North Korean Lazarus is targeting organizations in the cryptocurrency and blockchain industries

The attackers use social engineering to trick employees of cryptocurrency companies into downloading and running malicious Windows and macOS cryptocurrency apps.

CISA, the FBI, and the US Treasury Department warned today that the North Korean Lazarus hacking group is targeting organizations in the cryptocurrency and blockchain industries with trojanized cryptocurrency applications.
Who and what is Lazarus Group?

Lazarus Group (also known by other monikers such as Guardians of Peace or Whois Team) is a cybercrime group made up of an unknown number of individuals run by the North Korean state. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to the intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include HIDDEN COBRA (used by the United States Intelligence Community to refer to malicious cyber activity by the North Korean government in general) and Zinc (by Microsoft).

The Lazarus Group has strong links to North Korea. The United States Federal Bureau of Investigation says that the Lazarus Group is a North Korean "state-sponsored hacking organization". According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
From Wikipedia

The Lazarus operators then use these trojanized tools to gain access to the targets' computers, spread malware throughout their networks, and steal private keys that allow initiating fraudulent blockchain transactions and stealing the victims' crypto assets from their wallets.

"Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms," a joint advisory published on Monday reads.

"The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as TraderTraitor."

The trojanized TraderTraitor applications are Electron-based and cross-platform utilities developed using JavaScript and the Node.js runtime environment.

TraderTraitor apps are almost always pushed via websites featuring modern design advertising the fake crypto apps' alleged features.

"Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads," the federal agencies added.

Among the malicious TraderTraitor cryptocurrency apps used in these campaigns, the joint advisory highlights:

  • DAFOM: a "cryptocurrency portfolio application" (macOS)
  • TokenAIS: claims to help "build a portfolio of AI-based trading" for cryptocurrencies (macOS)
  • CryptAIS: claims to help "build a portfolio of AI-based trading" (macOS)
  • AlticGO: claims to offer live cryptocurrency prices and price predictions (Windows)
  • Esilet: claims to offer live cryptocurrency prices and price predictions (macOS)
  • CreAI Deck: claims to be a platform for "artificial intelligence and deep learning" (Windows and macOS)

Apps trojanized in Lazarus's earlier AppleJeus campaign include Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, and Ants2Whale.
