North Korean hackers target blockchain companies with malicious cryptocurrency apps

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory highlighting malicious activity associated with Lazarus Group, a well-known threat actor working on behalf of the North Korean government.

Since at least 2020, the group, also tracked as APT38, BlueNoroff, and Stardust Chollima, has been targeting organizations in the blockchain technology and cryptocurrency industry with trojanized cryptocurrency apps dubbed “TraderTraitor” in order to gain access to the victim’s computer, propagate malware across the victim’s network environment, steal private keys, or exploit other security issues.

“TraderTraitor” refers to a set of malicious applications written in cross-platform JavaScript, running on the Node.js runtime and packaged with the Electron framework. The malicious applications are based on a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor is distributed via professionally designed websites that advertise the alleged features of the applications.

The attacks involve spearphishing messages disguised as a lucrative job offer sent to employees of cryptocurrency companies working in system administration or software development/IT operations (DevOps). Once opened, these messages deliver the Manuscrypt remote access trojan, which collects system information and has the ability to execute arbitrary commands and download additional payloads.

“As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime,” the security agency said.