CISA, FBI, and the US Treasury Department recently released a joint advisory on TraderTraitor, a Lazarus group campaign targeting blockchain companies.
What is TraderTraitor?
According to the advisory, North Korean threat actor groups have been targeting cryptocurrency since at least 2020, with most of the activity perpetrated by Lazarus Group. Victims have included cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable NFTs.
Most of the targeted victims held system administrator or DevOps roles. Once the malicious program was installed, the threat actors gained access to the victim’s computer, spread malware across the victim’s network environment, exploited multiple security gaps, and stole information, including credentials. Ultimately, the threat actors sought to initiate fraudulent blockchain transactions.
Who is Lazarus Group?
Lazarus Group, also known as Dark Seoul, Labyrinth Chollima, and APT38, is a state-sponsored threat actor group likely affiliated with North Korea’s Reconnaissance General Bureau. The group’s members are reportedly trained in Shenyang, China, in malware and espionage operations. Lazarus is known for espionage, disruptive activity, and financially motivated attacks. Other known Lazarus TTPs include DDoS attacks, wiper malware, botnets, keyloggers, and RATs.
The group’s first known activity was Operation Troy, an espionage campaign targeting the South Korean government as early as 2009. Lazarus Group’s espionage activity is in line with the North Korean government’s intelligence collection requirements, targeting South Korea, the US, and other nations. Lazarus is thought to be responsible for the 2014 Sony Pictures attack and the 2017 WannaCry ransomware campaign. Lazarus has also targeted banks in Ecuador, Vietnam, Bangladesh, Mexico, Poland, and Taiwan.
PolySwarm has multiple samples associated with the TraderTraitor campaign.
You can use the following CLI command to search for all TraderTraitor samples in our portal:
$ polyswarm link list -f TraderTraitor