Researchers link ongoing CryptoCore campaign to North Korea’s Lazarus APT
State-sponsored hackers from North Korea known as Lazarus APT group appear to be behind a campaign that has been targeting cryptocurrency exchanges for the last three years, according to a new report from Israeli cybersecurity firm ClearSky.
Dubbed “CryptoCore” (CryptoMimic, Dangerous Password and Leery Turtle), the campaign targeted crypto exchanges in Israel, Japan, Europe, and the U.S., resulting in the theft of millions of dollars worth of virtual currencies.
ClearSky attributed the attacks with “medium-high” likelihood to the Lazarus Group (aka APT38 or Hidden Cobra) by piecing together artifacts from separate but similar attacks detailed by F-Secure, Japanese CERT JPCERT/CC, and NTT Security over the past few months.
Active since at least 2009, the Lazarus group is mainly focused on cyber-espionage, political attacks (anti-US and anti-South Korea, mostly) and financial, especially cryptocurrency wallets theft. According to the FBI this group is state-sponsored and is a part of North Korea’s RGB intelligence agency.
Last year, ClearSky released a report detailing the CryptoCore campaign that targeted cryptocurrency wallets belonging to exchanges or their employees.
The campaign started in 2018 and relied on spear-phishing to gain an initial foothold. At the time of the report, CryptoCore was responsible for at least five attacks causing estimated losses of more than $200 million.
At the time the researchers theoreticized that the threat group behind this campaign was of Russian or other eastern-European origin.
In a new report ClearSky compared findings provided in public disclosures from other cybersecurity firms and organizations detailing similar attacks and tactics, techniques, and procedures and discovered multiple overlaps suggesting that said reports touched different aspects of the same large-scale campaign.
“Given the large amount of similar IOC’s and a virtually identical VBS script all found in ClearSky’s, F-SECURE’s and JPCERT/CC’s research papers, we can assume it is highly probable they are all referring to the same attack campaign,” ClearSky wrote.
The researchers also said they reaffirmed the attribution by comparing the malware deployed in the CryptoCore campaign to other Lazarus campaigns and found strong similarities.
Similar traits for RAT:
1. RAT is named ntuser.cat.
2. Usage of the packers themida and VMProtect.
3. Injection of malware to process explorer.exe, and potentially to other processes.
4. RAT accesses file “msomain.sdb” and decrypts it. This file contains information of C&C servers.
5. Base64 encoding in RAT’s code.
6. Unique code in RAT and STEALER for RC4 encryption. This code has only ever been found in LAZARUS tools.
7. Uniform malware command-parsing table, indicating the same RAT was used for several targets.
8. Unique wrapper function for decrypting RC4 and Base64.
Similar traits for STEALER:
1. Usage of the packers themida and VMProtect.
2. Injection of malware to process lsass.exe, probably done to dump user passwords and steal data.
3. STEALER accesses file “msomain.sdb” and decrypts it. This file contains information of C&C servers.
4. Unique code in RAT and STEALER for RC4 encryption. This code has only ever been found in LAZARUS tools.
5. Unique wrapper function for decrypting RC4 and Base64 (different than the one in the RAT).
