Tuesday, November 12, 2024
HomeCyber AttackLazarus Group Targeting Organizations in the Cryptocurrency and Blockchain

Lazarus Group Targeting Organizations in the Cryptocurrency and Blockchain

Published on

Malware protection

The FBI, CISA, and the U.S. Department of Treasury have issued a joint statement about the cryptocurrency theft and the tactics used by the North Korean State-Sponsored APT hacker group since 2020.

This group is commonly known as the Lazarus group, APT 38, Stardust Chollima, and BlueNoroff.

Several organizations relating to cryptocurrency, blockchain, DeFi, Play-to-earn cryptocurrency video games, trading companies, venture capital funds, and valuable non-fungible token holders (NFTs) were targeted.

- Advertisement - SIEM as a Service

The attack vector was based on social engineering through various communication platforms and making the victims install trojans in their systems in the name of cryptocurrency applications.

Once the application is installed, the threat actors gain access to the victim’s environment and steal private keys or exploit security gaps. Following these, they also initiate fraudulent blockchain transactions. 

AppleJeus was one of the malware used by these North Korean hackers to steal cryptocurrency. Other malware used for stealing money from banks were

  • HIDDEN COBRA – FASTCash Campaign
  • FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks

Technical Details

The U.S Government has noticed a group of North Korean State-Sponsored threat actors using the same methods and tactics that were used by the previous Lazarus group that was using AppleJeus malware.

The previous Lazarus group targeted individuals and companies related to cryptocurrency exchanges and other financial services. They distributed the malware by dissemination of cryptocurrency trading applications that had embedded trojans resulting in the theft of cryptocurrency. The report by CISA stated that,

As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.

Tactics, Techniques, and Procedures (TTP)

The attack was started by targeting employees working in cryptocurrency companies in a position like a system administrator or other development operations position.

A large number of spear-phishing messages were sent to the employees stating about a recruitment effort and to guide them to download cryptocurrency applications that contain the malware. This was referred to as “TradeTraitor” by the U.S. government.

The JS code that has the core functionalities is bundled as a Webpack. The code has a function that states to be an “Update” with the name “UpdateCheckSync()”. However, this function is responsible for downloading and executing the malicious payload.

This UpdateCheckSync() function initiates an HTTP POST request to a PHP script that is hosted on the TradeTraitor project’s domain. The request hits the endpoint at either /update/ or /oath/checkupdate.php .

In the recent versions, the response from the server is parsed as a JSON document with a key-value pair. This key is used as an AES 256 encryption key which is decrypted in Counter (CTR) mode or Cipher Block Chaining (CBC) mode.

The decrypted value is then written to a file and saved in the temporary directory. This is done with the help of os.tmpdir() method of Node.js. The file is then executed using the child_process.exec() which spawns a shell. The terminal is posted with a text “Update finished” to notify the user.

The payloads that were observed for macOS and Windows variants of Manuscrypt, a Remote Access Trojan (RAT). This trojan collects information and executes arbitrary commands.

It can also download additional payloads. After compromising the systems, activities by the threat actors are based upon the victim’s environment and are completed within a week’s time.

The CISA has published several Indicators of Compromise and Mitigation steps to prevent these hackers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...