FBI warning: These hackers are targeting developers and DevOps teams to break into crypto firms

The US government reveals new tools and tactics used by North Korean hackers in recent cryptocurrency hacks.
Written by Liam Tung, Contributing Writer

The US government has detailed how North Korean state-sponsored attackers have been hacking cryptocurrency firms using phishing, malware and exploits to steal funds and initiate fraudulent blockchain transactions. 

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) have issued a joint cybersecurity advisory warning all businesses in the cryptocurrency sector to watch out for attacks from North Korean state-sponsored hackers.

Last week, the US Treasury Department linked the massive $600 million heist from the Ronin blockchain network to Lazarus hackers. 


The new joint alert mostly concerns the work of Lazarus Group, also known as APT38, and follows multiple alerts since 2020 about the group's crypto-stealing malware. 

"As of April 2022, North Korea's Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency," the alert from the FBI's Internet Crime Center (IC3) states.

"These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime."

The alert flags that Lazarus attacks often begin with spear-phishing messages sent to employees of cryptocurrency firms, frequently those in system administration, software development, IT operations or DevOps roles.

"The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications," the agencies said. The aim is to trick the target into downloading 'TraderTraitor', the FBI's name for malware-laced versions of several cryptocurrency applications.


TraderTraitor is a set of malicious applications written in JavaScript and packaged with Electron on the Node.js runtime, so that they run on both Windows and macOS. The attackers build them from a variety of open-source crypto-trading and price-prediction projects. Each app runs a bogus "update" process that downloads and executes a malicious payload.

"Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads," IC3 notes. 

"Post-compromise activity is tailored specifically to the victim's environment and at times has been completed within a week of the initial intrusion."

The IC3 alert lists several new cryptocurrency-related Electron applications containing binaries signed with now-revoked Apple Developer Team certificates.

Hackers from North Korea stole around $400 million worth of cryptocurrency in 2021 through at least seven attacks, according to blockchain analysis firm Chainalysis.
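One defensive check the revoked-certificate list enables, as an added example that is not part of the article or the advisory: parse the output of Apple's `codesign -dvv` for an app bundle and flag it when the signing Team ID is on a blocklist or the bundle is not Developer ID signed. The Team IDs and the sample `codesign` output below are constructed placeholders; the real identifiers come from the joint advisory.

```python
import re
import subprocess

# Placeholder Team IDs. The advisory lists the revoked certificates; these two
# values are made up for this example and must be replaced with the real ones.
REVOKED_TEAM_IDS = {"PLACEHOLDER01", "PLACEHOLDER02"}

TEAM_RE = re.compile(r"^TeamIdentifier=(\S+)$", re.MULTILINE)
AUTH_RE = re.compile(r"^Authority=(.+)$", re.MULTILINE)


def parse_codesign(output: str) -> dict:
    """Extract the Team ID and certificate chain from `codesign -dvv` text."""
    team = TEAM_RE.search(output)
    return {
        "team_id": team.group(1) if team else None,
        "authorities": AUTH_RE.findall(output),
    }


def assess(output: str, revoked=REVOKED_TEAM_IDS) -> str:
    """Classify a bundle: unsigned/ad-hoc, revoked Team ID, non-Developer-ID, or ok."""
    info = parse_codesign(output)
    if info["team_id"] is None or info["team_id"] == "not set":
        return "unsigned-or-adhoc"
    if info["team_id"] in revoked:
        return "revoked-team-id"
    if not any(a.startswith("Developer ID Application") for a in info["authorities"]):
        return "not-developer-id"
    return "ok"


def codesign_info(app_path: str) -> str:
    """On macOS, run codesign; `-dvv` prints the signing details to stderr."""
    proc = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    return proc.stderr


# Constructed sample output, modelled on the codesign -dvv format; not a real binary.
SAMPLE = """Executable=/Applications/CryptoTrader.app/Contents/MacOS/CryptoTrader
Identifier=com.example.cryptotrader
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Trading LLC (PLACEHOLDER01)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDER01
"""

if __name__ == "__main__":
    print(assess(SAMPLE))  # revoked-team-id
```

Note that `codesign` alone does not check certificate revocation against Apple; pairing this Team ID check with `spctl --assess` gives a second, online opinion.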
