TraderTraitor Malware Detection: CISA, FBI, and U.S. Treasury Department Warn of Cyber-Attacks by Lazarus APT

Lazarus APT Armed With TraderTraitor Malware

Lazarus APT has become a frequent guest of our blog posts. According to recent security reports, the North Korean state-sponsored APT acts quickly, jeopardizing financial and critical infrastructure, blockchain technology-oriented companies, and the cryptocurrency sector. U.S. government organizations have released details about malware-laced cryptocurrency applications tracked under the umbrella term “TraderTraitor”, distributed via a worldwide phishing campaign. The APT group stays loyal to its old ways, tempting victims with bogus job offers.

Detect TraderTraitor Malware

Cryptocurrency and blockchain businesses (trading, exchange, and investment-oriented companies, NFT and crypto play-to-earn gaming businesses), as well as individual holders of cryptocurrency wallets and NFTs, are all potential victims of the ongoing Lazarus APT activity centered around the distribution of TraderTraitor malware. Use the following rules released by our keen Threat Bounty developers Osman Demir and Sittikorn Sangrattanapitak to detect the suspicious filenames and the associated user agent within your environment:

Suspicious TraderTraitor (ATP38) Command and Control by Detection of Associated User Agent (dafom) (via proxy)

Possible LAZARUS APT Using TraderTraitor Malware Targeted Blockchain Company (via file event)
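As an added illustration of the proxy-based detection logic the first rule describes (example code written for this post, not one of the Threat Bounty rules themselves), the scanner below parses proxy access-log lines and flags entries whose User-Agent is the "dafom" string, then counts hits per internal host for triage. The Squid-style log layout, client IPs, hosts and URLs are constructed for the example; the only value taken from the post is the user agent.

```python
import re
from collections import Counter

# Constructed proxy access-log lines in a Squid-style layout (assumed format);
# the client IPs, hosts and URLs are fictitious placeholders for this example.
SAMPLE_PROXY_LOG = """\
1650000001.123 45 10.0.0.5 TCP_MISS/200 512 GET http://updates.example.test/check - HIER_DIRECT/203.0.113.10 text/plain "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1650000002.456 30 10.0.0.7 TCP_MISS/200 1024 POST http://203.0.113.77/api - HIER_DIRECT/203.0.113.77 application/json "dafom"
1650000003.789 28 10.0.0.9 TCP_MISS/200 220 GET http://cdn.example.test/lib.js - HIER_DIRECT/203.0.113.20 application/javascript "curl/7.68.0"
1650000004.012 33 10.0.0.7 TCP_MISS/200 64 GET http://203.0.113.77/beacon - HIER_DIRECT/203.0.113.77 text/plain "Dafom"
"""

# Positional fields up to the quoted User-Agent at the end of each line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) \S+ (?P<client>\S+) \S+ \S+ (?P<method>\S+) (?P<url>\S+) '
    r'\S+ \S+ \S+ "(?P<ua>[^"]*)"$'
)

# The User-Agent value named in the detection rule. Sigma string matching is
# case-insensitive by default, so the comparison below is as well.
SUSPICIOUS_UA = "dafom"


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_ua(log_text, ua=SUSPICIOUS_UA):
    """Return every parsed entry whose User-Agent equals `ua`, ignoring case."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["ua"].casefold() == ua.casefold():
            hits.append(entry)
    return hits


def hosts_to_triage(hits):
    """Count matches per internal client so the SOC sees which hosts to look at first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    matches = find_suspicious_ua(SAMPLE_PROXY_LOG)
    for h in matches:
        print(f'{h["ts"]} {h["client"]} {h["method"]} {h["url"]} UA="{h["ua"]}"')
    print("hosts to triage:", dict(hosts_to_triage(matches)))
```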

The detections are available for 18 SIEM, EDR & XDR platforms and are aligned with the latest MITRE ATT&CK® framework v.10. For more detection content, please press the View Detections button below.

Cybersecurity professionals leverage the Threat Bounty Program to unlock new possibilities for their careers in the field. Join Threat Bounty to share our dedication to cooperating in achieving high standards of cybersecurity processes.


TraderTraitor Malware Analysis

CISA, the FBI, and the U.S. Treasury Department have released a joint Cybersecurity Advisory highlighting the threats associated with TraderTraitor malware infections. The ill-famed North Korean hackers target firms that rely on blockchain technology, cryptocurrency investment, exchange, and trading companies, as well as individual owners of cryptocurrency wallets, to spread malicious cryptocurrency apps loaded with TraderTraitor malware. These trojanized trading or price prediction applications are built to run on both major operating systems – Windows and macOS.

The TraderTraitor malware is spread via spear-phishing scams – Lazarus’ time-tested modus operandi – as part of the APT’s multi-channel Operation Dream Job. TraderTraitor operators hit their targets with large numbers of spear-phishing messages across communication channels, including messaging and email platforms.

Once a target is tricked into downloading and installing these bogus tools for cryptocurrency operations, the system is infected with a tailor-made remote access trojan (RAT) that gathers system data, runs arbitrary commands, and enables adversaries to download additional payloads for fraudulent trades and theft of sensitive cryptocurrency data.

Smart and timely decisions about your organization’s cybersecurity strategy are a tried-and-true approach to withstanding large-scale APT strikes. Browse through Threat Detection Marketplace for more Sigma and YARA detection content to ensure no critical danger flies under the radar.
