The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Treasury Department, warned of a new set of ongoing cyber attacks carried out by the Lazarus Group targeting blockchain companies.
Calling the activity cluster TraderTraitor, the infiltrations involve the North Korean state-sponsored advanced persistent threat (APT) actor striking entities operating in the Web3.0 industry since at least 2020.
Targeted organizations include cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).
The attack chains commence with the threat actor reaching out to victims via different communication platforms to lure them into downloading weaponized cryptocurrency apps for Windows and macOS, subsequently leveraging the access to propagate the malware across the network and conduct follow-on activities to steal private keys and initiate rogue blockchain transactions.
“Intrusions begin with a large number of spear-phishing messages sent to employees of cryptocurrency companies,” the advisory reads. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”
This is far from the first time the group has deployed custom malware to steal cryptocurrency. Other campaigns mounted by the Lazarus Group consist of Operation AppleJeus, SnatchCrypto, and, more recently, making use of trojanized DeFi wallet apps to backdoor Windows machines.
The TraderTraitor threat comprises a number of fake crypto apps that are based on open-source projects and claim to be cryptocurrency trading or price prediction software, only to deliver the Manuscrypt remote access trojan, a piece of malware previously tied to the group’s hacking campaigns against the cryptocurrency and mobile games industries.
The list of malicious apps is below –
- DAFOM (dafom[.]dev)
- TokenAIS (tokenais[.]com)
- CryptAIS (cryptais[.]com)
- AlticGO (alticgo[.]com)
- Esilet (esilet[.]com), and
- CreAI Deck (creaideck[.]com)
The disclosure comes less than a week after the Treasury Department attributed the cryptocurrency theft of Axie Infinity’s Ronin Network to the Lazarus Group, sanctioning the wallet address used to receive the stolen funds.
“North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets,” the agencies said.
“These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”