Tuesday, December 17, 2024
HomeCyber AttackLazarus Group Targeting Organizations in the Cryptocurrency and Blockchain

Lazarus Group Targeting Organizations in the Cryptocurrency and Blockchain

Published on

SIEM as a Service

The FBI, CISA, and the U.S. Department of Treasury have issued a joint statement about the cryptocurrency theft and the tactics used by the North Korean State-Sponsored APT hacker group since 2020.

This group is commonly known as the Lazarus group, APT 38, Stardust Chollima, and BlueNoroff.

Several organizations relating to cryptocurrency, blockchain, DeFi, Play-to-earn cryptocurrency video games, trading companies, venture capital funds, and valuable non-fungible token holders (NFTs) were targeted.

- Advertisement - SIEM as a Service

The attack vector was based on social engineering through various communication platforms and making the victims install trojans in their systems in the name of cryptocurrency applications.

Once the application is installed, the threat actors gain access to the victim’s environment and steal private keys or exploit security gaps. Following these, they also initiate fraudulent blockchain transactions. 

AppleJeus was one of the malware used by these North Korean hackers to steal cryptocurrency. Other malware used for stealing money from banks were

  • HIDDEN COBRA – FASTCash Campaign
  • FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks

Technical Details

The U.S Government has noticed a group of North Korean State-Sponsored threat actors using the same methods and tactics that were used by the previous Lazarus group that was using AppleJeus malware.

The previous Lazarus group targeted individuals and companies related to cryptocurrency exchanges and other financial services. They distributed the malware by dissemination of cryptocurrency trading applications that had embedded trojans resulting in the theft of cryptocurrency. The report by CISA stated that,

As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.

Tactics, Techniques, and Procedures (TTP)

The attack was started by targeting employees working in cryptocurrency companies in a position like a system administrator or other development operations position.

A large number of spear-phishing messages were sent to the employees stating about a recruitment effort and to guide them to download cryptocurrency applications that contain the malware. This was referred to as “TradeTraitor” by the U.S. government.

The JS code that has the core functionalities is bundled as a Webpack. The code has a function that states to be an “Update” with the name “UpdateCheckSync()”. However, this function is responsible for downloading and executing the malicious payload.

This UpdateCheckSync() function initiates an HTTP POST request to a PHP script that is hosted on the TradeTraitor project’s domain. The request hits the endpoint at either /update/ or /oath/checkupdate.php .

In the recent versions, the response from the server is parsed as a JSON document with a key-value pair. This key is used as an AES 256 encryption key which is decrypted in Counter (CTR) mode or Cipher Block Chaining (CBC) mode.

The decrypted value is then written to a file and saved in the temporary directory. This is done with the help of os.tmpdir() method of Node.js. The file is then executed using the child_process.exec() which spawns a shell. The terminal is posted with a text “Update finished” to notify the user.

The payloads that were observed for macOS and Windows variants of Manuscrypt, a Remote Access Trojan (RAT). This trojan collects information and executes arbitrary commands.

It can also download additional payloads. After compromising the systems, activities by the threat actors are based upon the victim’s environment and are completed within a week’s time.

The CISA has published several Indicators of Compromise and Mitigation steps to prevent these hackers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyber Criminals Exploit Windows Management Console to Deliver Backdoor Payloads

A recent campaign dubbed FLUX#CONSOLE has come to light, leveraging Microsoft Common Console Document (.MSC) files...

Texas Tech Systems Breach, Hackers Accessed System Folders & Files

The Texas Tech University Health Sciences Center (TTUHSC) and Texas Tech University Health Sciences...

Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers

Malicious actors have taken cybercrime to new heights by exploiting captcha verification pages, a...

Hitachi Authentication Bypass Vulnerability Allows Attackers to Hack the System Remotely

Critical Authentication Bypass Vulnerability Identified in Hitachi Infrastructure Analytics Advisor and Ops Center Analyzer.A...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Cyber Criminals Exploit Windows Management Console to Deliver Backdoor Payloads

A recent campaign dubbed FLUX#CONSOLE has come to light, leveraging Microsoft Common Console Document (.MSC) files...

Texas Tech Systems Breach, Hackers Accessed System Folders & Files

The Texas Tech University Health Sciences Center (TTUHSC) and Texas Tech University Health Sciences...

Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers

Malicious actors have taken cybercrime to new heights by exploiting captcha verification pages, a...