
FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies


The U.S. Cybersecurity and Infrastructure Security Agency
(CISA), along with the Federal Bureau of Investigation (FBI) and
the Treasury Department, warned of a new set of ongoing cyber
attacks carried out by the Lazarus Group targeting blockchain
companies.

Tracked as TraderTraitor[1], the activity cluster involves the North
Korean state-sponsored advanced persistent threat (APT) actor
striking entities operating in the Web3.0 industry since at least
2020.

Targeted organizations include cryptocurrency exchanges,
decentralized finance (DeFi) protocols, play-to-earn cryptocurrency
video games, cryptocurrency trading companies, venture capital
funds investing in cryptocurrency, and individual holders of large
amounts of cryptocurrency or valuable non-fungible tokens
(NFTs).


The attack chains begin with the threat actor contacting victims
over various communication platforms and luring them into
downloading weaponized cryptocurrency apps for Windows and macOS.
The actor then uses that foothold to spread the malware across the
network and carry out follow-on activity to steal private keys and
initiate rogue blockchain transactions.

“Intrusions begin with a large number of spear-phishing messages
sent to employees of cryptocurrency companies,” the advisory reads.
“The messages often mimic a recruitment effort and offer
high-paying jobs to entice the recipients to download malware-laced
cryptocurrency applications.”


This is far from the first time the group has deployed custom
malware to steal cryptocurrency. Other campaigns mounted by the
Lazarus Group consist of Operation AppleJeus[2], SnatchCrypto[3], and, more recently,
making use of trojanized DeFi wallet apps[4] to backdoor Windows
machines.

The TraderTraitor threat comprises a number of fake crypto apps
that are based on open-source projects and claim to be
cryptocurrency trading or price prediction software, only to
deliver the Manuscrypt[5]
remote access trojan, a piece of malware previously tied to the
group’s hacking campaigns against the cryptocurrency and mobile
games industries.

The list of malicious apps and their associated domains is below:

  • DAFOM (dafom[.]dev)
  • TokenAIS (tokenais[.]com)
  • CryptAIS (cryptais[.]com)
  • AlticGO (alticgo[.]com)
  • Esilet (esilet[.]com), and
  • CreAI Deck (creaideck[.]com)
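As an added defender-side example (not part of the original article or the advisory), the following script refangs the defanged domains listed above and flags DNS query log lines that resolve them or any of their subdomains. The log line format and the log entries themselves are constructed for the example.

```python
"""Added example: match the TraderTraitor domains from the advisory
against DNS query logs. Log lines below are constructed samples."""
import re
from typing import Optional

# Defanged indicators exactly as listed in the article.
TRADERTRAITOR_DOMAINS = [
    "dafom[.]dev", "tokenais[.]com", "cryptais[.]com",
    "alticgo[.]com", "esilet[.]com", "creaideck[.]com",
]

def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'dafom[.]dev' back into 'dafom.dev'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()

def matches_indicator(hostname: str, indicators) -> Optional[str]:
    """Return the matching domain if hostname equals it or is a subdomain of it."""
    host = hostname.lower().rstrip(".")  # strip trailing dot from FQDN form
    for ind in indicators:
        domain = refang(ind)
        if host == domain or host.endswith("." + domain):
            return domain
    return None

# Constructed sample DNS log (not real telemetry). Assumed line format:
# "<timestamp> <client-ip> query <hostname>"
SAMPLE_DNS_LOG = """\
2022-04-18T10:01:02Z 10.0.4.21 query updates.example.org
2022-04-18T10:01:05Z 10.0.4.21 query www.tokenais.com
2022-04-18T10:01:09Z 10.0.4.37 query notcryptais.com
2022-04-18T10:02:14Z 10.0.4.37 query esilet.com.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<host>\S+)$")

def scan_dns_log(text: str, indicators=TRADERTRAITOR_DOMAINS) -> list:
    """Return a list of (timestamp, source_ip, matched_domain) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        hit = matches_indicator(m.group("host"), indicators)
        if hit:
            hits.append((m.group("ts"), m.group("src"), hit))
    return hits

if __name__ == "__main__":
    for ts, src, domain in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {src} -> {domain}")
```

Note that "notcryptais.com" is deliberately not flagged: the suffix check requires a dot boundary, so only exact matches and true subdomains count as hits.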


The disclosure comes less than a week after the Treasury
Department attributed[6]
the cryptocurrency theft of Axie Infinity’s Ronin Network to the
Lazarus Group, sanctioning the wallet address used to receive the
stolen funds.

“North Korean state-sponsored cyber actors use[7] a full array of tactics
and techniques to exploit computer networks of interest, acquire
sensitive cryptocurrency-intellectual property, and gain financial
assets,” the agencies said.

“These actors will likely continue exploiting vulnerabilities of
cryptocurrency technology firms, gaming companies, and exchanges to
generate and launder funds to support the North Korean regime.”

References

  1. TraderTraitor (www.cisa.gov)
  2. Operation AppleJeus (thehackernews.com)
  3. SnatchCrypto (thehackernews.com)
  4. trojanized DeFi wallet apps (thehackernews.com)
  5. Manuscrypt (thehackernews.com)
  6. attributed (thehackernews.com)
  7. use (www.us-cert.cisa.gov)
