Group-IB observed the North Korea-linked Lazarus APT group stealing cryptocurrency using a never-before-seen tool.
The Group-IB Threat Intelligence team looked deeper into these campaigns and identified another campaign involving the same infrastructure. The threat actor went back to its old habit of stealing crypto, this time with a never-before-seen tool: Lazarus attacked online stores that accept cryptocurrency payments using crypto skimmers, JS-sniffers modified to steal cryptocurrency. Some of the victims identified by Sansec in fact didn't fall prey to the clientToken= campaign but to a different, previously undocumented Lazarus campaign, codenamed BTC Changer by Group-IB researchers. Group-IB's TI&A team identified the BTC addresses used by Lazarus, analyzed the associated transactions and found additional evidence of Lazarus involvement in the campaigns.
Group-IB researchers analyzed the newly discovered attacks, described the links with the clientToken= campaign, analyzed the transactions associated with the wallets controlled by the gang, and estimated Lazarus' profits from the use of crypto-stealing JS-sniffers at 0.89993859 BTC ($8,446.55 at the moment of the transaction and $52,611 as of April 9, 2021) and 4.384719 ETH ($9,047 as of April 9, 2021).
Fig. 1: Snippet of source code for Lazarus BTC Changer
Analysis of Lazarus BTC Changer campaign
While analyzing Lazarus BTC Changer, we identified three compromised websites, two of which were listed in Sansec's article as victims of the clientToken= campaign: "Realchems" (https://realchems.com/) and "Wongs Jewellers" (https://www.wongsjewellers.co.uk/). In the case of Wongs Jewellers, we identified a sample of Lazarus BTC Changer on the website, but we found no evidence that the shop accepts cryptocurrency, so the attackers probably added Lazarus BTC Changer to it by mistake. The third victim is an Italian luxury clothing shop, but the malicious code had already been removed from the website at the time of analysis.
Fig. 2: Lazarus BTC Changer sample with BTC and ETH addresses
In late March 2020, the attackers added a fake web payment form to their arsenal. The form opens in an iframe element.
Fig. 3: Lazarus BTC Changer with a fake payment form
The fake form (Figure 4) asks that the payment be made directly to the BTC address controlled by the hackers (1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he). Although the form names one particular target (Realchems), the attackers used the same fake form in the samples injected into the source code of the other two target websites.
Fig. 4: Fake payment form, which opens in an iframe element
Fig. 5: Source code of fake payment form with Korean text
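As an added illustration (it is not Group-IB's code, nor the skimmer itself), the script below shows how a defender can scan a shop's served JavaScript for the two traits described above: hard-coded cryptocurrency addresses and dynamic iframe injection. Legacy BTC addresses are verified with Base58Check so that random base58-looking tokens in minified code are discarded; bech32 and ETH addresses are matched structurally only. The JavaScript sample embedded in it is constructed to mimic the described behaviour: the BTC address is the one named above, the ETH address is a constructed placeholder.

```python
import hashlib
import re

# Added example, not Group-IB's or the skimmer's code: find the two traits of the
# described crypto skimmer in served JavaScript, i.e. hard-coded cryptocurrency
# addresses and dynamic iframe injection.

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Structural patterns; legacy BTC matches are additionally Base58Check-validated,
# bech32 and ETH matches are structural only (no checksum is verified here).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

IFRAME_PATTERNS = [
    re.compile(r"""createElement\(\s*['"]iframe['"]\s*\)""", re.I),
    re.compile(r"<iframe\b", re.I),
]


def base58check_valid(address: str) -> bool:
    """True if `address` decodes to 25 bytes whose last 4 are the double-SHA256
    checksum of the first 21 (legacy P2PKH/P2SH address format)."""
    n = 0
    for ch in address:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(address) - len(address.lstrip("1"))  # each '1' is a 0x00 byte
    raw = b"\x00" * leading_ones + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def scan(text: str) -> dict:
    """Return candidate addresses (checksum-filtered where possible), whether the
    code injects an iframe, and a combined 'suspicious' verdict."""
    findings = {"addresses": [], "iframe_injection": False, "suspicious": False}
    seen = set()
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            addr = match.group(0)
            if addr in seen:
                continue
            seen.add(addr)
            checksum_ok = base58check_valid(addr) if kind == "btc_legacy" else None
            if checksum_ok is False:
                continue  # base58-looking token (e.g. a minified identifier), not an address
            findings["addresses"].append(
                {"kind": kind, "address": addr, "checksum_ok": checksum_ok})
    findings["iframe_injection"] = any(p.search(text) for p in IFRAME_PATTERNS)
    findings["suspicious"] = findings["iframe_injection"] and bool(findings["addresses"])
    return findings


# Constructed sample mimicking the behaviour described in the post; it is not the
# real Lazarus BTC Changer code. The BTC address is the one named in the post,
# the ETH address is a constructed placeholder.
CONSTRUCTED_ETH = "0x" + "ab" * 20
SAMPLE_SKIMMER = f"""
var btcAddr = "1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he";
var ethAddr = "{CONSTRUCTED_ETH}";
var f = document.createElement('iframe');
f.src = 'data:text/html,' + encodeURIComponent('<form>Pay to ' + btcAddr + '</form>');
document.body.appendChild(f);
"""

if __name__ == "__main__":
    for key, value in scan(SAMPLE_SKIMMER).items():
        print(key, value)
```

The scanner only sees addresses that appear in plaintext: a skimmer that base64-encodes or obfuscates its payment form (for example inside a data: URL) has to be decoded or deobfuscated first, and the bech32 and ETH matches should be treated as leads rather than confirmed addresses since no checksum is verified for them.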
Analysis of BTC transactions
The four cryptocurrency addresses extracted from the Lazarus BTC Changer samples used by the attackers to receive stolen funds are:
Group-IB analyzed the transactions associated with the BTC addresses controlled by Lazarus and discovered that the adversaries most likely used CoinPayments.net. An analysis of how the funds moved from the attackers' BTC addresses, extracted from the Lazarus BTC Changer samples, to the address 35dnPpcXMGEoWE1gerDoC5xS92SYCQ61y6 revealed three transactions in which a small part of the funds went to BTC wallets allegedly owned by CoinPayments.net. CoinPayments.net is a payment gateway that allows users to conduct transactions involving Bitcoin, Ethereum, Litecoin, and other cryptocurrencies. As such, Lazarus may have used it to facilitate cryptocurrency exchanges and transfers to external cryptocurrency addresses. The website's KYC (Know Your Customer) policy could theoretically help identify the individuals behind these attacks.
ANALYSIS OF WALLETS
At the time of withdrawing cryptocurrency from the extracted BTC addresses, the attackers transferred 0.89993859 BTC ($8,446.55 at the moment of the transaction and $52,611 as of April 9, 2021). The two main BTC addresses (1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt and 1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he) used to receive stolen funds received 43 transactions while the Lazarus BTC Changer campaign was active. The address 1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evta was not active during the Lazarus BTC Changer campaign: the only incoming and outgoing transactions associated with it took place on January 7, 2020, two months before the campaign began. The ETH address received 29 incoming transactions, totalling 4.384719 ETH ($9,047 as of April 9, 2021). This ETH address had been active since July 11, 2019, however, and may have been used in other operations conducted by the hackers, so it is impossible to determine which of its transactions resulted from the Lazarus BTC Changer campaign.
Per-address totals reported by Group-IB (this excerpt does not tie the rows to specific addresses; the last BTC row, whose average equals its total, is the address with a single incoming transaction):

| Address | Avg. incoming transaction amount | Total income |
|---|---|---|
| ETH address | 0.151197 ETH | 4.384719 ETH |
| BTC address | 0.021608 BTC | 0.669837 BTC |
| BTC address | 0.022420 BTC | 0.269044 BTC |
| BTC address (one incoming transaction) | 0.015110 BTC | 0.015110 BTC |
ANALYSIS OF OUTGOING BTC TRANSACTIONS
We tracked all outgoing transactions from the BTC addresses used by the attackers and extracted from the Lazarus BTC Changer samples, and found that all stolen funds were eventually consolidated in a single address (35dnPpcXMGEoWE1gerDoC5xS92SYCQ61y6) by transaction a929c7 (https://www.blockchain.com/btc/tx/a929c7d3b7ae58eb5b833460017016267f7ac66cbd16ad0b4c4d4c9b3f50406a). From this point onward we use short forms of the transaction IDs instead of the full hashes because of their length. Let's take a look at how the funds were moved before this transaction.
Fig. 6: Transactions from the BTC addresses used by the attackers before withdrawal in the transaction a929c7
The address 1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evta was used in two Lazarus BTC Changer samples, but in this case the attackers were not successful: the samples with this BTC address were detected in late March 2020, whereas all the funds held by the address had already been moved on January 7, 2020. Either the attackers received no money through the samples involving this address, or the funds were the proceeds of earlier attacks. On January 7, 2020 all the funds from this address were transferred in transaction d64045 (https://www.blockchain.com/btc/tx/d64045015d066aaa0187e822eebbe25437785d5c56be1a3fdcf3b77e99d324a7) to 3Gud3MyyNyJvUEfaqvF3dYnYUGvxYGhvzb (an address that multiple wallet explorers, which help attribute wallets and transactions to particular crypto services, assign to CoinPayments.net) and to 15ddzs7zA59cNt3m2YsErRzVamueWTTkTZ, which was one of the source addresses in transaction a929c7.
The address 1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he was found in four samples used in the Lazarus BTC Changer campaign, including the three samples with the fake iframe payment form. On April 5, 2020 the funds from this address were transferred to two addresses in transaction 5b3b34 (https://www.blockchain.com/btc/tx/5b3b34e8fdb642b028361799df5ac3955f38653f746f98c67183b2c62dbfb9ef): a small part to 3JnxmN6aCwhPc1cWd17ka6n7KFNbiYYRiz (which, according to multiple wallet explorers, belongs to CoinPayments.net) and the larger part to 1MrYhKvRiScuFPRb9ybuJzrrGX8BzR9u9r. Five days later, on April 10, 2020, the funds from 1MrYhKvRiScuFPRb9ybuJzrrGX8BzR9u9r were moved again in transaction a305ae (https://www.blockchain.com/btc/tx/a305aee9b7916ae34cefe9d3b2665271e027af52fdf57d6e4d3e02658760e456): a small part to another supposed CoinPayments.net address (3A6BbxFAYGj4zgcbBUatLeVxvqSDV4nQfV) and the larger part to 1HDMJ42anvW97ib2awZkzSQsCjR7uxLD79, which was one of the source addresses in the main withdrawal of the stolen funds.
The address 1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt used in one of the malware samples was the most closely connected with the main withdrawal in transaction a929c7: this address was one of the source addresses for this transaction.
Besides these three transfers from the addresses used by the attackers, transaction a929c7 had a fourth source address, 1KYjujKXcXw9mPrCr5HadY2DWCmo6aMrY9. However, we did not identify any malware samples or other malicious activity associated with this address or with the addresses related to it.
During the investigation, we identified three transactions in which a small part of the funds went to BTC addresses that multiple public wallet explorers attribute to CoinPayments.net. This pattern suggests that the attackers use CoinPayments.net as a payment gateway and that the small amount in each of these transactions is the service's commission.
In transaction a929c7, the funds were sent to the address 35dnPpcXMGEoWE1gerDoC5xS92SYCQ61y6 on May 17, 2020 at 00:03. Thirty-four minutes later, the funds from this address were transferred to two BTC addresses in transaction 8ad539 (https://www.blockchain.com/btc/tx/8ad539d33b3a9bcbc777ff252eb125c389d761c491750b42ef2d67d90047337d): the larger part to bc1qhs5extg53a44wcj9kfuvjvnqnv3dhpsadacttd and the rest to bc1qkjx7gm7enumq7ektxyk54l7zww45fxsk25eggw. From the address bc1qhs5extg53a44wcj9kfuvjvnqnv3dhpsadacttd, the funds were sent to two other addresses in transaction 6acd59 (https://www.blockchain.com/btc/tx/6acd5930f026c8163c1a742b7229acbceff7f9d317b9328f5736476e5f6b5692): 0.45641878 BTC to 38r5HQigv4Yh5ETwhYV8HwZwBbvThwSmfH and 0.38125138 BTC to 1FWhm95L6Nh2eqKKS5uKsXeAFeYB4yHegm.
Further investigation didn’t provide any useful connections between the BTC addresses and public cryptocurrency services, so it is unclear where the funds were subsequently transferred.
Fig. 7: Transactions after withdrawal from all BTC addresses used by the attackers
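The hop-by-hop tracing described in this section can be scripted. The following added example (it is not Group-IB's tooling) runs a forward breadth-first trace from the skimmer's cash-out addresses over a transaction graph and flags outputs that land on addresses a wallet explorer labels as a service, which is the CoinPayments.net "commission" pattern noted above. The graph is constructed from the hops named in the text: the short txids and the addresses are the ones the post gives, but the amounts are illustrative placeholders that are not on the page, except for the two outputs of 6acd59 the post reports. A real run would fetch each transaction's inputs and outputs from a node or a blockchain API and apply the same logic.

```python
from collections import deque

# Added example, not Group-IB's tooling. Addresses and short txids are those named
# in the post; the service labels are the ones the post attributes to wallet explorers.
SERVICE_ADDRESSES = {
    "3Gud3MyyNyJvUEfaqvF3dYnYUGvxYGhvzb": "CoinPayments.net",
    "3JnxmN6aCwhPc1cWd17ka6n7KFNbiYYRiz": "CoinPayments.net",
    "3A6BbxFAYGj4zgcbBUatLeVxvqSDV4nQfV": "CoinPayments.net",
}

SEED_ADDRESSES = [  # BTC addresses extracted from the Lazarus BTC Changer samples
    "1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt",
    "1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he",
    "1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evta",
]

# txid -> (input addresses, [(output address, amount in BTC)]).
# Amounts are ILLUSTRATIVE PLACEHOLDERS, not chain values, except the two
# outputs of 6acd59 that the post reports.
TXS = {
    "d64045": (["1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evta"],
               [("3Gud3MyyNyJvUEfaqvF3dYnYUGvxYGhvzb", 0.0001),
                ("15ddzs7zA59cNt3m2YsErRzVamueWTTkTZ", 0.0150)]),
    "5b3b34": (["1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he"],
               [("3JnxmN6aCwhPc1cWd17ka6n7KFNbiYYRiz", 0.0010),
                ("1MrYhKvRiScuFPRb9ybuJzrrGX8BzR9u9r", 0.2680)]),
    "a305ae": (["1MrYhKvRiScuFPRb9ybuJzrrGX8BzR9u9r"],
               [("3A6BbxFAYGj4zgcbBUatLeVxvqSDV4nQfV", 0.0010),
                ("1HDMJ42anvW97ib2awZkzSQsCjR7uxLD79", 0.2670)]),
    "a929c7": (["1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt",
                "15ddzs7zA59cNt3m2YsErRzVamueWTTkTZ",
                "1HDMJ42anvW97ib2awZkzSQsCjR7uxLD79",
                "1KYjujKXcXw9mPrCr5HadY2DWCmo6aMrY9"],
               [("35dnPpcXMGEoWE1gerDoC5xS92SYCQ61y6", 0.9000)]),
    "8ad539": (["35dnPpcXMGEoWE1gerDoC5xS92SYCQ61y6"],
               [("bc1qhs5extg53a44wcj9kfuvjvnqnv3dhpsadacttd", 0.8377),
                ("bc1qkjx7gm7enumq7ektxyk54l7zww45fxsk25eggw", 0.0620)]),
    "6acd59": (["bc1qhs5extg53a44wcj9kfuvjvnqnv3dhpsadacttd"],
               [("38r5HQigv4Yh5ETwhYV8HwZwBbvThwSmfH", 0.45641878),
                ("1FWhm95L6Nh2eqKKS5uKsXeAFeYB4yHegm", 0.38125138)]),
}


def trace(seeds, txs=TXS, services=SERVICE_ADDRESSES, max_hops=10):
    """Breadth-first forward trace. Returns (hops, terminal): one record per
    transaction output reached, and the addresses whose funds are not spent
    further in the data set (labelled service addresses excluded)."""
    queue = deque((addr, 0) for addr in seeds)
    seen_addr, seen_tx = set(seeds), set()
    hops, terminal = [], set()
    while queue:
        addr, depth = queue.popleft()
        spends = [txid for txid, (ins, _) in txs.items() if addr in ins]
        if not spends:
            if addr not in services:
                terminal.add(addr)
            continue
        if depth >= max_hops:
            continue
        for txid in spends:
            if txid in seen_tx:
                continue  # multi-input tx already expanded via another input
            seen_tx.add(txid)
            ins, outs = txs[txid]
            total = sum(amount for _, amount in outs)
            for out_addr, amount in outs:
                hops.append({
                    "hop": depth + 1, "txid": txid, "inputs": ins, "to": out_addr,
                    "amount": amount, "share": amount / total,
                    "service": services.get(out_addr),
                })
                if out_addr not in seen_addr:
                    seen_addr.add(out_addr)
                    queue.append((out_addr, depth + 1))
    return hops, terminal


def commission_pattern(hops, max_share=0.05):
    """Outputs to a labelled service that are a small fraction of a transaction:
    the pattern the post reads as a payment gateway's fee."""
    return [h for h in hops if h["service"] and h["share"] <= max_share]


if __name__ == "__main__":
    hops, terminal = trace(SEED_ADDRESSES)
    for h in hops:
        tag = f" [{h['service']}]" if h["service"] else ""
        print(f"hop {h['hop']} {h['txid']}: {h['to']}{tag} "
              f"{h['amount']:.8f} BTC ({h['share']:.1%})")
    print("fee-sized outputs to services:",
          [(h["txid"], h["to"]) for h in commission_pattern(hops)])
    print("trace ends at:", sorted(terminal))
```

The trace stops at three addresses with no further spend in the data set, which mirrors the point where the post's investigation lost the trail; the `max_share` threshold is a heuristic and would need tuning against real fee schedules before it is used as evidence.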
The Group-IB Threat Intelligence team identified a supposed payment gateway that was used in several transactions involving the stolen funds. The website's KYC policies could theoretically help identify the individuals behind the Lazarus BTC Changer campaign.
Group-IB researchers believe that after the gang successfully tested new tools on small e-commerce stores, it will be able to switch to more prominent targets for bigger gains.
Recommendations provided by the experts to prevent this kind of attack are available in the original post:
Original post: https://www.group-ib.com/blog/btc_changer
About the author: Victor Okorokov
Lead Threat Intelligence analyst at Group-IB
(SecurityAffairs – hacking, Lazarus)