Author: SharkTeam
National APT (Advanced Persistent Threat) organizations are top-notch hacker groups supported by national backgrounds, specializing in long-term persistent network attacks against specific targets. The Lazarus Group, a North Korean APT organization, is a very active APT group, mainly targeting the theft of funds, posing the biggest threat to global financial institutions. In recent years, they have been responsible for multiple attacks and fund theft cases in the cryptocurrency field.
I. Lazarus Group
According to Wikipedia, the Lazarus Group was established in 2007 and is affiliated with the Reconnaissance General Bureau, Third Bureau of the General Staff Department of the Korean People's Army, specializing in cyber warfare. The organization is divided into two departments: BlueNorOff (also known as APT38) with approximately 1700 members, responsible for illegal fund transfers through forged SWIFT orders, focusing on exploiting network vulnerabilities for economic gain or controlling systems to carry out financial cybercrimes targeting financial institutions and cryptocurrency exchanges. The other department, AndAriel, with approximately 1600 members, targets South Korea.
The earliest known attack by the Lazarus Group was in 2009, using DDoS technology to attack the South Korean government in the "Operation Troy." One of their most famous attacks was in 2014 against Sony Pictures, due to the release of a comedy film about the assassination of North Korean leader Kim Jong-un.
A notable attack by the BlueNorOff organization was the 2016 Bangladesh Bank heist, where they attempted to illegally transfer nearly $1 billion from the New York Federal Reserve Bank account belonging to the Bangladesh Central Bank using the SWIFT network. After completing several transactions (tracing $20 million to Sri Lanka and $81 million to the Philippines), the remaining transactions were stopped by the New York Federal Reserve Bank due to suspicion caused by a spelling error.
Since 2017, the organization has begun targeting the cryptocurrency industry, profiting at least $1 billion.
II. Technical Analysis
2.1 Analysis of Common Attack Techniques
In the early stages, Lazarus primarily used botnets for DDoS attacks; currently, their main attack methods have shifted to spear phishing, watering hole attacks, supply chain attacks, and targeted social engineering attacks.
Tactical characteristics:
- Use of spear phishing and watering hole attacks
- The attack process involves system disruption or ransomware to interfere with event analysis
- Utilization of SMB protocol vulnerabilities or related worm tools for lateral movement and payload delivery
- Attacks on bank SWIFT systems to steal funds
Technical characteristics:
- Use of multiple encryption algorithms, including RC4, AES, Spritz, standard algorithms, as well as XOR and custom character transformation algorithms
- Mainly use of falsely constructed TLS protocols to bypass IDS by writing white domain names in the SNI record. Also, use of IRC and HTTP protocols
- System disruption by damaging MBR, partition tables, or writing garbage data to sectors
- Use of self-deleting scripts
Attack methods:
Spear Phishing: A computer virus term, it is one of the hacker attack methods. It involves attaching a Trojan program as an email attachment with a highly enticing name, sending it to the target computer, and enticing the victim to open the attachment, thereby infecting the system. Lazarus typically uses malicious documents attached to emails as bait, with common file formats being DOCX, and later adding BMP formats. The invasion methods mainly utilize malicious macros, common vulnerabilities in Office, 0-day vulnerabilities, and RAT implantation.
Watering Hole Attack: As the name suggests, it sets a "watering hole (trap)" on the path that the victim must pass through. The most common method is for hackers to analyze the target's internet activity patterns, find weaknesses in websites frequently visited by the target, compromise the website, and implant attack code. Once the target visits the compromised website, they are compromised. Lazarus typically uses watering hole attacks against small-scale banking and financial institutions in poor or underdeveloped areas, allowing them to steal funds on a large scale in a short period. In 2017, Lazarus launched a watering hole attack on the Polish financial regulatory authority, implanting malicious JavaScript vulnerabilities on the official website, leading to the implantation of malicious programs in multiple organizations in 31 countries, with most targets located in Poland, Chile, the United States, Mexico, and Brazil.
Social Engineering Attacks: It is a network attack behavior that uses "social engineering" to implement. In computer science, social engineering refers to influencing others' psychology through legitimate communication to make them take certain actions or disclose confidential information. This is often considered a fraudulent way to collect information, commit fraud, and invade computer systems. Lazarus excels at applying social engineering techniques throughout the attack cycle, whether it is delivering bait or identity deception, making it difficult for victims to discern, thus falling into its trap. In 2020, Lazarus disguised as a recruitment of cryptocurrency personnel on LinkedIn and sent malicious documents, aiming to steal credentials to steal the target's cryptocurrency. In 2021, Lazarus lurked on Twitter as a network security personnel, opportunistically sending engineering files embedded with malicious code to attack peers.
Arsenal:
Lazarus uses a large number of custom tools in its network arsenal, and the code used has many similarities. It is certain that these software tools come from the same developers, indicating that Lazarus has a development team of a certain scale. Lazarus's attack capabilities and toolkits include DDoS botnets, keyloggers, RATs, wiper malware, and malicious code such as Destover, Duuzer, and Hangman.
