North Korean state-sponsored hackers are spear-phishing employees of cryptocurrency companies to gain access to systems from which they can make fraudulent trades, according to a joint advisory from CISA, the FBI and the U.S. Treasury Department that names the activity TraderTraitor.
The campaign begins with a high volume of spear-phishing messages, usually sent by email, that offer the recipient a better job, a lure the North Korean Lazarus Group has used many times before. The messages urge targets to download and run trojanized applications that pose as cryptocurrency trading or price-prediction tools.
Once the malicious application is installed, the attackers can execute commands on the host and deliver additional malware, giving them a foothold on the victim's computer and a path to move laterally across the company's network. The end goal is to steal private keys or exploit other security gaps that let the attackers initiate fraudulent blockchain transactions.
The warning follows updated sanctions last week against the Lazarus Group over its links to the recent $650 million hack of the Ronin network, which connects the popular Axie Infinity video game to the Ethereum blockchain. The U.S. government has linked the advanced persistent threat (APT) group to North Korea's Reconnaissance General Bureau (RGB).
Researchers attributed a similar campaign to the Lazarus Group last year, though the two campaigns do not appear to share any indicators of compromise. The indicators published for TraderTraitor include the application names TokenAIS, CryptAIS and Esilet.
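As an added example (not code from the advisory or this article), the script below shows how a defender would sweep an endpoint inventory for those lure application names. Only the three names come from the page; the inventory record format, the host names and the file paths are constructed here for illustration. Because a lure arrives as an installer or an app bundle, the matcher normalizes paths, extensions and version or installer suffixes so that a download such as `TokenAIS-1.2.0-setup.exe` still matches. A file name is the weakest indicator an attacker has to change, so treat a hit as a lead to pivot on (who received the job offer, what the process connected to), not as a verdict on its own.

```python
"""Hunt for TraderTraitor lure application names in an endpoint inventory.

Added example, not from the advisory. The three application names are the
indicators quoted on the page; everything else (record layout, hosts, paths)
is an assumption made up for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Application names the advisory lists as TraderTraitor indicators.
TRADERTRAITOR_APP_NAMES = ("TokenAIS", "CryptAIS", "Esilet")


@dataclass(frozen=True)
class Hit:
    host: str        # endpoint the artifact was seen on
    source: str      # where it came from: process, download, installed_app
    artifact: str    # the original string that matched
    indicator: str   # which advisory application name it matched


def normalize(artifact: str) -> str:
    """Reduce a path or app name to a lower-case alphanumeric token.

    'C:\\Users\\x\\Downloads\\TokenAIS-1.2.0-setup.exe' -> 'tokenais120setup'
    '/Applications/CryptAIS.app/Contents/MacOS/CryptAIS' -> 'cryptais'
    """
    base = artifact.replace("\\", "/").rsplit("/", 1)[-1]      # file name only
    base = re.sub(r"\.(app|exe|dmg|pkg|msi|zip)$", "", base, flags=re.IGNORECASE)
    return re.sub(r"[^a-z0-9]", "", base.lower())


def hunt(records):
    """Return a Hit for every inventory record whose artifact contains an indicator."""
    needles = {name: normalize(name) for name in TRADERTRAITOR_APP_NAMES}
    hits = []
    for rec in records:
        token = normalize(rec["artifact"])
        for name, needle in needles.items():
            if needle in token:
                hits.append(Hit(rec["host"], rec["source"], rec["artifact"], name))
    return hits


def summarize_by_host(hits):
    """Map host -> sorted list of distinct indicators seen there, for triage."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h.host].add(h.indicator)
    return {host: sorted(names) for host, names in by_host.items()}


# Constructed sample inventory (hosts and paths are invented; not real telemetry).
SAMPLE_INVENTORY = [
    {"host": "ws-trading-07", "source": "process",
     "artifact": "/Applications/CryptAIS.app/Contents/MacOS/CryptAIS"},
    {"host": "ws-ops-12", "source": "download",
     "artifact": "C:\\Users\\jlee\\Downloads\\TokenAIS-1.2.0-setup.exe"},
    {"host": "ws-ops-12", "source": "process",
     "artifact": "C:\\Users\\jlee\\AppData\\Local\\Programs\\TokenAIS\\TokenAIS.exe"},
    {"host": "ws-dev-03", "source": "installed_app", "artifact": "Esilet"},
    {"host": "ws-dev-03", "source": "process", "artifact": "/usr/bin/node"},
    {"host": "ws-trading-07", "source": "installed_app", "artifact": "Slack.app"},
    # Near miss: shares a prefix with TokenAIS but is not the indicator.
    {"host": "ws-ops-12", "source": "installed_app", "artifact": "TokenAnalytics.exe"},
]


if __name__ == "__main__":
    for host, names in sorted(summarize_by_host(hunt(SAMPLE_INVENTORY)).items()):
        print(f"{host}: {', '.join(names)}")
```

Run against a real inventory, the records would come from an EDR export or a software-inventory query rather than the embedded list; the matching logic is unchanged.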
The Lazarus Group has a long history of hacking financial institutions to fund North Korea's nuclear program and skirt heavy Western sanctions. Since 2018, North Korean hackers have deployed several families of malware posing as legitimate cryptocurrency businesses. Beyond email phishing, the hackers also use social media platforms to approach and lure victims.