CISA, the FBI and the US Treasury Department warned today that North Korean hacking group Lazarus is targeting cryptocurrency and blockchain industry organizations with trojanized cryptocurrency applications.
The attackers use social engineering to trick employees of cryptocurrency companies into downloading and running malicious Windows and macOS cryptocurrency apps.
The Lazarus operators then use these trojanized tools to gain access to the targets’ computers, spread malware through their networks and steal private keys that can be used to initiate fraudulent blockchain transactions and drain the victims’ crypto assets from their wallets.
“Breaches start with a large number of spearphishing messages sent to employees of cryptocurrency companies — often working in systems administration or software development/IT operations (DevOps) — on various communication platforms,” reads a joint advisory published Monday.
“The messages often mimic a recruiting effort and offer high-paying jobs to entice recipients to download malware-laced cryptocurrency applications, which the US government calls TraderTraitor.”
The trojanized TraderTraitor applications are Electron-based and cross-platform utilities developed using JavaScript and the Node.js runtime environment.
TraderTraitor apps are almost always pushed through modern-looking websites that promote the alleged features of the fake crypto apps.
CryptAIS website (CISA)
“Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), which collects system information and has the ability to execute arbitrary commands and download additional payloads,” the federal agencies added.
Among the malicious TraderTraitor cryptocurrency apps used in these campaigns, the joint advisory highlights:
DAFOM: A “cryptocurrency portfolio application” (macOS)
TokenAIS: Claims to help “build a portfolio of AI-based trading” for cryptocurrencies (macOS)
CryptAIS: Claims to help “build a portfolio of AI-based trading” (macOS)
AlticGO: Claims to provide live cryptocurrency prices and price predictions (Windows)
Esilet: Claims to offer live cryptocurrency prices and price predictions (macOS)
CreAI Deck: Claims to be a platform for “artificial intelligence and deep learning” (Windows and macOS)
Last year, the FBI, CISA and the US Treasury Department also shared information about malicious and bogus crypto trading applications injected with AppleJeus malware used by Lazarus to steal cryptocurrency from individuals and companies around the world.
The list of apps that have been trojaned with AppleJeus includes Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, and Ants2Whale.
The US Department of Justice has indicted three members of the Lazarus Group for stealing $1.3 billion in cash and cryptocurrency in multiple attacks on banks, the entertainment industry, cryptocurrency companies and other organizations around the world.
In 2019, a confidential report from the United Nations also said North Korean operators have stolen an estimated $2 billion in at least 35 cyber attacks on banks and crypto exchanges in more than a dozen countries.
In the same year, the US Treasury Department sanctioned three North Korean hacking groups (Lazarus Group, Bluenoroff, and Andariel) for funneling the financial assets they stole in cyber-attacks to the North Korean government.
This post, US Warns Against Lazarus Hackers Using Malicious Cryptocurrency Apps, was originally published at “https://www.bleepingcomputer.com/news/security/us-warns-of-lazarus-hackers-using-malicious-cryptocurrency-apps/”