Lazarus E-Commerce Attackers Also Targeted Cryptocurrency


Magecart-style attacks included bitcoin-grabbing functionality, Group-IB reports

Mathew J. Schwartz (euroinfosec) • April 15, 2021

Fake payment form, which opens in an iFrame element, discovered in Magecart-style attacks attributed to Lazarus (Source: Group-IB)

According to cybersecurity firm Group-IB, hackers with apparent ties to North Korea who hit e-commerce stores in 2019 and 2020 to steal payment card data have also tested functionality for stealing cryptocurrency.


Group-IB’s new report builds on findings released in July 2020 by Dutch security firm Sansec, which reported that malicious infrastructure, and in many cases also malware, was being used for Magecart-style attack campaigns and had previously been attributed to the Lazarus group.

Lazarus – aka Hidden Cobra, Dark Seoul, Guardians of Peace, APT38, Bluenoroff, and a host of other names – refers to a group of hackers apparently linked to the Pyongyang-based government of North Korea, officially known as the Democratic People’s Republic of Korea and led by Kim Jong-Un (see: North Korean hacking infrastructure linked to Magecart hits).

Magecart-type attacks refer to criminals stealing payment card data using so-called digital card skimming or scraping tools – aka JavaScript sniffers – which they inject into victim organizations’ e-commerce sites. Victims of such attacks include British Airways, jewelry and accessories retailer Claire’s and Ticketmaster UK, among thousands of others.

The diagram shows a subset of Hidden Cobra-controlled victim stores (in green) and exfiltration nodes (in red), as well as (in yellow) uniquely identifying modus operandi – that is, telltale tactics, techniques and procedures. (Source: Sansec, July 2020)

Sansec is one of the many companies that search the web for signs of Magecart attacks. Last year, it noted that while early Magecart attacks came largely from Russian and Indonesian gangs, North Korea’s cash-strapped government appeared to have joined the fray, bringing a greater degree of sophistication, no doubt in pursuit of large sums.

Discovery: Lazarus BTC Changer

Group-IB says that after examining the attack campaign uncovered by Sansec, it also found signs that the attackers had experimented with stealing not only payment card data, but cryptocurrency as well.

Group-IB reports that it found the same infrastructure in use, as well as a modified version of the same JavaScript sniffer – aka JS-sniffer – that Sansec describes in its report. Group-IB has christened the cryptocurrency-targeting campaign Lazarus BTC Changer.

“Combined with the gang’s track record of pursuing crypto, the campaign allows the attacks to be attributed to Lazarus with a high level of confidence,” said Viktor Okorokov, senior threat intelligence analyst at Group-IB, in the research report.

But the cryptocurrency targeting campaign only appeared to hit a few targets. “During the analysis of Lazarus BTC Changer, we identified three compromised websites, two of which were listed in the Sansec article as victims,” which are Realchems and Wongs Jewelers, he says.

Lazarus BTC Changer sample with hard-coded bitcoin and ethereum wallet addresses (Source: Group-IB)

“In the case of Wongs Jewelers, we identified a sample of Lazarus BTC Changer on their website, but we couldn’t find any evidence that the store accepts cryptocurrency, so attackers likely added Lazarus BTC Changer to the website by mistake,” he says. “The third victim is an Italian luxury clothing store, but the malicious code was removed from the website” before researchers could analyze it.

Stolen funds routed through CoinPayments?

The attackers appear to have stolen relatively little cryptocurrency from the sites’ customers: just $9,000 in ethereum and $8,400 in bitcoin, Group-IB reports.

Group-IB says that these stolen funds appear to have been channeled to bitcoin cryptocurrency wallets believed to be owned by CoinPayments, “a payment gateway that allows users to perform transactions involving bitcoin, ethereum, litecoin, and other crypto-coins.” Lazarus may have used the site to launder stolen funds by moving them to other cryptocurrency exchanges or wallets.

The cybersecurity company notes that CoinPayments’ “know your customer” policy could help identify who initiated the transactions. The service’s user agreement states that individuals certify that they do not operate in, or on behalf of anyone in, a prohibited jurisdiction, which includes North Korea.

A spokesperson for CoinPayments told Information Security Media Group: “I don’t know if there are any linked wallets or not, but we wouldn’t be able to comment on a user’s personal information outside of legal channels due to privacy laws.”

Was it a test?

Given the scale of this cryptocurrency-targeting operation, Group-IB says that what it has discovered appears to have been a small-scale test, adding that the Lazarus Group often performs smaller trials before launching larger campaigns.


“The amount of money stolen was relatively small due to the fact that the Lazarus BTC Changer campaign only targeted three small e-commerce stores that remained infected for a limited period – less than three months,” Okorokov told ISMG. “However, the campaign marks the first time Lazarus has used malicious JS sniffers to steal cryptocurrency. This is certainly something that deserves attention as the technique has all the potential to grow in scale and sophistication,” given the gang’s continued cryptocurrency hunt.

How many e-commerce sites accept cryptocurrency?

When attackers target payment cards, they can often monetize the effort by selling stolen card data on cybercrime forums and markets. Why would hackers bother targeting the small number of sites that accept cryptocurrency, or individuals willing to pay using virtual currencies?

“Cryptocurrency payments are not as prevalent as traditional credit cards in the e-commerce industry. Nonetheless, many major websites accept cryptocurrency and such attacks can gain momentum, and other gangs can adopt Lazarus’ new technique,” Okorokov explains.

Additionally, he says, if an attacker takes control of an e-commerce website’s payment portal, they could easily add the ability to pay via cryptocurrency, with the caveat that payments would flow immediately into a wallet controlled by the attacker.

“Opponents can attack users of the targeted business to steal the cryptocurrency from them directly – not the business – by creating fake payment forms or overriding payment details” to route payments to their own wallets, says Okorokov.
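A defender-side check for the hard-coded wallet addresses and overridden payment details described above, as an added example that is not from the article or from Group-IB: it scans the JavaScript a store serves for bitcoin and ethereum addresses that are not on the merchant's own allowlist. The function name, file paths and addresses are hypothetical and constructed for illustration.

```javascript
// Added example: names, paths and addresses below are constructed for illustration.
// Patterns cover Base58 (1.../3...) and Bech32 (bc1...) bitcoin addresses and
// 0x-prefixed ethereum addresses; they match on shape only, not on checksum.
const PATTERNS = {
  bitcoin: /\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b/g,
  ethereum: /\b0x[0-9a-fA-F]{40}\b/g,
};

// Ethereum hex is case-insensitive; bitcoin Base58 is case-sensitive.
const normalize = (kind, addr) => (kind === 'ethereum' ? addr.toLowerCase() : addr);

// scripts: [{ url, body }] as served to shoppers.
// allowlist: { bitcoin: Set, ethereum: Set } of the merchant's own addresses.
function findUnexpectedWallets(scripts, allowlist) {
  const findings = [];
  for (const { url, body } of scripts) {
    for (const [kind, pattern] of Object.entries(PATTERNS)) {
      const seen = new Set();
      for (const [address] of body.matchAll(pattern)) {
        const key = normalize(kind, address);
        if (seen.has(key) || allowlist[kind].has(key)) continue;
        seen.add(key);
        findings.push({ url, kind, address });
      }
    }
  }
  return findings;
}

// Constructed sample data (not real wallets, not from the Group-IB report).
const MERCHANT_BTC = '1ExampLeMerchantWa11etAddress';
const MERCHANT_ETH = '0x' + '12'.repeat(20);
const UNKNOWN_BTC = '1ConstructedSkimmerWa11etXyz';
const UNKNOWN_ETH = '0x' + 'AB'.repeat(20);
const ALLOWLIST = {
  bitcoin: new Set([MERCHANT_BTC]),
  ethereum: new Set([normalize('ethereum', MERCHANT_ETH)]),
};
const SAMPLE_SCRIPTS = [
  { url: '/js/checkout.js', body: `pay({btc:"${MERCHANT_BTC}",eth:"${MERCHANT_ETH}"});` },
  { url: '/js/vendor.min.js', body: `var b="${UNKNOWN_BTC}",e="${UNKNOWN_ETH}";f.addr.value=b;` },
];

for (const f of findUnexpectedWallets(SAMPLE_SCRIPTS, ALLOWLIST)) {
  console.log(`unexpected ${f.kind} address in ${f.url}: ${f.address}`);
}
```

A store that accepts no cryptocurrency at all can pass empty allowlists, in which case any wallet-shaped string in its served scripts is worth a manual look.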

Another prime target would be cybercrime marketplaces and forums – many of which are now hosted on the darknet or dark web, meaning they can only be reached using the anonymizing Tor browser – which often only facilitate payments between buyers and sellers using bitcoin or monero (see: Led by Hydra, Darknet Markets achieved record revenues).

“Users of illicit underground markets appear to be likely targets, where cryptocurrency is the only currency,” Okorokov said. “However, attacks against users of legitimate cryptocurrency exchanges are also possible.”
