April 19, 2022

North Korean APT Groups Target Blockchain and Cryptocurrency Companies

Industry: Blockchain, Cryptocurrency | Level: Tactical | Source: CISA

The Cybersecurity and Infrastructure Security Agency (CISA), in a joint advisory with the Federal Bureau of Investigation (FBI) and the U.S. Treasury Department (Treasury), warns that state-sponsored advanced persistent threat (APT) groups from North Korea are targeting organizations in the blockchain technology and cryptocurrency industry. The APT groups include Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. These groups’ campaigns have used social engineering to lure victims on Windows or macOS into downloading trojanized cryptocurrency applications, with phishing themes built around lucrative job opportunities. Once the malicious application is executed, the actors are able to infiltrate the victim’s host, propagate within the environment, steal credentials, exploit additional security gaps, and/or initiate fraudulent transactions. The United States government refers to these campaigns involving malicious cryptocurrency applications as “TraderTraitor”: “The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.”

  • Anvilogic Use Cases:
    • AVL_UC1053 – Web Application File Upload
    • AVL_UC1029 – Wscript/Cscript Execution
    • AVL_UC1040 – Executable File Written to Disk
    • AVL_UC1043 – Command and Control Detection