2.2 Analysis of Typical Attack Events
Below is an analysis of a typical spear phishing attack by Lazarus targeting the cryptocurrency industry. Lazarus induces target employees to download malicious compressed files through email attachments or links.
Execution of the script execution program copied to the %public% directory, executing RgdASRgrsF.js
RgdASRgrsF.js is a typical two-stage script used by Lazarus, with a very simple function: generating a random UID, communicating with the server, and then looping to receive commands from the server and execute them. The commands executed are usually for collecting system information:
With this, the attack is complete, and the hacker can obtain the necessary files or sensitive information on the user's computer. Through analysis of Lazarus, it is evident that its current attack targets include government, military, finance, nuclear industry, chemical industry, medical, aerospace, entertainment media, and cryptocurrency, with a significant increase in the proportion of attacks on the cryptocurrency industry since 2017.
III. Money Laundering Pattern Analysis
Currently, the security events and losses from Lazarus's attacks in the cryptocurrency field are as follows:
Over $3 billion in funds have been stolen in network attacks by Lazarus. It is reported that the Lazarus hacker organization is supported by strategic interests of North Korea, providing funds for North Korea's nuclear and ballistic missile programs. In response, the United States has announced a $5 million reward for sanctions against the Lazarus hacker organization. The U.S. Department of the Treasury has also added related addresses to the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list, prohibiting individuals, entities, and related addresses in the United States from conducting transactions to ensure that state-sponsored groups cannot cash in on these funds, thus imposing sanctions. Ethereum developer Virgil Griffith was sentenced to five years and three months in prison for helping North Korea use virtual currency to evade sanctions. This year, OFAC also sanctioned three individuals associated with the Lazarus Group, including two sanctioned individuals, Cheng Hung Man and Wu Huihui, who facilitated over-the-counter (OTC) cryptocurrency trading for Lazarus, and the third individual, Sim Hyon Sop, provided other financial support.
Nevertheless, Lazarus has completed the transfer and laundering of over $1 billion in assets. Their money laundering pattern analysis is as follows. Taking the Atomic Wallet incident as an example, after removing the technical interference factors set by the hackers (a large number of fake token transfer transactions + multiple address splitting), the hackers' fund transfer pattern can be obtained:
Figure: Victim 1 fund transfer view in the Atomic Wallet incident
Victim 1 address 0xb02d…c6072 transferred 304.36 ETH to hacker address 0x3916…6340, which was split 8 times through intermediate address 0x0159…7b70 before being aggregated to address 0x69ca…5324. The aggregated funds were then transferred to address 0x514c…58f67, and the funds are currently still in that address, with an ETH balance of 692.74 ETH (worth $1.27 million).
Figure: Victim 2 fund transfer view in the Atomic Wallet incident
Victim 2 address 0x0b45…d662 transferred 1.266 million USDT to hacker address 0xf0f7…79b3, which the hacker split into three transactions. Two transactions were transferred to Uniswap, totaling 1.266 million USDT, and the other was transferred to address 0x49ce…80fb, with a transfer amount of 672.71 ETH. Victim 2 transferred 22,000 USDT to hacker address 0x0d5a…08c2, and the hacker used multiple intermediate addresses such as 0xec13…02d6 to aggregate the funds directly or indirectly to address 0x3c2e…94a8.
This money laundering pattern is highly consistent with the money laundering patterns in previous Ronin Network and Harmony attack incidents, all of which include three steps:
Consolidation and exchange of stolen funds: After launching the attack, the original stolen tokens are consolidated and swapped into ETH through dex and other means. This is a common way to avoid frozen funds.
Aggregation of stolen funds: The consolidated ETH is aggregated into several one-time wallet addresses. In the Ronin incident, the hackers used a total of 9 such addresses, Harmony used 14, and the Atomic Wallet incident used nearly 30 addresses.
Transfer of stolen funds: The aggregated addresses are used to wash the money out through Tornado.Cash. This completes the entire fund transfer process.
In addition to having the same money laundering steps, there is also a high degree of consistency in the details of the money laundering:
The attackers are very patient, using a week-long period for money laundering operations, starting the subsequent money laundering actions a few days after the incident.
Automated trading is used in the money laundering process, with a large number of transactions and short time intervals for most of the fund aggregation actions, following a uniform pattern.
Based on the analysis, we believe that Lazarus's money laundering pattern is typically as follows:
(1) Multiple account splitting and small, multiple asset transfers to increase tracking difficulty.
(2) Initiating a large number of fake token transactions to increase tracking difficulty. In the Atomic Wallet incident, 23 out of 27 intermediate addresses were found to be fake token transfer addresses. A similar technique was also discovered in the recent analysis of the Stake.com incident, but the previous Ronin Network and Harmony incidents did not have this interference technique, indicating an upgrade in Lazarus's money laundering technology.
(3) More use of on-chain methods (such as Tornado Cash) for coin mixing. In earlier incidents, Lazarus often used centralized exchanges to obtain startup funds or conduct subsequent OTC transactions, but recently, there has been a decreasing use of centralized exchanges, and it can even be considered as an avoidance of using centralized exchanges, which is likely related to recent sanction events.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
