The prolific Lazarus APT group is back in action, expanding its attack scope against organizations in the blockchain technology and cryptocurrency industry. The group has also revived the well-known ‘Operation Dream Job’ campaign, which lures targeted employees with fake job offers.
Update on Lazarus APT Activity
In an alert, the FBI, CISA, and the Treasury Department revealed that the North Korea-based Lazarus hacking group is sending a large number of spear-phishing messages to employees working in blockchain technology and cryptocurrency firms in an attempt to steal cryptocurrency.
These emails often mimic a recruitment effort and offer high-paying jobs to entice recipients into downloading malware-laced cryptocurrency applications, which are referred to as TraderTraitor.
The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools.
Apart from stealing cryptocurrency, the federal agencies also noted that the attackers were leveraging the malicious applications to install macOS and Windows variants of the Manuscrypt malware, which is capable of stealing system information and performing other malicious activities.
The campaign targets cryptocurrency exchanges, DeFi, play-to-earn cryptocurrency games, and crypto-coin trading companies. Also in the crosshairs are venture capital funds investing in cryptocurrencies and people holding large amounts of NFTs.
Massive crypto heist associated with Lazarus
Last week, the FBI made a major revelation about the massive heist that occurred at Axie Infinity last month.
The Lazarus group was held responsible for executing the heist by exploiting the Ronin firm and stealing around $600 million in Ethereum and USD coins.
The infamous ‘Operation Dream Job’ returns
Besides targeting cryptocurrency firms, the North Korean cyber-espionage group Lazarus was also observed reviving the ‘Operation Dream Job’ campaign under a new name, Pompilus.
The campaign lured employees working in the chemical sector into installing malware that could further be used for espionage.
The attack chain of the campaign is similar to the previous Dream Job campaigns observed in August 2020 and July 2021.
The past campaigns had targeted individuals in the defense, government, and engineering sectors.
Summing it up
The CISA advisory indicates that the crypto-focused activity of Lazarus is unlikely to abate anytime soon. Moreover, the group is continuously expanding its tactics and techniques to exploit computer networks of interest to acquire cryptocurrency-intellectual property and gain financial assets. Therefore, organizations must implement mitigation measures to reduce the risk of such threats.