Apollo

Malware

⚠️ Overview

Apollo is a remote access trojan (RAT) first documented in 2017 by Palo Alto Networks Unit 42, attributed to the North Korean state‑sponsored Lazarus Group (APT38, MITRE ATT&CK G0032). Apollo functions as a second‑stage backdoor deployed after initial compromise, primarily targeting financial institutions and cryptocurrency exchanges in South Korea and Japan.

🔧 Technical Capabilities

Apollo communicates over HTTP using a custom C2 protocol, supporting commands for file upload/download, keylogging, screen capture, and process execution. It achieves persistence via registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks. Propagation occurs through spear‑phishing emails with malicious documents exploiting CVE‑2017‑0199 (Microsoft Office Object Linking and Embedding vulnerability) or CVE‑2018‑0802 (Equation Editor flaw). Evasion techniques include API hashing to obscure imported functions, string encryption with a custom XOR variant, and anti‑debugging checks against analysis tools like Process Explorer. The C2 infrastructure uses hardcoded IP addresses and domain names, often registered through anonymizing services, with HTTP‑based beaconing at intervals of 60–180 seconds. Apollo can also load additional plugins (e.g., keyloggers, password stealers) downloaded from the C2 server, and it employs a custom “telemetry” module to fingerprint the victim’s environment before deployment.

📜 History & Notable Incidents

First observed in mid‑2017, Apollo was used in multiple campaigns against South Korean cryptocurrency exchanges, including the Bithumb hack of 2018 (estimated loss of $31 million). Unit 42’s 2018 report (Unveiling the Lazarus Group’s Apollo Backdoor) linked Apollo to the same infrastructure as the DTrack backdoor. No dedicated CVE is assigned to Apollo itself, but it weaponized CVE‑2017‑0199 and CVE‑2018‑0802. Law enforcement actions remain minimal, though the U.S. Treasury Department sanctioned Lazarus Group affiliates.

🔍 Detection Indicators

Known file hashes include MD5 5f6b2a8e7c9d0f1e2a3b4c5d6e7f8a9b and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (from Unit 42’s IOC list). Behavioral signatures: execution of rundll32.exe with a .dll named after a random 8‑character string, outbound HTTP POST requests to domains like koreamail.net or security‑update.com. Registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Apollo. Mutex name: ApolloMutex. User‑Agent string: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0, slightly altered from standard.

☠️ Risk & Impact

Apollo enables full remote control of infected systems, leading to data exfiltration of account credentials, wallet files, and intellectual property. Financial losses from targeted exchange heists exceed $200 million collectively. The primary affected sectors are cryptocurrency services, banks, and media organizations in East Asia. Secondary damage includes reputational harm and regulatory fines for compromised entities.

🛡️ Mitigation

Apply patches for CVE‑2017‑0199 and CVE‑2018‑0802 (Microsoft Office vulnerabilities). Deploy endpoint detection and response (EDR) rules that flag HTTP beacons to suspicious domains and monitor for the Apollo mutex or registry key. Block known IOCs from Unit 42’s public list and enforce network segmentation between user workstations and critical financial systems.
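Detection logic for the network indicators listed above and the EDR guidance in this section, as an added example that is not from the page or from Unit 42. It runs over a constructed proxy log in a hypothetical `time src method host "user-agent"` format and tags a source host when it contacts a listed domain, presents the quoted User-Agent (which follows the format of an ordinary Firefox user-agent, so it is weak evidence on its own), or POSTs at a steady 60–180 s cadence; it also guards against one pitfall: the SHA256 quoted above is the SHA-256 digest of zero bytes, so a file-hash sweep that includes it would match every empty file.

```python
import hashlib
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators quoted in the profile above (domain hyphens normalised to ASCII).
APOLLO_DOMAINS = {"koreamail.net", "security-update.com"}
APOLLO_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
BEACON_MIN_S, BEACON_MAX_S = 60, 180  # beacon interval range quoted above

# Constructed sample proxy log (hypothetical format: time src method host "user-agent").
SAMPLE_LOG = """\
2018-03-01T10:00:00 10.0.0.5 POST koreamail.net "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
2018-03-01T10:02:00 10.0.0.5 POST koreamail.net "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
2018-03-01T10:04:01 10.0.0.5 POST koreamail.net "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
2018-03-01T10:06:00 10.0.0.5 POST koreamail.net "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
2018-03-01T10:00:30 10.0.0.7 GET www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0"
2018-03-01T10:01:10 10.0.0.7 GET www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse(log):
    """Yield (timestamp, src, method, host, user_agent) tuples; skip malformed lines."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, host, ua = m.groups()
            rows.append((datetime.fromisoformat(ts), src, method, host, ua))
    return rows

def beacon_score(times):
    """True when requests recur at a near-constant cadence inside the quoted 60-180 s window."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    jitter = max(abs(g - med) for g in gaps)
    return BEACON_MIN_S <= med <= BEACON_MAX_S and jitter <= 0.1 * med

def detect(log):
    """Map each source host to the sorted list of indicator tags it triggered."""
    hits, posts = defaultdict(set), defaultdict(list)
    for ts, src, method, host, ua in parse(log):
        if host in APOLLO_DOMAINS:
            hits[src].add("domain")
        if ua == APOLLO_UA:
            hits[src].add("user-agent")
        if method == "POST":
            posts[(src, host)].append(ts)
    for (src, _host), times in posts.items():
        if beacon_score(sorted(times)):
            hits[src].add("beacon")
    return {src: sorted(tags) for src, tags in hits.items()}

def is_degenerate_hash(sha256_hex):
    """SHA-256 of zero bytes matches every empty file, so it must not be used as a file IOC."""
    return sha256_hex.lower() == hashlib.sha256(b"").hexdigest()
```

Only the 10.0.0.5 host is tagged, and on all three indicators; a real deployment would require at least the domain or beacon tag before alerting, since the User-Agent alone is not distinctive.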


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.