People working in cryptocurrency firms are being targeted by Lazarus, a well-known threat actor with close ties to North Korea’s government, law enforcement groups have warned.
CISA, the FBI and the US Treasury Department have banded together to issue a warning to companies in the cryptocurrency industry, urging them to be on their guard.
According to the warning, Lazarus seeks to infect crypto firms’ endpoints with Trojans, in an attempt to drain them of their funds.
Several fake applications distributed
As usual, attacks begin with threat actors assuming the identity of someone close to or of interest to the victim.
“The intrusions begin with a large number of spear-phishing messages sent to employees of cryptocurrency companies – often working in system administration or software development/IT operations (DevOps) – on a variety of communication platforms,” reads the warning.
“The messages often mimic a recruiting effort and offer high-paying jobs to trick recipients into downloading cryptocurrency apps containing malware, which the US government calls TraderTraitor.”
“Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access Trojan (RAT), which collects system information and has the ability to execute arbitrary commands and download additional payloads,” the federal agencies added.
Security agencies refer to several apps as TraderTraitor: DAFOM (cryptocurrency wallet app for macOS), TokenAIS (wallet maker for AI-based crypto trading for macOS), CryptAIS (wallet maker for AI-based crypto trading for macOS), AlticGO (crypto price tracker and predictor for Windows), Esilet (crypto price tracker and predictor for macOS) and CreAI Deck (AI and deep learning platform for Windows and macOS).
Crypto companies experience a constant barrage of cyberattacks. It was only recently that a flaw in the operations of Beanstalk Farms, a stablecoin protocol, allowed an unknown malicious actor to siphon $182 million from the network.
Prior to this, hundreds of millions of dollars in cryptocurrency were stolen after the Ronin Network, which provides the blockchain “bridge” that powers the NFT game Axie Infinity, was compromised.