Digital Currency Exchanges And Users Are Under Targeted Attack By North Korean - TraderTraitor

TraderTraitor – North Korean Group targeting the Blockchain companies and NFT trading platforms to heist your NFT’s and Digital Crypto Coins. FBI, CISA and US Treasury Department released Joint Cyber Security Advisory to be aware of the targeted attack and take adequate mitigations to deploy in your environment.

Attack Overview:

US government states that “It observed North Korean Cyber actors targeting a variety of organizations involved with the blockchain technology and the cryptocurrency industry, including exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, trading companies, Venture Capital Funds those invest in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable Non-Fungible Tokens (NFT’s) “

This targeted Attack is succeeded through effective “Social Engineering Techniques”. Techniques used here which resembles the attack from “Lazarus Group “AppleJeus”. Dangerous customized Trojan has been designed for this specific attack which is targeting the crypto currency industries and its users which can steal all your cryptocurrencies and NFT’s. Continuous Spear Phishing Campaigns has been targeted the exchanges which will utilize the presence of existing vulnerabilities in their applications and servers.

How Effective the Trojan is ?

The Campaign targets the end users by mimicking as recruitment agency which offers “high-paying jobs”: when victim falls prey, it downloads the malicious files in the background

Security experts briefed that the new Trojan is developed using various open-source tools and its very perilous impact. Attackers created their own websites which depicts they are the resellers of Digital Currencies and NFT’s. When you visit the website, Trojan Malware gets downloaded through “Drive by Downloads” while you are valuing the currencies. Trojan intact downloads more files through C&C and execute arbitrary commands similar tool as “North Korean Remote Access Tool: COPPERHEDGE” post infection

TraderTraitor_SynCheck — TraderTraitor_Sync Check

Security experts advising organizations and individuals to ensure awareness of the security attacks and capture the IOCs to deploy in your environment to Protect & Monitor

Even at the moment lot of security vendors have not tagged this as Malicious in their DAT’s and Threat Intelligence platforms

Please find the below list of IOC’s for your actions

Malicious Domains:

dafom[.]dev
tokenais[.]com
cryptais[.]com
alticgo[.]com
esilet[.]com
greenvideo[.]nl
dafnefonseca[.]com
haciendadeclarevot[.]com
sche-eg[.]org
www[.]vinoymas[.]com
infodigitalnew[.]com
creaideck[.]com
aideck[.]net

SHA Values to Block:

MD5 List:

c2ea5011a91cd59d0396eb4fa8da7d21
930f6f729e5c4d5fb52189338e549e5e
4e5ebbecd22c939f0edf1d16d68e8490
1c7d0ae1c4d2c0b70f75eab856327956
855b2f4c910602f895ee3c94118e979a
9a6307362e3331459d350a201ad66cd9
53d9af8829a9c7f6f177178885901c01
1ca31319721740ecb79f4b9ee74cd9b0
9578c2be6437dcc8517e78a5de1fa975
5d43baf1c9e9e3a939e5defd8f8fbd8d
8397ea747d2ab50da4f876a36d673272

SHA-1 List:

b2d9ca7b6d1bbbe4864ea11dfca343b7e15597d8
8e67006585e49f51db96604487138e688df732d3
f1606d4d374d7e2ba756bdd4df9b780748f6dc98
f3263451f8988a9b02268f0fb6893f7c41b906d9
ff17bd5abe9f4939918f27afbe0072c18df6db37
3f2c1e60b5fac4cf1013e3e1fc688be490d71a84
ae9f4e39c576555faadee136c6c3b2d358ad90b9
41f855b54bf3db621b340b7c59722fb493ba39a5
d2a77c31c3e169bec655068e96cf4e7fc52e77b8
d5ff73c043f3bb75dd749636307500b60a436550
48a6d5141e25b6c63ad8da20b954b56afe589031

SHA-256 List:

60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18
5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03
f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b
765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819
e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad
8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925
9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598
9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa
dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156
867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36
89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957

Everyone is going crazy about digital currencies and its increasing value across the globe. All the users are victimized for such targeted attacks, we would like you to be vigilant and have a safe play in your currencies !!!