Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators
Warning: Attribution is fickle and not something an independent researcher typically does. I welcome all in the threat intelligence community to check my homework.
I've been tracking a highly distributed and sophisticated malware campaign on GitHub and npm targeting cryptocurrency users.
Buckle up, this is a lengthy one. I have laboured the point in establishing a link between novel techniques and malware samples to known DPRK tactics and techniques, culminating in a high confidence attribution.
Summary
- The Contagious Trader campaign is a novel tranche of malware operations I attribute to North Korea/Lazarus with high confidence
- The campaign is highly active and consists of malicious cryptocurrency trading bot projects on GitHub that advertise enticing yields
- These GitHub projects are designed to exfiltrate sensitive files and/or private keys using a variety of techniques, including malicious npm dependencies.
- Several tactics, techniques, and procedures from Contagious Trader are consistent with North Korea and FAMOUS CHOLLIMA, however attribution to …
IoC