US Shares Info On North Korean Malware Used To Steal Cryptocurrency
In a joint advisory published on Wednesday, the FBI, CISA, and the US Department of the Treasury shared detailed information on malicious, fake cryptocurrency-trading applications that North Korean state-backed hackers use to steal cryptocurrency from individuals and companies worldwide.
These cryptocurrency trading apps were developed and injected with AppleJeus malware by a DPRK state-sponsored threat actor known as Lazarus Group (tracked by the U.S. as HIDDEN COBRA).
“These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone,” the advisory reads.
“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea—the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts.”
AppleJeus malware analysis reports
Along with the joint advisory, the US agencies released seven malware analysis reports containing indicators of compromise (IOCs) and details on each of the malicious apps the North Korean APT used in this wide-ranging cryptocurrency theft campaign.
The hacking group has developed and used several versions of AppleJeus since the malware was first detected in 2018. Most of them are delivered as seemingly benign applications from attacker-controlled websites that mimic legitimate cryptocurrency trading platforms and companies.
“Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware,” CISA said.
CISA has released the following seven Malware Analysis Reports (MARs), each with full technical details on the AppleJeus variant, mitigation recommendations, and an assessment of the cryptocurrency threat posed by the North Korean APT:
- MAR-10322463-1.v1: AppleJeus – Celas Trade Pro
- MAR-10322463-2.v1: AppleJeus – JMT Trading
- MAR-10322463-3.v1: AppleJeus – Union Crypto
- MAR-10322463-4.v1: AppleJeus – Kupay Wallet
- MAR-10322463-5.v1: AppleJeus – CoinGoTrade
- MAR-10322463-6.v1: AppleJeus – Dorusio
- MAR-10322463-7.v1: AppleJeus – Ants2Whale
“This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors,” Matt Hartman, CISA Acting Executive Assistant Director of Cybersecurity, said.
“The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cybercriminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.”
North Koreans charged and sanctioned for theft of cryptocurrency
Yesterday, the U.S. Justice Department charged three North Koreans with stealing $1.3 billion in money and cryptocurrency through attacks on banks, the entertainment industry, cryptocurrency companies, and other organizations.
They are believed to be members of units of the Reconnaissance General Bureau (RGB), a North Korean military intelligence agency.
“These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38),” the DOJ said.
A confidential United Nations report from 2019 previously estimated that North Korean operators had stolen $2 billion through at least 35 cyberattacks on banks and cryptocurrency exchanges across more than a dozen countries.
The same year, the U.S. Treasury sanctioned three North Korean hacking groups (Lazarus Group, Bluenoroff, and Andariel) for funneling stolen financial assets to the North Korean government.
More info on North Korean-backed malicious cyber activity tracked by the U.S. Government as HIDDEN COBRA can be found here.