Background
CISA, FBI, and the US Treasury Department recently released a joint advisory on TraderTraitor, a Lazarus group campaign targeting blockchain companies.
What is TraderTraitor?
According to the advisory, North Korean threat actor groups have been targeting cryptocurrency since at least 2020, with most of the activity perpetrated by Lazarus Group. Victims have included cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable NFTs.
Lazarus Group used a trojanized cryptocurrency application, dubbed AppleJeus, in a previous campaign targeting cryptocurrency. In the most recent campaign, TTPs included spearphishing, social engineering the victims, and coaxing them to download trojanized cryptocurrency applications belonging to the TraderTraitor family of malware. TraderTraitor is written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. In the advisory, the agencies identified multiple trojanized applications used in the campaign. These include DAFOM, TokenAIS, CryptAIS, AlticGo, Esilet, and CreAI Deck. Observed payloads included new Mac and Windows versions of the Manuscrypt RAT. Manuscrypt collects system information and can execute arbitrary commands and download additional payloads.
Most of the victims who were targeted held system administrator or DevOps roles. Following the installation of the malicious program, the threat actors obtained access to the victim’s computer, spread malware across the victim’s network environment, exploited multiple security gaps, and stole information, including credentials. Ultimately the threat actors sought to initiate fraudulent blockchain transactions.
Who is Lazarus Group?
Lazarus group, also known as Dark Seoul, Labyrinth Chollima, and APT 38, is a state-sponsored threat actor group likely affiliated with North Korea’s Reconnaissance General Bureau. The group’s members are reportedly trained in Shenyang, China in malware and espionage operations. Lazarus is known for espionage activity, disruptive activity, and financially motivated attacks. Other known Lazarus TTPs include DDoS attacks, wiper malware, botnets, keyloggers, and RATs.
The group’s first known activity was Operation Troy, an espionage campaign targeting the South Korean government as early as 2009. Lazarus group’s espionage activity is in line with intelligence collection requirements for the North Korean government, targeting South Korea, the US, and other nations. Lazarus is thought to be responsible for the 2014 Sony Pictures attack and the 2017 WannaCry ransomware campaign. Lazarus has also targeted banks in Ecuador, Vietnam, Bangladesh, Mexico, Poland, and Taiwan.
IOCs
PolySwarm has multiple samples associated with the TraderTraitor campaign.
867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36
89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957
9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa
dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156
You can use the following CLI command to search for all TraderTraitor samples in our portal: $ polyswarm link list -f TraderTraitor
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
Topics:
Threat Bulletin,
North Korea,
Lazarus Group,
TraderTraitor,
Cryptocurrency