A joint cybersecurity advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department is warning about North Korea’s Lazarus APT targeting blockchain companies.
The advisory says Lazarus advanced persistent threat (APT) group targets cryptocurrency companies with trojanized Windows and macOS cryptocurrency applications.
The malicious apps steal private keys and exploit other security vulnerabilities to execute subsequent attacks and fraudulent transactions.
U.S. authorities linked Lazarus to Ronin’s $625 million worth of Ethereum and USDC theft. North Korean hackers have stolen at least $1.7 billion in cryptocurrency in the past few years.
Lazarus APT targets employees of blockchain companies with fake lucrative job offers
Lazarus APT uses various communication platforms to send a large number of spear-phishing messages to employees of cryptocurrency companies. It usually targets system administrators, software developers, or IT operations (DevOps).
“The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as ‘TraderTraitor.’ The campaign closely resembles the ‘Operation Dream Job’ detailed by an Israeli cybersecurity firm.
According to CISA, the Lazarus campaign distributes apps developed in JavaScript programming language targeting the Node.js runtime environment using the cross-platform Electron framework. The apps are forked from various open-source cryptocurrency projects. Apple revoked the developer certificates used to sign apps targeting the macOS ecosystem.
“In order to increase the likelihood of success, attackers target users across both mobile devices and cloud platforms,” Hank Schless, Senior Manager, Security Solutions at Lookout, said. “For example, at Lookout, we discovered almost 200 malicious cryptocurrency apps on the Google Play Store. Most of these applications advertised themselves as mining services in order to entice users to download them.”
CISA discovered that Lazarus APT deploys various TradeTraitor variants such as Dafom, TokenAIS, CryptAIS, CreAI Deck, AlticGO, and Esilet.
They promise various crypto-related services such as real-time price prediction, portfolio building, AI-based trading, artificial intelligence, and deep learning.
Lazarus APT advertises the trojans through websites with modern designs, perhaps to convince victims of their usability.
“This campaign combines multiple popular trends into an attack,” Tim Erlin, VP of Strategy at Tripwire, said. “The alert from CISA describes a spear-phishing campaign that leverages the hot job market to entice users into downloading malicious cryptocurrency software.”
The threat group casts a wide net targeting all types of blockchain companies. According to the joint advisory, Lazarus APT targets cryptocurrency trading companies, decentralized finance (DeFi) platforms, play-to-earn cryptocurrency video games, cryptocurrency venture capital firms, and owners of significant cryptocurrency assets or non-fungible tokens (NFTs).
“Non-fungible tokens (NFTs) have been in existence since 2014; however, perhaps entered the cultural mainstream in 2021. The hype surrounding NFTs will, however, invariably coincide with interest from cyber threat actors,” noted Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows.
How to protect blockchain companies from Lazarus APT
U.S. agencies published a comprehensive list of tactics, techniques and procedures (TTPs) and indicators of compromise (IoC) associated with Lazarus APT. They advised blockchain companies to apply various mitigations to minimize Lazarus APT’s threat to the cryptocurrency industry.
According to CISA, blockchain companies should implement security strategies such as least access models and defense-in-depth.
Schless said that blockchain companies should prevent their employees from becoming launchpads for crypto-heist attacks.
“Crypto platform providers need to ensure that their employees are protected and don’t become conduits for cybercriminals to make their way into the infrastructure,” Schless continued. “Employees are constantly targeted by mobile phishing and other attacks that would give a cybercriminal a backstage pass to the company’s infrastructure.”
According to John Bambenek, Principal Threat Hunter at Netenrich, the North Korean threat will persist for the foreseeable future.
“North Korea has been focused on cryptocurrency threats for years because they are a highly-sanctioned country, and this lets them acquire assets they can use to further their governmental objectives,” Bambenek said. “This will continue until North Korea becomes a respectable member of the international community or the sweet meteor of death finally comes and ends all life on earth. The latter is the more accurate scenario.”