Lazarus hackers are using malicious cryptocurrency apps, FBI warns

North Korea
(Image credit: Etereuti / Pixabay)

People working in cryptocurrency businesses are being targeted by Lazarus, a well-known threat actor with strong ties to the government of North Korea, law enforcement groups have warned.

The CISA, the FBI, and the US Treasury Department have banded together to issue a warning to firms in the cryptocurrency industry, urging them to be on their guard.

According to the warning, Lazarus is looking to infect endpoints in crypto firms with trojans, in order to try and drain them of their funds.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Multiple fake apps being distributed

As usual, the attacks start by threat actors assuming the identity of someone close, or of interest, to the victim.

“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms," it says in the warning.

"The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as TraderTraitor."

TraderTraitor, it was said, is an Electron-based, cross-platform utility built on JavaScript and the Node.js runtime environment. Depending on the device it targets, TraderTraitor can carry different variants of a Remote Access Trojan (RAT) called Manuscrypt.

"Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads," the federal agencies added.

There are multiple apps that are being referred to, by the security agencies, as TraderTraitor: DAFOM (cryptocurrency portfolio application for macOS), TokenAIS (portfolio builder for AI-based crypto trading for macOS), CryptAIS (portfolio builder for AI-based crypto trading for macOS), AlticGO (crypto price tracker and predictor for Windows), Esilet (crypto price tracker and predictor for macOS), and CreAI Deck (AI and deep learning platform for Windows and macOS).

Crypto companies are under a constant barrage of cyberattacks. Only recently, a flaw in the operations of Beanstalk Farms, a stablecoin protocol, has allowed an unknown threat actor to siphon $182 million from the network.

Before that, hundreds of millions of dollars in cryptocurrency were stolen after the Ronin Network, which provides the blockchain "bridge" that powers NFT game Axie Infinity, was compromised.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.