The FBI, CISA, and the U.S. Department of Treasury have issued a joint statement about the cryptocurrency theft and the tactics used by the North Korean State-Sponsored APT hacker group since 2020.
This group is commonly known as the Lazarus group, APT 38, Stardust Chollima, and BlueNoroff.
Several organizations relating to cryptocurrency, blockchain, DeFi, Play-to-earn cryptocurrency video games, trading companies, venture capital funds, and valuable non-fungible token holders (NFTs) were targeted.
The attack vector was based on social engineering through various communication platforms and making the victims install trojans in their systems in the name of cryptocurrency applications.
Once the application is installed, the threat actors gain access to the victim’s environment and steal private keys or exploit security gaps. Following these, they also initiate fraudulent blockchain transactions.
AppleJeus was one of the malware used by these North Korean hackers to steal cryptocurrency. Other malware used for stealing money from banks were
- HIDDEN COBRA – FASTCash Campaign
- FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks
The U.S Government has noticed a group of North Korean State-Sponsored threat actors using the same methods and tactics that were used by the previous Lazarus group that was using AppleJeus malware.
The previous Lazarus group targeted individuals and companies related to cryptocurrency exchanges and other financial services. They distributed the malware by dissemination of cryptocurrency trading applications that had embedded trojans resulting in the theft of cryptocurrency. The report by CISA stated that,
“As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”
Tactics, Techniques, and Procedures (TTP)
The attack was started by targeting employees working in cryptocurrency companies in a position like a system administrator or other development operations position.
A large number of spear-phishing messages were sent to the employees stating about a recruitment effort and to guide them to download cryptocurrency applications that contain the malware. This was referred to as “TradeTraitor” by the U.S. government.
The JS code that has the core functionalities is bundled as a Webpack. The code has a function that states to be an “Update” with the name “UpdateCheckSync()”. However, this function is responsible for downloading and executing the malicious payload.
This UpdateCheckSync() function initiates an HTTP POST request to a PHP script that is hosted on the TradeTraitor project’s domain. The request hits the endpoint at either /update/ or /oath/checkupdate.php .
In the recent versions, the response from the server is parsed as a JSON document with a key-value pair. This key is used as an AES 256 encryption key which is decrypted in Counter (CTR) mode or Cipher Block Chaining (CBC) mode.
The decrypted value is then written to a file and saved in the temporary directory. This is done with the help of os.tmpdir() method of Node.js. The file is then executed using the child_process.exec() which spawns a shell. The terminal is posted with a text “Update finished” to notify the user.
The payloads that were observed for macOS and Windows variants of Manuscrypt, a Remote Access Trojan (RAT). This trojan collects information and executes arbitrary commands.
It can also download additional payloads. After compromising the systems, activities by the threat actors are based upon the victim’s environment and are completed within a week’s time.
The CISA has published several Indicators of Compromise and Mitigation steps to prevent these hackers.