North Korea’s state-sponsored APT TraderTraitor targets blockchain technology, cryptocurrency industry

U.S. agencies warned organizations in the blockchain technology and cryptocurrency industry, including critical infrastructure and financial sector entities, of cyber threats associated with cryptocurrency thefts and of the tactics used by a North Korean state-sponsored advanced persistent threat (APT) group. The U.S. government refers to the group’s trojanized applications as ‘TraderTraitor’ and has observed the activity since at least 2020. The group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.

The intrusions begin with a large number of spearphishing messages sent, over a variety of communication platforms, to employees of cryptocurrency companies, often those working in system administration or software development/IT operations (DevOps), the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) wrote in a joint cybersecurity advisory. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as ‘TraderTraitor,’” the advisory added.

In light of the TraderTraitor activity, critical infrastructure and financial sector organizations are urged to mitigate cyber threats to the blockchain technology and cryptocurrency industry by patching all systems, prioritizing known exploited vulnerabilities, training users to recognize and report phishing attempts, and adopting multi-factor authentication.

The advisory said that the current activity “involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or MacOS operating systems. The cyber hackers then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions,” it added.

The U.S. government has identified a group of North Korean state-sponsored malicious cyber actors using tactics similar to those of the previously identified Lazarus Group, which used AppleJeus trojanized cryptocurrency applications to target individuals and companies. Those campaigns reached cryptocurrency exchanges and financial services companies through the dissemination of cryptocurrency trading applications that were modified to include malware facilitating the theft of cryptocurrency.

“As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency,” the advisory said. These hackers will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime, it added.

The U.S. government has also previously published advisories about North Korean state-sponsored cyber actors stealing money from banks using custom malware. Last month, researchers at Cisco Talos observed attacks on targets in Turkey and other Asian countries that they attribute with high confidence to groups operating under the MuddyWater umbrella of APT groups. Those actors conduct campaigns against various industries, including national and local governments and ministries, universities, and private entities such as telecommunication providers.

Detailing the tactics, techniques and procedures (TTPs) used in the attacks, the advisory said that the term TraderTraitor describes a series of malicious applications written in cross-platform JavaScript that run on the Node.js runtime within the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.

The advisory said that the JavaScript code providing the core functions of the software is bundled with Webpack. Within the code is a function that purports to be an ‘update,’ with a name such as UpdateCheckSync(), that downloads and executes a malicious payload. The update function makes an HTTP POST request to a PHP script hosted on the TraderTraitor project’s domain. In recent variants, the server’s response is parsed as a JSON document containing a key-value pair; the key is used as an AES-256 key in Cipher Block Chaining (CBC) or Counter (CTR) mode to decrypt the value, it added.

The decrypted data is written as a file to the system’s temporary directory, as provided by the os.tmpdir() method of Node.js, and executed using the child_process.exec() method of Node.js, which spawns a shell as a child process of the current Electron application. The text ‘Update Finished’ is then logged to the shell for the user to see, the advisory added.

Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads, the advisory said. Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion.

The Office of the Director of National Intelligence (ODNI) said in a report last month that North Korea possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the U.S.

Last week, Symantec disclosed that the North Korea-linked APT group, Lazarus, has been conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of Lazarus activity dubbed ‘Operation Dream Job,’ initially observed in August 2020. Symantec tracks this sub-set of Lazarus activity under the name Pompilus.
