CrystalBit / Apple Double DLL Hijack - From fraudulent software bundle downloads to an evasive miner raging campaign

released on 2020-06-16 @ 07:13:39 PM
A technical dive into a significant attack campaign that took place in the second week of May. During this attack, the adversary abuses two legitimate vendor applications, CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment. The abuse of the Apple push notification executable, APSDaemon.exe, is certainly not new. For more than a year, adversaries have deployed a legitimate, signed copy of the application together with a malicious AppleVersions.dll that the daemon loads shortly after starting. In most cases the deployment was part of a second stage of an attack and has rarely been seen as part of the initial infiltration stage.