SlowMist Security Team reveals the Lazarus Group's intrusion techniques

Reprinted from ChainCatcher
02/24/2025
Original title: "Cryptocurrency APT Intelligence: Revealing the Lazarus Group Intrusion Methods"
Author: 23pds & Thinking (SlowMist Security Team)
Compiled by: lenaxin, ChainCatcher
Background
Since June 2024, the SlowMist Security Team has received invitations from several teams to conduct forensic investigations into a number of hacking incidents. After roughly 30 days of evidence gathering, in-depth analysis and investigation, we completed our review of the attackers' methods and intrusion paths. The results show that this was a state-sponsored APT attack targeting cryptocurrency exchanges. Through forensic analysis and correlation tracking, we confirmed that the attacker is the Lazarus Group.
After obtaining the relevant IOCs (indicators of compromise) and TTPs (tactics, techniques and procedures), we shared this information with our partners as quickly as possible. We also found that other partners had encountered the same attack and intrusion methods. They were more fortunate by comparison: the hacker triggered some security alerts during the intrusion, and with a timely response from the security team the attack was successfully blocked.
Given that APT attacks on cryptocurrency exchanges continue to occur and the situation is becoming increasingly serious, after consulting with the relevant parties we decided to redact the IOCs and TTPs from these attacks and publish them, so that community partners can defend themselves and run self-checks in a timely manner. Because of confidentiality agreements, we cannot disclose many specifics about our partners. In what follows, we focus on the IOCs and TTPs of the attacks.
Attacker information
Attacker domain names:
- gossipsnare[.]com, 51.38.145.49:443
- showmanroast[.]com, 213.252.232.171:443
- getstockprice[.]info, 131.226.2.120:443
- eclerdomain[.]com, 37.120.247.180:443
- replaydreary[.]com, 88.119.175.208:443
- coreladao[.]com
- cdn.clubinfo[.]io
IP addresses involved in the incidents:
- 193.233.171[.]58
- 193.233.85[.]234
- 208.95.112[.]1
- 204.79.197[.]203
- 23.195.153[.]175
The attacker's GitHub username:
The attacker's social media account:
- Telegram: @tanzimahmed88
Backdoor program names:
- StockInvestSimulator-main.zip
- MonteCarloStockInvestSimulator-main.zip
- Similar variants such as ...StockInvestSimulator-main.zip
Legitimate project code:
(https://github.com/cristianleoo/montecarlo-portfolio-management)
The fake project code modified by the attacker:
On comparison, an additional file data_fetcher.py appears in the data directory, containing a suspicious Loader:
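The domains and IPs above are published defanged (`[.]` in place of dots, with line-wrapping spaces). The following is an added example, not part of the original report: it refangs the published indicators and runs them over a few constructed DNS-resolver and proxy log lines, matching subdomains of the listed domains as well as exact names. The log lines and the internal client addresses in them are constructed for illustration. Hits on the IP list should be treated as leads rather than verdicts, since shared hosting and CDN addresses produce false positives; confirm with the domain, timing and host context before blocking.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators from the report, kept exactly in their published (defanged) form.
DEFANGED_DOMAINS = [
    "gossipsnare [.] com", "showmanroast [.] com", "getstockprice [.] info",
    "eclerdomain [.] com", "replaydreary [.] com", "coreladao [.] com",
    "cdn . clubinfo [.] io",
]
DEFANGED_IPS = [
    "51.38.145.49", "213.252.232.171", "131.226.2.120", "37.120.247.180",
    "88.119.175.208", "193.233.171[.]58", "193.233.85[.]234", "208.95.112[.]1",
    "204.79.197[.]203", "23.195.153[.]175",
]

def refang(indicator: str) -> str:
    """Undo defanging: '[.]', '(.)' or '{.}' become '.', and the spaces that were
    inserted around dots for line wrapping are removed."""
    s = re.sub(r"\s*[\[\(\{]\.[\]\)\}]\s*", ".", indicator)
    s = re.sub(r"\s*\.\s*", ".", s)
    return s.strip().lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Host names (at least one label plus an alphabetic TLD) and dotted-quad IPv4 literals.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def domain_matches(name: str) -> Optional[str]:
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for ioc in DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def scan_line(line: str) -> List[Tuple[str, str]]:
    """All (kind, indicator) hits in one log line; domains first, then IPs."""
    hits: List[Tuple[str, str]] = []
    for m in DOMAIN_RE.finditer(line):
        ioc = domain_matches(m.group(1))
        if ioc:
            hits.append(("domain", ioc))
    for m in IP_RE.finditer(line):
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if addr in IPS:
            hits.append(("ip", str(addr)))
    return hits

def scan_log(lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every hit across the log."""
    findings = []
    for no, line in enumerate(lines, 1):
        for kind, ioc in scan_line(line):
            findings.append((no, kind, ioc))
    return findings

# Constructed sample log lines (not from the incident): resolver queries and proxy CONNECTs.
SAMPLE_LOG = [
    "2025-02-20T02:14:07Z dns client=10.20.1.37 query=api.gossipsnare.com type=A",
    "2025-02-20T02:14:08Z proxy client=10.20.1.37 dst=51.38.145.49:443 method=CONNECT",
    "2025-02-20T02:15:22Z dns client=10.20.1.37 query=cdn.clubinfo.io type=A",
    "2025-02-20T02:15:23Z dns client=10.20.1.40 query=api.github.com type=A",
    "2025-02-20T02:16:01Z proxy client=10.20.1.40 dst=193.233.171.58:443 method=CONNECT",
]

if __name__ == "__main__":
    for no, kind, ioc in scan_log(SAMPLE_LOG):
        print(f"line {no}: {kind} indicator {ioc}")
```

Matching on `endswith("." + ioc)` rather than substring is deliberate: it catches `api.gossipsnare.com` but not an unrelated name that merely contains the string, and the `rstrip(".")` handles resolver logs that record fully qualified names with a trailing dot.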

Backdoor technique used by the attackers
The attacker used PyYAML to achieve RCE (remote code execution) as the delivery mechanism for malicious code, thereby taking control of the target computers and servers. This method evades detection by most antivirus software. After sharing intelligence with our partners, we obtained several similar malicious samples.
Key technical analysis reference: https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation#how-to-disable-the-warning
Through in-depth analysis of the samples, the SlowMist Security Team successfully reproduced the attacker's technique of using PyYAML for RCE (remote code execution).
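The PyYAML issue referenced above is that `yaml.load` with the full `Loader` (the default before PyYAML 5.1, and still available as `yaml.unsafe_load`) honours `!!python/...` tags and instantiates whatever Python object the document names, so a YAML file that looks like configuration can execute code. The following is an added example, not code from the report or from the malicious project: it shows a static check that flags `python/` tags in a YAML document without loading it (including the verbatim `!<tag:yaml.org,2002:python/...>` form that a plain grep for `!!python` misses), the `safe_load` call that refuses such documents, and, for contrast, the vulnerable loader applied to a harmless `builtins.len` tag that stands in for a real payload. The sample configuration is constructed, not the attacker's `data_fetcher.py`. The PyYAML import is optional so the static scan also runs where the library is absent.

```python
import re
from typing import List, Tuple

try:
    import yaml  # PyYAML; optional so that the static scan below runs without it
except ImportError:
    yaml = None

# Short-form "!!python/..." tags and verbatim "!<tag:yaml.org,2002:python/...>" tags.
PYTHON_TAG_RE = re.compile(
    r"(!!python/[A-Za-z0-9_/.:]+|!<tag:yaml\.org,2002:python/[^>]*>)"
)

def find_python_tags(text: str) -> List[Tuple[int, str]]:
    """Static check: (line_number, tag) for every python/ tag, without parsing the
    document. Suitable for auditing YAML files in a repository before running it."""
    findings: List[Tuple[int, str]] = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in PYTHON_TAG_RE.finditer(line):
            findings.append((no, m.group(1)))
    return findings

def load_untrusted(text: str):
    """Hardened load: refuse documents carrying python/ tags, then parse with
    yaml.safe_load, which only builds plain data (dict, list, str, int, ...)."""
    tags = find_python_tags(text)
    if tags:
        raise ValueError(f"refusing YAML with Python object tags: {tags}")
    return yaml.safe_load(text)

def safe_load_rejects(text: str) -> bool:
    """True if yaml.safe_load refuses the document, which is the behaviour wanted
    for attacker-controlled input (it raises a ConstructorError on unknown tags)."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False

def unsafe_load_result(text: str):
    """The vulnerable pattern: yaml.unsafe_load (equivalently yaml.load(text, Loader=yaml.Loader),
    or yaml.load(text) with no Loader on PyYAML < 5.1) calls whatever the python/ tag names.
    The harmless builtins.len used in SAMPLE_CONFIG stands in for an attacker's payload;
    the mechanism is identical."""
    return yaml.unsafe_load(text)

# Constructed sample: reads like a data-source setting, but `loader` is a
# python/object/apply tag that the unsafe loader turns into a function call.
SAMPLE_CONFIG = """\
data_source: yahoo
tickers: [AAPL, MSFT]
loader: !!python/object/apply:builtins.len [[1, 2, 3]]
"""

if __name__ == "__main__":
    print("static scan:", find_python_tags(SAMPLE_CONFIG))
    if yaml is not None:
        print("safe_load rejects:", safe_load_rejects(SAMPLE_CONFIG))
        print("unsafe_load built:", unsafe_load_result(SAMPLE_CONFIG)["loader"])
```

In a code review of a project someone asks you to run, the first function is the cheap check: any `python/` tag in a configuration file of a "stock simulator" has no legitimate reason to be there. In application code, `safe_load` is the fix; on PyYAML 6.0 and later `yaml.load` without a `Loader` argument raises a `TypeError`, which is why older tutorials' `yaml.load(input)` calls get "fixed" by reaching for `yaml.Loader` and reintroduce the problem.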
Key attack analysis
Goals and motivation
Target: the attacker's main goal was to gain control of the wallets by breaking into the cryptocurrency exchange's infrastructure, and then illegally transfer large amounts of crypto assets out of those wallets.
Motivation: theft of high-value cryptocurrency assets.
Technical means
1. Initial intrusion
- The attacker used social engineering to trick employees into executing seemingly normal code on a local device or in Docker.
- In this investigation, we found that the malware used by the attackers included StockInvestSimulator-main.zip and MonteCarloStockInvestSimulator-main.zip. These files masquerade as legitimate Python projects but are in fact remote-access Trojans. The attacker used PyYAML-based RCE to deliver and execute malicious code while evading detection by most antivirus software.
2. Privilege escalation
- Having obtained local control of the employee's device through the malware, the attacker tricked the employee into setting privileged to true in docker-compose.yaml.
- The attacker then used the privileged: true setting to escalate further and gain full control of the target device.
3. Internal reconnaissance and lateral movement
- The attacker used the compromised employee computer to scan the intranet.
- The attacker then exploited vulnerabilities in intranet services and applications to break into internal enterprise servers.
- The attacker stole the SSH keys of key servers and abused the whitelist trust relationships between servers to move laterally to the wallet server.
4. Crypto asset transfer
- After gaining control of the wallet, the attacker illegally transferred a large amount of crypto assets to wallet addresses under their own control.
5. Covering tracks
- The attackers used legitimate enterprise tools, application services and infrastructure as pivots to mask the true source of their activity, and deleted or corrupted logs and sample data.
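Step 2 above turns on `privileged: true`, which hands the container every capability plus the host's devices, so a foothold inside the container becomes control of the machine. The following is an added example, not code from the report: an audit of a parsed docker-compose document (the dict that `yaml.safe_load` returns for docker-compose.yaml) that flags the privileged setting, shown against a constructed "trapped" file like the one the employee was talked into and a hardened version of the same service. As a labelled generalization beyond the case in the report, it also flags two settings commonly treated as equivalent to privileged: mounting the host Docker socket and adding the SYS_ADMIN (or ALL) capability. Both compose documents are constructed for illustration.

```python
from typing import Any, Dict, List, Tuple

HOST_DOCKER_SOCKET = "/var/run/docker.sock"

def _volume_source(vol: Any) -> str:
    """Compose accepts the short 'host:container[:mode]' string and the long mapping form."""
    if isinstance(vol, str):
        return vol.split(":", 1)[0]
    if isinstance(vol, dict):
        return str(vol.get("source", ""))
    return ""

def audit_compose(doc: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (service_name, finding) for every service that weakens the container
    boundary. `doc` is a parsed compose file, e.g. yaml.safe_load(open(path))."""
    findings: List[Tuple[str, str]] = []
    services = doc.get("services") or {}
    for name, svc in services.items():
        svc = svc or {}
        # The setting from the incident: YAML yields a bool, but tolerate quoted forms too.
        if svc.get("privileged") in (True, "true", "yes", "1"):
            findings.append((name, "privileged: true (all capabilities and host device access)"))
        # Generalization: the host daemon socket gives the container control of the host.
        for vol in svc.get("volumes") or []:
            if _volume_source(vol) == HOST_DOCKER_SOCKET:
                findings.append((name, "mounts the host Docker socket"))
        # Generalization: SYS_ADMIN is the capability most escape techniques rely on.
        caps = set()
        for cap in svc.get("cap_add") or []:
            cap = str(cap).upper()
            caps.add(cap[4:] if cap.startswith("CAP_") else cap)
        if caps & {"SYS_ADMIN", "ALL"}:
            findings.append((name, "cap_add grants SYS_ADMIN or ALL"))
    return findings

# Constructed compose document resembling what the employee was asked to run.
TRAPPED = {
    "services": {
        "simulator": {
            "image": "python:3.11",
            "command": "python main.py",
            "privileged": True,
            "volumes": ["./:/app"],
        }
    }
}

# The same service with the boundary kept intact: unprivileged user, no added
# capabilities, no privilege gain via setuid, read-only root with a scratch tmpfs.
HARDENED = {
    "services": {
        "simulator": {
            "image": "python:3.11",
            "command": "python main.py",
            "user": "1000:1000",
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
            "read_only": True,
            "tmpfs": ["/tmp"],
            "volumes": ["./:/app:ro"],
        }
    }
}

if __name__ == "__main__":
    for label, doc in (("trapped", TRAPPED), ("hardened", HARDENED)):
        print(label, audit_compose(doc) or "no findings")
```

Running this as a pre-commit hook or in CI on every compose file in a repository makes "just set privileged to true so it works" a reviewed change rather than something an employee does alone under time pressure from a stranger.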
Attack process
The attackers used social engineering to deceive their targets; common approaches included:
1. Posing as a project team, seeking out key developers, asking for help debugging code, and offering to pay in advance to gain trust.
Tracing the related IP and User-Agent information showed that this payment was made through a third-party payment service and was of little investigative value.
2. Posing as automated-trading or investment staff, offering trading-analysis or quantitative code, and tricking key targets into running the malicious program. Once the malicious program runs on the device, it establishes a persistent backdoor and gives the attacker remote access.
- The attacker used the compromised device to scan the intranet, identify key servers, and penetrate further into the enterprise network through vulnerabilities in enterprise applications. All attacks were carried out over the compromised device's VPN traffic, bypassing detection by most security appliances.
- Once permissions on the relevant application servers were obtained, the attacker stole the SSH keys of key servers, used those servers' permissions to move laterally, and finally took control of the wallet server and transferred the crypto assets to an external address. Throughout the process, the attacker made skillful use of the enterprise's internal tools and infrastructure, making the attack difficult to detect quickly.
- The attackers tricked employees into deleting the debugging program and paid "debugging compensation" to cover their tracks.
In addition, because some of the deceived employees feared being held accountable, they may have proactively deleted relevant information, so the incident was not reported promptly after it occurred, making investigation and evidence collection more difficult.
Defense recommendations
APT (Advanced Persistent Threat) attacks are extremely difficult to defend against because of their stealth, clear objectives and long dwell time. Traditional security measures often fail to detect their complex intrusion behaviour, so multi-layered network security solutions such as real-time monitoring, anomalous-traffic analysis, endpoint protection and centralized log management must be combined to detect an attacker's traces as early as possible and respond effectively. The SlowMist Security Team offers eight defense directions and suggestions as a reference for community partners' defense deployments:
1. Network proxy security configuration
Objective: configure security policies on network proxies to implement security decisions and service management based on a zero-trust model.
Solutions: Fortinet (https://www.fortinet.com/), Akamai (https://www.akamai.com/glossary/where-to-start-with-zero-trust), Cloudflare (https://www.cloudflare.com/zero-trust/products/access/), etc.
2. DNS traffic security protection
Objective: implement security controls at the DNS layer, detect and block resolution requests for known malicious domains, and prevent DNS spoofing and data exfiltration.
Solution: Cisco Umbrella (https://umbrella.cisco.com/), etc.
3. Network traffic/host monitoring and threat detection
Objective: analyze requested network data flows, monitor abnormal behaviour in real time and identify potential attacks (for example with IDS/IPS), and install HIDS on servers to detect exploitation attempts and other attacks as early as possible.
Solutions: SolarWinds Network Performance Monitor (https://www.solarwinds.com/), Palo Alto (https://www.paloaltonetworks.com/), Fortinet (https://www.fortinet.com/), Alibaba Cloud Security Center (https://www.alibabacloud.com/zh/product/security_center), GlassWire (https://www.glasswire.com/), etc.
4. Network segmentation and isolation
Objective: divide the network into smaller, isolated zones to limit the spread of threats and strengthen security controls.
Solutions: Cisco Identity Services Engine (https://www.cisco.com/site/us/en/products/security/identity-services-engine/index.html), cloud platform security group policies, etc.
5. System hardening
Objective: implement security hardening policies (such as configuration management, vulnerability scanning and patch updates) to reduce system exposure and improve defensive capability.
Solutions: Tenable (https://www.tenable.com/), public.cyber.mil (https://public.cyber.mil), etc.
6. Endpoint visibility and threat detection
Objective: monitor endpoint activity in real time, identify potential threats and support rapid response (for example with EDR); set up application whitelisting to discover abnormal programs and alert promptly.
Solutions: CrowdStrike Falcon (https://www.crowdstrike.com/), Microsoft Defender for Endpoint (https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint), Jamf (https://www.jamf.com/) or WDAC (https://learn.microsoft.com/en-us/hololens/windows-defender-application-control-wdac), etc.
7. Centralized log management and analysis
Objective: consolidate log data from different systems on a unified platform to facilitate tracking, analysis and response to security incidents.
Solutions: Splunk Enterprise Security (https://www.splunk.com/), Graylog (https://graylog.org/), ELK (Elasticsearch, Logstash, Kibana), etc.
8. Cultivate team security awareness
Objective: raise the security awareness of the organization's members so that they can recognize most social engineering attacks and actively report anomalies after an incident, allowing investigations to start sooner.
Solutions: Blockchain Dark Forest Selfguard Handbook (https://darkhandbook.io/), Web3 Phishing Techniques Analysis (https://github.com/slowmist/Knowledge-Base/blob/master/security-research/Web3%20%E9%92%93%E9%B1%BC%E6%89%8B%E6%B3%95%E8%A7%A3%E6%9E%90.pdf), etc.
In addition, we recommend periodic red-team/blue-team exercises to identify weaknesses in security process management and in the deployment of security defenses.
Closing remarks
Attacks often occur on weekends and traditional holidays, which poses considerable challenges for incident response and resource coordination. Throughout this process, 23pds (Shan Ge), Thinking, Reborn and other members of the SlowMist Security Team remained on alert, responded in shifts during the holidays, and kept the investigation and analysis moving. In the end, we successfully reconstructed the attacker's techniques and intrusion paths.
Looking back at this investigation, we not only exposed the Lazarus Group's attack methods but also analyzed a chain of tactics including social engineering, vulnerability exploitation, privilege escalation, intranet penetration and fund transfer. We have also summarized defense recommendations against APT attacks based on real cases, hoping to provide a reference for the industry and help more institutions improve their security protection and reduce the impact of potential threats. Cybersecurity is a protracted war, and we will continue to follow similar attacks to help the community resist threats together.