The nation's top financial and cyber law enforcement watchdogs have published an extensive analysis of the malware used in recent efforts to steal cryptocurrency. These efforts infect individuals and companies that use cryptocurrency trading applications, and lie behind the indictment of three North Korean actors that was unveiled in February.
The analysis includes both malware details (script names, commands, IP addresses) and indicators of compromise used in the attacks to date. It also includes remediation recommendations for targeted companies. Although most of those recommendations are aimed at cryptocurrency exchanges and financial services companies, there are proactive mitigation measures recommended for all organizations, including awareness training, account privilege controls, and other common measures.
This joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.
These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone....