SlowMist, a well-known blockchain security firm, has recently exposed a campaign by Lazarus Group, the notorious North Korea-linked hacking team, against crypto exchanges. According to SlowMist, Lazarus Group has been using advanced persistent threat (APT) techniques since June last year to break into digital-asset companies, compromise wallets and move stolen crypto assets. In a dedicated report, SlowMist explains the methods Lazarus used to target these platforms.
SlowMist Highlights Social Engineering Tactics of Lazarus Group to Attack Crypto Entities
SlowMist’s report states that Lazarus Group used social engineering to trick employees into running seemingly legitimate Python projects such as “MonteCarloStockkInvestSimulator-main.zip” and “StockInvestSimulator-main.zip.” These archives reportedly contained backdoors that abused the “pyyaml” module to execute remotely supplied code (PyYAML’s unsafe loaders will instantiate arbitrary Python objects named in a YAML document, so whoever controls the YAML text controls what runs). The backdoors let the attackers slip past antivirus detection and take control of the employees’ machines.
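As an added example, not code from SlowMist’s report or from the Lazarus tooling, the following shows why an unsafe PyYAML load hands code execution to whoever controls the YAML text, and a static check a reviewer can run over a downloaded project before executing it. The YAML document, the suspect source and the file names are constructed for the example; only the PyYAML loader names and tag syntax are real.

```python
"""Added example (not from SlowMist's report or from the Lazarus tooling):
why an unsafe PyYAML load gives whoever controls the YAML text code
execution, and a static check to run over a downloaded project before
executing it. The YAML document, the suspect source and the file names
below are constructed for the example."""
import ast
import re

# Constructed stand-in for a config or "update" an attacker could serve.
# PyYAML's yaml.Loader / yaml.UnsafeLoader honour python/object/apply and
# call the named callable with the listed arguments while parsing.
MALICIOUS_YAML = """
simulation:
  seed: 42
update: !!python/object/apply:os.system ["echo pwned"]
"""

DANGEROUS_TAG = re.compile(r"!!python/(object|name|module)")
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def find_dangerous_tags(text):
    """(line_no, line) for every line carrying a PyYAML python/* tag."""
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
            if DANGEROUS_TAG.search(ln)]


def _dotted(node):
    """Dotted name of an ast Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None


def find_unsafe_yaml_calls(source):
    """(line_no, description) for yaml.load / load_all calls that do not
    pass a safe Loader, and for the unsafe_load / full_load variants
    (full_load still constructs Python objects; treat it as unsafe)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func) or ""
        if callee in ("yaml.unsafe_load", "yaml.unsafe_load_all",
                      "yaml.full_load", "yaml.full_load_all"):
            findings.append((node.lineno, callee))
        elif callee in ("yaml.load", "yaml.load_all"):
            loader = None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = (_dotted(kw.value) or "?").split(".")[-1]
            if loader is None and len(node.args) >= 2:
                loader = (_dotted(node.args[1]) or "?").split(".")[-1]
            if loader not in SAFE_LOADERS:  # None (no Loader) is flagged too
                findings.append((node.lineno, f"{callee}(Loader={loader})"))
    return findings


def safe_load_rejects(text):
    """True if an installed PyYAML refuses the document under safe_load,
    False if it loads, None if PyYAML is not installed."""
    try:
        import yaml
    except ImportError:
        return None
    try:
        yaml.safe_load(text)
        return False
    except yaml.YAMLError:  # ConstructorError for python/* tags
        return True


# Constructed source for a "stock simulator" module of the kind described.
SUSPECT_SOURCE = '''
import yaml, urllib.request
def load_config(path):
    return yaml.safe_load(open(path))           # fine: SafeLoader only
def fetch_update(url):
    data = urllib.request.urlopen(url).read()   # attacker-controlled bytes
    return yaml.load(data, Loader=yaml.Loader)  # unsafe: arbitrary objects
'''


def audit_project(files):
    """Audit {filename: content}; returns [(filename, line_no, finding)]."""
    out = []
    for name, content in files.items():
        if name.endswith(".py"):
            out += [(name, n, f) for n, f in find_unsafe_yaml_calls(content)]
        elif name.endswith((".yml", ".yaml")):
            out += [(name, n, f) for n, f in find_dangerous_tags(content)]
    return out


if __name__ == "__main__":
    for hit in audit_project({"data_fetcher.py": SUSPECT_SOURCE,
                              "update.yaml": MALICIOUS_YAML}):
        print(*hit)
```

The AST pass is deliberately narrow: it only recognises the `yaml.` prefix, so `from yaml import load` or an aliased import would slip past it, and a project that builds the YAML at runtime (as a backdoor fetching its payload over the network would) shows up only through the unsafe call site, never through a tag in a file on disk. That call site is the thing to look for.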
After gaining a foothold, the attackers escalated their privileges by exploiting Docker configurations, which gave them a path into the internal network. They then scanned enterprise services, harvested SSH credentials, and used those credentials to move laterally across systems until they controlled the crypto wallets and drained the funds.
Lazarus Group Has Been Leveraging Advanced Methods to Dodge Detection
Throughout the intrusion the attackers combined refined intrusion methods with techniques designed to avoid detection. One was the reuse of legitimate project code: they modified genuine open-source investment simulation programs and implanted malicious scripts in them to exfiltrate data.
They also rode trusted network pathways to extend their access within the enterprise. To stay hidden they deleted logs, altered their digital footprints, and operated through legitimate enterprise tools such as proxies. On the social side, they posed as investment specialists and project developers and offered employees incentives to run the malware-laden files.
Cybersecurity Firm Recommends Measures to Counter Attackers Like Lazarus Group
After its investigation, SlowMist shared the chief indicators of compromise (IOCs), including IP addresses, attacker domains, and the GitHub accounts used to distribute the malware, and urged security teams worldwide to check their networks for them. To counter threats of this sophistication, the firm recommends several measures: zero-trust security, improved network traffic and DNS monitoring, isolation and segmentation of critical systems, centralized log management for anomaly detection, and regular security awareness training.
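As an added example, not part of SlowMist’s report, this is the kind of check a security team can run against DNS and proxy logs once an IOC list of the three types mentioned (IPs, domains, GitHub accounts) is in hand. Every IOC value and log line is a constructed placeholder (RFC 5737 documentation addresses, `.example` domains, an invented GitHub handle), not one of SlowMist’s published indicators; the log format is likewise assumed.

```python
"""Added example, not from SlowMist's report: matching an IOC list of IPs,
domains and GitHub accounts against DNS and proxy log lines. All IOC
values and log lines are constructed placeholders."""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholders standing in for a vendor-published IOC list.
IOCS = {
    "ip": {"203.0.113.10", "198.51.100.77"},
    "domain": {"stock-sim-update.example", "cdn-invest-tools.example"},
    "github": {"quant-sim-dev"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
GITHUB_RE = re.compile(r"github\.com/([A-Za-z0-9-]+)")


def domain_hit(host, domains):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    Suffix matching catches api.<bad-domain> style hosts; case and a
    trailing dot are normalised."""
    host = host.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)


def scan_line(line):
    """All (kind, indicator) hits found in one log line."""
    hits = []
    for ip in sorted(set(IP_RE.findall(line))):
        try:
            ipaddress.ip_address(ip)  # drop things like 999.1.1.1
        except ValueError:
            continue
        if ip in IOCS["ip"]:
            hits.append(("ip", ip))
    for host in sorted(set(HOST_RE.findall(line))):
        d = domain_hit(host, IOCS["domain"])
        if d:
            hits.append(("domain", d))
    for user in sorted(set(GITHUB_RE.findall(line))):
        if user in IOCS["github"]:
            hits.append(("github", user))
    return hits


def scan_logs(lines):
    """Return {"kind:indicator": [line numbers]} for every IOC hit."""
    report = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            report[f"{kind}:{value}"].append(n)
    return dict(report)


# Constructed DNS and proxy log lines; the format is assumed.
SAMPLE_LOGS = [
    "2025-03-10T09:12:01Z dns client=10.0.4.21 query=api.stock-sim-update.example type=A",
    "2025-03-10T09:12:02Z proxy 10.0.4.21 -> 203.0.113.10:443 CONNECT host=api.stock-sim-update.example",
    "2025-03-10T09:15:44Z proxy 10.0.4.21 -> 192.0.2.44:443 GET https://github.com/quant-sim-dev/StockInvestSimulator/archive/main.zip",
    "2025-03-10T09:20:00Z dns client=10.0.4.33 query=updates.example.org type=A",
]

if __name__ == "__main__":
    for indicator, lines in scan_logs(SAMPLE_LOGS).items():
        print(f"{indicator}: lines {lines}")
```

Two details matter in practice: domain IOCs are matched as suffixes so that a host such as `api.<domain>` is caught, and the GitHub match is on the account segment of the URL rather than the repository name, since the same account can publish the malware under new repository names.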