The prolific and rapacious Lazarus North Korean APT group is running an ongoing campaign targeting cryptocurrency investors, exchanges, trading companies, and blockchain organizations to gain access to valuable keys and other information, install malware, and steal funds and other data.
The campaign uses a number of tactics, including spear phishing, social engineering, and the installation of a new set of malicious applications called TraderTraitor that steal system data, install a remote access trojan, and perform other malicious activities. The Cybersecurity and Infrastructure Security Agency, FBI, and Department of Treasury issued a new advisory about the Lazarus Group campaign Tuesday and warned that the group is using cryptocurrency apps modified with the AppleJeus backdoor to gain a foothold on target machines.
“The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency,” the advisory says.
“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”
The Lazarus Group is one of the more aggressive and active APT groups and has been associated with some large thefts of cryptocurrency and other funds in the last few years. The group is tied to the North Korean government, and U.S. government agencies and security research teams have been investigating and exposing the Lazarus Group’s malware, techniques, and tactics for many years. CISA has exposed details of the group’s malware arsenal in the past, and last week the Department of State announced a reward of up to $5 million for information that helps disrupt the money laundering operations used to support malicious cyber activity by North Korean actors. U.S. officials also tied the Lazarus Group and APT38, another North Korean state-sponsored group, to a massive cryptocurrency heist last month.
“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29,” said the FBI in a statement last week. “The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK’s use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime.”
The recent TraderTraitor campaign uses several malicious tools, including multiple pieces of macOS malware that were signed with Apple developer certificates; all of those certificates have since been revoked. There are also several Windows-based tools used in the attacks, one of which masquerades as a cryptocurrency pricing and prediction tool. The CISA advisory warns that the crypto-focused activity from the Lazarus Group is unlikely to abate anytime soon.
“As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime,” the advisory says.