APT38 CryptoSpy

A chain that replicates the TraderTraitor malware distributed by APT38. Host the cryptoSpy payload for a user to download. Once downloaded wait for the user to click the malicious update button, which will download a pneuma agent from the Operator API. The pneuma agent named "cryptoSpy" will callback into Operator and run a queued TTP that retrieves the user's information.

TTP Tuesday: APT38 - CryptoSpy

Replicating TraderTraitor

Theme Overview

We are just off the heels of last week’s chain that replicated WannaCry. This week we are looking at APT38’s crypto attacks. You can replicate many things, but replicating an entire blockchain seemed a little extreme. This week’s chain concentrates more on the way initial access was gained according to CISA.gov.

Custom Malware

Anytime I see a way for me to write something custom, I like to take advantage of the situation. So just because this chain might not have a lot of TTPs, it doesn’t mean there isn’t a lot going on in the background. According to CISA, the government refers to the malware used by APT38 in these attacks as “TraderTraitor”. The malware is an electron-based nodeJS application, like Operator just minus the malware part😜.

This means I needed to write a piece of malware with a graphical user interface (GUI). Due to my less than average Javascript skills, I decided I would take up the challenge using Go and the pretty awesome “Fyne” library. I needed to replicate this part of CISA’s report: “The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools.” Now since most open-source projects wouldn’t appreciate me using their project to pass out malware, I wrote a simple application from scratch.

Nothing fancy, just an application that looks like it is giving you the most recent prices for Bitcoin and Ethereum, then asks if you would like to update. This is done to fit the next part of the CISA report: “Within the code is a function that purports to be an update, with a name such as UpdateCheckSync(), that downloads and executes a malicious payload”. In our case, the malicious payload is a pneuma agent which gets downloaded and launched once you click the “Update” button.

To handle the callback, the malware will check for a file called “config.json” in the same directory as the binary. If a “config.json” file is not found, the malware will fall back to parsing its binary name (similar to the technique used in the Goldilocks chain). This will use that data to download pneuma from a Redirector or your Operator instance and attempt to connect back to that same IP (to keep complexity at a minimum, we are using Operator’s default ports).

Some new techniques regarding Operator

The final 2 TTPs are utilizing some less seen techniques in Operator. After hosting the link to the CryptoSpy binary, we immediately start asking Operator if our expected CryptoSpy (pneuma) agent has called back successfully. When the CryptoSpy agent calls back in, the last TTP will then queue an identification TTP to check the username and groups of the user. These TTPs will be released in a more generic form, enabling them to be easily added to your own chains. This will allow you to specify the name of the expected agent and the ID of the TTP you would like to queue.

Watch a demonstration: APT38 CryptoSpy

Feeling a bit more adventurous?

The malware’s update function is named the same as in the CISA report. Try throwing it in a reverse engineering tool (like Ghidra) to see if you can follow the information flow! Everything in the binary should be pretty straightforward and might give you the opportunity to get your feet wet with some basic reverse engineering.

A few questions you might want to try and answer are:

  • How does the price update?
  • Can you find the two functions that are used to identify the callback IP?
  • What are some of the strings embedded in the binary?

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Host cryptoSpy payload
Wait for cryptoSpy callback
Queue TTP for cryptoSpy agent