North Korean Hackers Target Blockchain and Gaming Companies

Fortify Security Team
Jun 27, 2022

Hackers tied to the North Korean government are using a mixture of spearphishing and malware to target and rob companies in the cryptocurrency and gaming industries, the U.S. government
warned this week.

The alert, issued by the FBI, Department of the Treasury and Cybersecurity and Infrastructure Security Agency, details activity from 2020 through April 2022 by hackers sponsored by North Korea and behaving similarly to Lazarus Group — a catch-all for a mix of government and criminal hacking groups working under the direction or influence of Pyongyang.

“As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and
malware to steal cryptocurrency,” the agencies warned. “These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”

The campaign targets rank-and-file employees at cryptocurrency firms — namely system administrators and IT or software developers — through social media and other communications. Threat actors have posed as job recruiters offering high-paying gigs, using slick-looking websites and links to a malware-infected cryptocurrency application. The malware itself is written in JavaScript, is built mostly from open-source software, and can attack both Mac and Windows operating systems.

Last year the Cybersecurity and Infrastructure Security Agency, FBI and Department of the Treasury also released a joint advisory and analysis of multiple variants of malware, called AppleJeus, which North Korean actors distributed as trojanized software impersonating a legitimate cryptocurrency trading company and targeting Windows and Mac operating systems. The advisory contains technical analysis as well as indicators of compromise that security teams can use to detect the malware.

The new alert “describes a spear-phishing campaign that leverages the hot job market to entice users into downloading malicious cryptocurrency software,” said Tim Erlin, vice president of strategy at Tripwire. “We’ve certainly seen attacks focused on cryptocurrency before, and malicious software isn’t new. It’s important that readers understand that this alert isn’t about a new technology, but increased attack activity.”

The warning comes a week after FBI officials attributed a $620 million hack and theft of NFT-based video game company Axie Infinity’s Ronin network to Lazarus Group and North Korea. Both
U.S. government officials and private sector analysts say the North Korean government relies on hacking and cryptocurrency theft to evade international sanctions and fund priorities like their nuclear weapons program. The country has been behind some of the largest cryptocurrency hacks in recorded history, with no signs of slowing down.

It also follows a spate of lucrative cryptocurrency hacks in recent months as well as high-profile vulnerabilities discovered in blockchain-based companies. A Chainalysis report earlier this year found that the amount of cryptocurrency transferred from illicit wallets to decentralized finance services spiked 1,964% between 2020 and 2021.

“There is still a huge gap, in terms of security, between Web2 and Web3 infrastructure. Any small vulnerability can possibly allow cybercriminals to hijack crypto wallets behind the scenes,” said Check Point Products Vulnerabilities Research Head Oded Vanunu last week. “We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective. The implications following a crypto hack can be extreme.”
