TokenAIS, CryptAIS, and Esilet trojanized applications with TraderTraitor malware are being used to hack cryptocurrency developers and users

In a joint report, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department are warning blockchain/cryptocurrency users and organizations about an infamous phishing campaign attributed to the Advanced Persistent Threat (APT) operation tracked as Lazarus Group.

The attackers seek to compromise cryptocurrency exchanges, investors, trading companies, and blockchain organizations. The campaign appears to be sponsored by the North Korean government and aims at broad access to these systems for the theft of confidential information and the installation of malware.

The attack begins with a large volume of phishing emails sent to employees of the targeted organization, almost always disguised as job offers. The messages ask recipients to download an attached application, which carries the malware or malicious payload.

CISA reports that these messages deliver the TraderTraitor malware; once the payload is opened, the attackers begin executing commands and dropping additional malware to gain access to the host and, eventually, a foothold in the organization's network.

The attackers also rely on trojanized applications such as TokenAIS, CryptAIS, and Esilet. These are cross-platform Electron utilities built on the Node.js JavaScript runtime.
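Because the trojanized applications named above are Electron bundles, a responder who recovers one usually starts with the app.asar archive that holds the application's JavaScript rather than with the signed launcher binary. The script below is an added example, not code from the CISA report or from this article. It assumes the public asar container format (an 8-byte size prefix, a Chromium-pickle-encoded JSON header describing the file tree, then the concatenated file contents); the wallet-like bundle it parses is constructed in memory so the script runs offline, and the filenames in it are made up.

```python
"""Triage helper for Electron app.asar bundles (added example, not the
advisory's or the vendor's code). Lists the packaged files, reports which
script Electron runs first, and flags header entries a responder should
look at before trusting the bundle."""
from __future__ import annotations

import json
import struct


def build_asar(files: dict[str, bytes], executable: frozenset[str] = frozenset()) -> bytes:
    """Build a minimal asar archive from {path: content}.

    Used only to construct the sample input; a real bundle is read from the
    application's resources directory (for example resources/app.asar).
    """
    tree: dict = {"files": {}}
    blobs, offset = [], 0
    for path, data in files.items():
        node = tree
        parts = path.split("/")
        for part in parts[:-1]:
            node = node["files"].setdefault(part, {"files": {}})
        entry = {"size": len(data), "offset": str(offset)}  # offsets are strings in asar
        if path in executable:
            entry["executable"] = True
        node["files"][parts[-1]] = entry
        blobs.append(data)
        offset += len(data)
    header_json = json.dumps(tree).encode()
    # Pickle string: uint32 length, bytes, padded to a 4-byte boundary
    padded = header_json + b"\0" * (-len(header_json) % 4)
    header_pickle = struct.pack("<II", 4 + len(padded), len(header_json)) + padded
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + b"".join(blobs)


def parse_asar(blob: bytes) -> tuple[dict, int]:
    """Return (header_tree, data_start) from raw asar bytes."""
    _, header_size = struct.unpack_from("<II", blob, 0)   # bytes 4-7: header pickle size
    _, json_len = struct.unpack_from("<II", blob, 8)      # bytes 12-15: JSON string length
    header = json.loads(blob[16:16 + json_len])
    return header, 8 + header_size


def list_files(header: dict, prefix: str = "") -> dict[str, dict]:
    """Flatten the nested header tree into {path: entry}."""
    out: dict[str, dict] = {}
    for name, node in header.get("files", {}).items():
        path = prefix + name
        if "files" in node:
            out.update(list_files(node, path + "/"))
        else:
            out[path] = node
    return out


def read_file(blob: bytes, data_start: int, entry: dict) -> bytes:
    """Extract one file's bytes using its header offset (relative to data_start)."""
    start = data_start + int(entry["offset"])
    return blob[start:start + entry["size"]]


def triage(blob: bytes) -> dict:
    """Summarise a bundle: file list, first script executed, and header oddities."""
    header, data_start = parse_asar(blob)
    files = list_files(header)
    findings = []
    for path, entry in files.items():
        if entry.get("executable"):
            findings.append(f"{path}: marked executable in header")
        if entry.get("unpacked"):
            findings.append(f"{path}: stored outside the archive (app.asar.unpacked)")
        if "offset" in entry and data_start + int(entry["offset"]) + entry["size"] > len(blob):
            findings.append(f"{path}: declared range exceeds archive size")
    # Electron loads the script named by package.json "main" first, so that is
    # the file to read for added network or download logic.
    main = None
    if "package.json" in files:
        pkg = json.loads(read_file(blob, data_start, files["package.json"]))
        main = pkg.get("main", "index.js")
    return {"files": sorted(files), "main": main, "findings": findings}


# Constructed sample bundle: a fake wallet app with one executable helper
SAMPLE = build_asar(
    {
        "package.json": b'{"name":"wallet","main":"main.js"}',
        "main.js": b"require('./lib/net');",
        "lib/net.js": b"module.exports = {};",
        "bin/helper": b"\x7fELF placeholder",
    },
    executable=frozenset({"bin/helper"}),
)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

On a real bundle, replace SAMPLE with the bytes of resources/app.asar and read the file named in "main" plus anything reported in findings; a packaged executable or a header entry whose range does not fit the archive is not proof of tampering, but both are unusual in a simple wallet utility and worth a closer look.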

Lazarus has deployed the campaign through several tactics, including spear phishing and social engineering. The attack also installs various tools for stealing data and critical system information and for other post-compromise activity. The agencies add that the group uses cryptocurrency applications carrying the AppleJeus backdoor to maintain a foothold on compromised devices.

Lazarus is still considered one of the most active and dangerous APT groups and is routinely linked to high-profile campaigns that have stolen massive sums in cryptocurrency and bank funds. The group is known to be backed by North Korea's Reconnaissance General Bureau (RGB), which makes it a constant threat to states opposed to the North Korean government.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.