" family of malware. These
Ants2whale (1 vote): Ants2Whale is a malicious software (malware) identified as the seventh version of AppleJeus, a notorious family of North Korean malware targeting cryptocurrency operations. First discovered in late 2020, Ants2Whale operates similarly to its predecessors, with its main function being to provide hacke
Miscellaneous Associations
Other elements of context that could help in identifying relevance
Korean
Backdoor
t1583.001
Malware
Windows
Celas Trade ...
Bot
t1071.001
Macos
Associated Malware
ID / Type / Votes / Profile Description
No associations to display
Associated Threat Actors
ID / Type / Votes / Profile Description
HIDDEN COBRA (type: Unspecified; 1 vote): Hidden Cobra, also known as the Lazarus Group and Sapphire Sleet, is a North Korean cyberespionage group that has been active since at least 2009. The U.S. Government uses the term Hidden Cobra to refer to malicious cyber activities by the North Korean government, with the BeagleBoyz representing a
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the Kupay Wallet malware was read from the documents in the corpus below. This display is limited to 20 results.
Source / Created At / Title
MITRE (a year ago): Three North Korean Military Hackers Indicted in Wide-Ranging Scheme
MITRE (a year ago): AppleJeus: Analysis of North Korea's Cryptocurrency Malware | CISA