A Threat Actor Targeting Cryptocurrency Exchanges-lazarusholic

A Threat Actor Targeting Cryptocurrency Exchanges

2020-06-24, Clearskysec
https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf
CryptoCore_Group.pdf, 1.5 MB
#Cryptocurrency #CryptoCore #Whitepaper

June 2020

CryptoCore
A Threat Actor Targeting Cryptocurrency Exchanges

June 2020
_____________________________________________________________________________________________________________________
C) 2020 All rights reserved to ClearSky Security Ltd. [email protected] www.clearskysec.com
TLP: White

Page | 1

June 2020

Table of Contents
Cryptocurrency Exchanges Targeted by the CryptoCore Group ..........................................................................3
Background .............................................................................................................................................................3
Introducing CryptoCore .............................................................................................................................................4
Attribution ...............................................................................................................................................................4
Modus Operandi .....................................................................................................................................................4
Cyber Kill Chain .......................................................................................................................................................5
CryptoCore Group’s Main Characteristics ...........................................................................................................6
Persistence and adherence to same general TTPs and targets..........................................................6
Use of Cloud services, particularly – but not limited to – