{"id":7897,"date":"2022-07-19T14:29:54","date_gmt":"2022-07-19T21:29:54","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7897"},"modified":"2022-07-12T14:41:13","modified_gmt":"2022-07-12T21:41:13","slug":"lazarus-group-targets-financial-services-and-cryptocurrency-sector","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/lazarus-group-targets-financial-services-and-cryptocurrency-sector\/","title":{"rendered":"Lazarus Group Targets Financial Services and Cryptocurrency Sector"},"content":{"rendered":"

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) issued another joint Cybersecurity Advisory (CSA) focused on the cyber threat associated with cryptocurrency thefts and tactics. This advisory is specific to those tactics and techniques used by a North Korean state-sponsored advanced persistent threat (APT) group since 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.\u00a0<\/span><\/p>\n

The advisory has noted that North Korean cyber actors are targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).\u00a0<\/span><\/p>\n

The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim\u2019s computer, propagate malware across the victim\u2019s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.<\/span><\/p>\n

Intrusions begin with numerous spearphishing messages sent to employees of cryptocurrency companies. These employees are often working in system administration or software development\/IT operations (DevOps) and are using a variety of communication platforms. The messages often appear as a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications. These are referred to by the U.S. government as “TraderTraitor.” The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.<\/span><\/p>\n

The advisory suggests several mitigations to protect potentially targeted organizations in infrastructure, the financial sector, and in the blockchain and cryptocurrency industry. These mitigations include:<\/span><\/p>\n