North Korean Hackers Most Likely to Have Been Behind the CryptoCore Heists
Security Researchers Have Attributed Multiple Attacks on Cryptocurrency Exchanges to CryptoCore.
CryptoCore is a hacking group that has pulled off cryptocurrency heists that may be worth more than $200 million in total.
Security researchers have been piecing together evidence from multiple attacks on cryptocurrency exchanges. The attacks began in 2018 and relied on spear-phishing as their principal method of gaining an initial foothold.
Last year alone, CryptoCore was responsible for at least five attacks, causing an estimated loss of more than $200 million.
ClearSky researchers initially suspected that the threat actor was connected to hackers in Eastern European countries such as Ukraine, Russia and Romania. Following ClearSky's report, several other cybersecurity organizations published investigations into similar attacks whose technical details aligned with CryptoCore's tactics, techniques and procedures (TTPs):
- F-Secure researchers reviewed a large-scale international campaign uncovered while investigating attacks on crypto wallets. The attackers opened a conversation with their targets to persuade them to download malicious files, and F-Secure highlighted similarities between this tooling and malware attributed to Lazarus.
- JPCERT/CC, Japan's national CERT, shared an analysis of several incidents in which employees of Japanese firms were contacted and persuaded to download malicious files.
- NTT Security researchers described a campaign dubbed CryptoMimic, which stole large sums from crypto wallets by contacting users and persuading them to download malicious files.
ClearSky has released a new report comparing the details from the research listed above. It found so many overlaps that it could confidently attribute all of the attacks to a single threat actor.
ClearSky accepted F-Secure's attribution of the attacks to the Lazarus group after checking whether its own YARA rules for the CryptoCore malware also matched the remote access trojans (RATs) described in Lazarus reports from ESET and Kaspersky. The rules matched an old RAT that Kaspersky reported in 2016 (hash bbd703f0d6b1cad4ff8f3d2ee3cc073c).
It is worth noting that the older variant accessed a file named "scaeve.dat", while the newer one looks for "perflog.dat".
In total, 40 common indicators of compromise (IoCs) were identified. The VBS script used in the campaigns is almost identical across the reports once deobfuscated, and the RATs and stealers match as well.
Taking all of these similarities into account, the researchers attribute all of the CryptoCore campaigns to the North Korean hacking group Lazarus with medium-to-high confidence.
The researchers also pointed out that the group has expanded its activity to Israeli targets. This suggests that victim selection is largely indiscriminate: the hackers' only criterion appears to be that a target fits a financial profile.