Lazarus is back, targeting organizations with cryptocurrency thefts via TraderTraitor malware
For the detailed advisory, download the PDF file here.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) have issued a joint Cybersecurity Advisory (CSA) to make organizations in the blockchain technology and cryptocurrency industry aware of a cyber threat: cryptocurrency theft and phishing campaigns carried out by the Lazarus Group, a North Korean state-sponsored advanced persistent threat (APT) group.
The attack begins with thousands of phishing emails sent to individuals at the targeted firm. The recipients are lured with attractive job opportunities – a common tactic the Lazarus APT uses to convince individuals to download trojanized cryptocurrency applications for Windows or macOS. The trojanized applications, which include TokenAIS, CryptAIS, and Esilet, are loaded with the TraderTraitor malware. These apps are cross-platform, Electron-based utilities built on the Node.js and JavaScript runtime environments. Once the payload executes, the attacker gains access to the victim's computer and the company network, executing commands and delivering additional malware.
The MITRE ATT&CK TTPs used by Lazarus are:
TA0001: Initial Access
TA0005: Defense Evasion
TA0002: Execution
TA0040: Impact
TA0004: Privilege Escalation
TA0006: Credential Access
TA0009: Collection
TA0003: Persistence
T1204: User Execution
T1553: Subvert Trust Controls
T1566: Phishing
T1566.002: Spearphishing Link
T1059: Command and Scripting Interpreter
T1059.007: Command and Scripting Interpreter: JavaScript
T1496: Resource Hijacking
T1134: Access Token Manipulation
T1110: Brute Force
T1140: Deobfuscate/Decode Files or Information
T1113: Screen Capture
T1543: Create or Modify System Process
T1486: Data Encrypted for Impact
Actor Details
Indicators of Compromise (IoCs)
References