CISA, the FBI, and the US Treasury Department have recently issued a warning that firms in the cryptocurrency and blockchain industries are being targeted by the North Korean Lazarus hacking gang. It seems that the threat actors are using trojanized cryptocurrency applications in this wave of cyberattacks.
The hackers utilize social engineering to persuade employees of crypto firms to download and execute malicious cryptocurrency apps for Windows and macOS.
More Details about the Lazarus Operation
What the Lazarus operators do with these trojanized tools is to obtain access to the victims’ computers, distribute malware throughout their networks, and steal private keys that allow them to conduct fraudulent blockchain transactions and steal wallet crypto assets.
The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). (…) Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as “TraderTraitor.”
Being cross-platform Electron utilities, for the creation of the trojanized TraderTraitor apps JavaScript and the Node.js runtime environment were used.
TraderTraitor apps are almost usually distributed through modern-looking websites that tout the supposed advantages of the bogus crypto apps.
Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads (see North Korean Remote Access Tool: COPPERHEDGE). Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion.
What TraderTraitor Crypto Apps Have Been Used by the Threat Actors?
The following are some of the malicious TraderTraitor bitcoin apps that have been utilized in these attacks, according to the joint advisory:
- DAFOM which stands for a crypto portfolio apps (macOS);
- TokenAIS implies being able to help cryptocurrency traders “create a portfolio of AI-based trading” (macOS);
- CryptAIS that pretends to own the capacity to “help build a portfolio of AI-based trading” (macOS);
- AlticGO claims to provide real-time cryptocurrency pricing and forecasts (Windows);
- Esilet pretends to provide real-time cryptocurrency pricing and forecasts too (macOS);
- CreAI Deck is a platform for “artificial intelligence and deep learning,” according to the company (Windows and macOS).
Lazarus: Not at Their First Campaigns
According to BleepingComputer, last year, the FBI, CISA, and the US Department of Treasury shared intelligence about harmful and phony crypto-trading apps laced with AppleJeus malware, which Lazarus used to steal cryptocurrency from individuals and businesses all around the world.
Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, and Ants2Whale were among the apps trojanized by AppleJeus.
Three Lazarus Group members were charged by the US Justice Department for stealing $1.3 billion in cash and cryptocurrencies from banks, the entertainment industry, cryptocurrency startups, and other organizations around the world.
Did you enjoy this article? Follow us on LinkedIn, Twitter, Facebook, Youtube, or Instagram to keep up to date with everything we post!