Security researchers compiling evidence from multiple attacks on cryptocurrency exchanges attributed to a threat actor called CryptoCore have established a strong connection with the state-sponsored North Korean group Lazarus.

The group is believed to have stolen hundreds of millions of dollars in the past three years by breaching cryptocurrency exchanges in the US, Israel, Europe and Japan.

Long-term mission to make money

Last year, cybersecurity firm ClearSky published a report on the financially motivated CryptoCore campaign that targeted cryptocurrency wallets from exchanges or their employees.

The campaign started in 2018 and relied on spear phishing to gain an initial foothold. At the time of that report, CryptoCore was responsible for at least five attacks that caused estimated losses of more than $200 million.

ClearSky believed the threat actor was linked to hackers in Eastern European countries like Ukraine, Russia and Romania.

According to ClearSky’s report, other cybersecurity organizations released results of their investigations into similar attacks, with technical details that were consistent with CryptoCore’s tactics, techniques, and procedures:

  • A report by F-Secure reviewing a large-scale international campaign found while investigating attacks on crypto wallets. According to the research report, the attackers started a conversation with their targets and convinced them to download a malicious file. The paper presented an analysis of the malware used in the attack and outlined similarities between it and malware attributed to Lazarus.
  • A report by the Japanese CERT, JPCERT/CC, analyzing several incidents in which employees of Japanese companies were contacted and persuaded to download malicious files. The report did not provide details on the parties involved, but it did include some technical information about the malware used in the attack.
  • A report by Japanese cybersecurity company NTT Security pointing to a campaign they called CRYPTOMIMIC. According to the report, large sums of money were stolen from crypto wallets by contacting users and convincing them to download malicious files. The report included information about how the attack was carried out and a technical analysis of the malware used.

Matching tools and IoCs

In a new report today, ClearSky compared the details of these investigations with its own results and found sufficient similarities to safely attribute the attacks to the same actor.

It is important to note that ClearSky accepted F-Secure’s attribution of the attacks to the Lazarus group after checking whether the company’s YARA rules for identifying and classifying the RATs (remote access trojans) apply to malware described in reports on Lazarus by ESET and Kaspersky.

The YARA rule corresponds to the Lazarus RAT in the ESET report

ClearSky notes that the YARA rule matches an old RAT that Kaspersky reported in 2016 (bbd703f0d6b1cad4ff8f3d2ee3cc073c). However, this was only possible after changing the name of a resource that was different for the 2016 version of the backdoor.

The YARA rule corresponds to the Lazarus RAT used in 2016

In the old version, the malware accessed a file called “scaeve.dat”, while the newer version searched for “perflog.dat”. Changing the file name resulted in the YARA rule finding a match.
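The file-name mismatch described above can be spotted systematically by reporting which strings of a signature hit and which missed, so a sample that fails on a single string is reviewed as a possible variant. The Python sketch below is an added illustration, not ClearSky's or F-Secure's rule or tooling. It assumes a simplified "all strings must be present" condition; only the two .dat names come from the article, and the marker strings and sample buffers are constructed placeholders.

```python
# Added illustration: constructed data, simplified "all strings present" condition.
# Only the two .dat file names come from the article; markers are placeholders.
RULE_STRINGS = {
    "cfg_file": b"perflog.dat",
    "marker_a": b"PLACEHOLDER_MARKER_A",
    "marker_b": b"PLACEHOLDER_MARKER_B",
}
# Alternatives accepted for a string id once an analyst has confirmed a variant.
VARIANTS = {"cfg_file": [b"perflog.dat", b"scaeve.dat"]}


def evaluate(sample, rule, variants=None):
    """Return the verdict plus the ids of rule strings that hit and missed."""
    variants = variants or {}
    hits, misses = [], []
    for sid, literal in rule.items():
        candidates = variants.get(sid, [literal])
        found = any(c in sample for c in candidates)
        (hits if found else misses).append(sid)
    return {"match": not misses, "hits": hits, "misses": misses}


def near_miss(result, max_missing=1):
    """True when a sample fails by only a few strings: worth manual review
    for a renamed resource rather than being dropped as unrelated."""
    return (not result["match"] and bool(result["hits"])
            and len(result["misses"]) <= max_missing)


def build_sample(cfg_name):
    """Constructed stand-in for a binary; not real malware content."""
    return (b"MZ\x00PLACEHOLDER_MARKER_A" + b"\x00" * 8 + cfg_name
            + b"\x00PLACEHOLDER_MARKER_B")


NEW_SAMPLE = build_sample(b"perflog.dat")
OLD_SAMPLE = build_sample(b"scaeve.dat")
UNRELATED = b"MZ\x00nothing of interest here"

if __name__ == "__main__":
    for name, data in [("new", NEW_SAMPLE), ("old", OLD_SAMPLE), ("unrelated", UNRELATED)]:
        strict = evaluate(data, RULE_STRINGS)
        relaxed = evaluate(data, RULE_STRINGS, VARIANTS)
        print(name, strict, "near_miss =", near_miss(strict),
              "| with variants:", relaxed["match"])
```

In a real YARA rule the same tolerance is expressed by declaring both file names as strings and requiring any one of them alongside the other conditions.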

Across the reports from F-Secure, NTT Security, and JPCERT/CC, ClearSky found a total of 40 common indicators of compromise (IoCs), a VBS script that was nearly identical, if not obfuscated, and matching RATs and stealers.

Lazarus VBS script used in several campaigns

Given the similarities across these researchers’ findings, ClearSky was able to attribute all CryptoCore campaigns, with medium to high confidence, to the North Korean hacking group Lazarus.

The researchers also point out that the hackers expanded their activities when they recently focused on Israeli targets. The hackers’ selection of victims may be indiscriminate, with the only criterion for choosing a target being that it fits a financial profile.