The US government has warned the blockchain industry to be wary of the Lazarus Group cryptocurrency Trojan

In a joint announcement on Monday, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation and the Treasury Department said that a group of hackers known as the Lazarus Group was using trojanized cryptocurrency applications to target organizations in the blockchain industry. The victims are said to include cryptocurrency exchanges, venture capital firms, companies that hold large amounts of cryptocurrency or non-fungible tokens (NFTs), and individuals working in the sector.

Screenshot of CryptAIS website

It comes just days after US officials linked the Lazarus Group, a hacking group with suspected links to North Korea, to the recent theft of $625m worth of cryptocurrency from Ronin.

Ronin is an Ethereum-based sidechain used by the play-to-earn game Axie Infinity. In the campaign described in the advisory, attackers use a range of communication platforms and social engineering techniques to reach employees of cryptocurrency companies.

The attackers send highly targeted spear-phishing messages claiming to offer high-paying jobs in an attempt to lure victims into downloading trojanized cryptocurrency apps, the advisory warns.

UpdateCheckSync bundles with DAFOM

What the government agencies call 'TraderTraitor' appears to be a continuation of the so-called 'Dream Job' campaign.

The latter was first observed in 2020, when the hackers targeted workers in the defense, aerospace and chemical industries and the malicious applications spread across victims' networks.

The hackers not only try to steal private keys but also actively exploit other security vulnerabilities for follow-on activity such as fraudulent blockchain transactions.

Screenshot of UpdateCheckSync in Esilet

Some of the TraderTraitor malicious apps CISA uncovered include Dafom, CryptAIS, AlticGO, Esilet and CreAI Deck, which claim to offer portfolio management and real-time cryptocurrency price predictions.

In addition, the bulletin details indicators of compromise (IOCs) and the group's tactics, techniques and procedures (TTPs), and urges organizations in the blockchain and cryptocurrency industry to strengthen their defensive measures.

Finally, last year the U.S. issued a warning about a cryptocurrency exchange application injected with the AppleJeus malware, which Lazarus used to loot crypto assets from companies and individuals around the world.
