Written by Tonya Riley

North Korean state-backed hackers are phishing cryptocurrency company employees in order to gain access to systems that allow them to make fraudulent trades, according to an advisory Monday from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

The technique begins with a large number of email messages to that offer a better job to the employees — a common technique for the North Korean hackers, who are commonly known as the Lazarus Group. The emails urge recipients to click on applications posing as cryptocurrency trading and price prediction tools. They’re actually malware that CISA, which issued the alert with the FBI and Treasury Department, calls “TraderTraitor.”

Once the payload is deployed, cybercriminals can execute commands and send additional malware allowing them to gain access to a victim’s computer and move across a company’s network. The goal is to steal private keys or exploit security gaps that allow for fraudulent blockchain transactions, CISA said.

The warning follows updated sanctions last week against the Lazarus Group for links to a recent $650 million hack of the Ronin network connecting the popular Axie Infinity video game with the Ethereum blockchain. The advanced persistent threat (APT) group has been linked by the U.S. government to North Korea’s Reconnaissance General Bureau (RGB).

TraderTraitor screenshot
Screenshot of fake cryptocurrency website used as a ruse by hackers (courtesy CISA)

Researchers at Israeli security firm ClearSky attributed a similar campaign to the Lazarus Group last year, though it doesn’t appear the attacks share any indicators of compromise with the TraderTraitor malware. Some of the indicators of compromise of TraderTraitor include the application names TokenAIS, CryptAIS and Esilet.

The Lazarus Group has a long history of hacking financial institutions in order to fund North Korea’s nuclear program and skirt heavy Western sanctions. Since 2018, North Korean hackers have deployed several forms of malware posing as legitimate cryptocurrency businesses. In addition to phishing, hackers use social networking to lure victims.

The U.S. government has also blamed Lazarus Group for the hack of Sony Pictures in 2014 and the launch of the WannaCry 2.0 ransomware in 2017.