A new advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department (Treasury), highlights the cyberthreats associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020.
The Lazarus Group
APTs are defined as prolonged attacks on specific targets that aim to compromise their systems and to gain information from or about them. The Lazarus Group, aka APT38, is commonly believed to be run by the North Korean government. It is thought to conduct financial cybercrimes as a way to raise money for a regime that has few trading opportunities because of long-standing international sanctions.
These days, financial cybercrimes often involve Bitcoin and other cryptocurrencies. The CISA advisory warns that:
The US government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens
Since 2018, one of the Lazarus Group’s tactics has been to disguise AppleJeus malware as cryptocurrency trading platforms for both Windows and Mac. CISA warns that it uses these trojanized applications to gain access to victims’ computers, to spread other malware, to steal private keys, or to exploit other security gaps. All of this is done to create an environment where the group can initiate fraudulent cryptocurrency transactions.
Victims are lured into downloading the malware with a variety of social engineering tactics, including spearphishing.
Spearphishing is a targeted form of phishing that’s directed at and addressed to specific individuals. It uses personalization to convince victims that they are reading and responding to legitimate messages.
CISA reports that the Lazarus Group has been sending spearphishing messages to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps) roles—using a variety of communication platforms and social media. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malicious “TraderTraitor” malware disguised as cryptocurrency trading or price prediction tools.
TraderTraitor describes a series of malicious Electron applications that can download and execute malicious payloads, such as remote access trojans (RATs).
The advisory contains a lot of specific IOCs for the most recent campaigns, but if we have learned anything from the past behavior of the Lazarus APT group, it is that they will change many of them as soon as their current campaigns are outed. It is important, therefore, to apply the basic mitigation methods to counter this type of attack:
- Use patch management to stay on top of those security updates!
- Educate users on social engineering attacks like spearphishing.
- Enforce credential requirements and use multi-factor authentication.
- Use endpoint protection to detect exploits and stop malware.
- Watch out for third-party downloads—especially cryptocurrency applications.
- Create an incident response plan so you know how to respond to cyber-intrusions.
Stay safe, everyone!