LAZARUS APT Using TraderTraitor Malware to Target Blockchain Orgs, Users

Lazarus APT group is backed by the North Korean government and is currently targeting organizations and unsuspecting users in the cryptocurrency and blockchain industry with trojanized crypto applications.

The Federal Bureau of Investigation (FBI), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department jointly released an advisory to warn cryptocurrency and blockchain organizations about a notorious phishing campaign by the Lazarus APT hacking group.

The key targets of hackers are cryptocurrency exchanges, investors, trading firms, and blockchain organizations. North Korea reportedly sponsors this currently active campaign to gain access to systems to facilitate fake trades, steal funds, data, and valuable keys, and install malware.

It is worth noting that in the last couple of years, North Korean hackers have been accused of stealing over $1.7 billion worth of funds from different cryptocurrencies. Experts believe North Korean hackers are keeping the stolen funds as a long-term investment.

Campaign Details

The attack begins with the hackers sending a large number of phishing emails to the targeted company’s employees. The recipients are lured with offers of better job opportunities, a tactic frequently used by the Lazarus APT, and are urged to open applications that appear to be cryptocurrency trading and price estimation tools for Windows and macOS.

However, according to CISA’s advisory, these applications are actually loaded with TraderTraitor malware. Once the payload is opened, the hackers can execute commands and deliver additional malware to gain access to the victim’s computer and the company network.

Some applications trojanized with TraderTraitor include TokenAIS, CryptAIS, and Esilet. These apps are cross-platform, Electron-based utilities built on the Node.js JavaScript runtime environment.

Attack Tactics

Lazarus APT has used various tactics to make this campaign successful, such as spear phishing and social engineering. The group also installs a set of malicious apps containing TraderTraitor malware, which can steal system data and information, install a remote access trojan, and conduct other malicious activities.

According to CISA, the Lazarus group uses cryptocurrency applications modified with the AppleJeus backdoor to maintain a foothold on targeted devices.

About Lazarus

The Lazarus Group is arguably one of the most active and dangerous Advanced Persistent Threat (APT) groups associated with high-profile campaigns and theft of massive sums of cryptocurrency and other funds.

The group is backed by the North Korean government’s Reconnaissance General Bureau (RGB). The US security agencies have been investigating the group’s attack tactics and techniques for many years.

Last week, the US Department of State announced a reward of up to $5 million for tips that could help disrupt North Korean hackers’ money laundering operations, and the US imposed sanctions on the Lazarus Group for its involvement in the theft of $650 million from the Ronin network. The network connects the Ethereum blockchain with the Axie Infinity video game.

More Lazarus News on Hackread.com

  1. US-Cert warns of North Korean BLINDINGCAN malware
  2. Lazarus hackers suspected of targeting Indian space agency
  3. Lazarus hackers use Magecart attack to steal card data from EU, US sites
  4. Lazarus Group is back, targeting Banks & Bitcoin users with a phishing scam
  5. Elite North Koreans aren’t opposed to exploiting the internet for financial gain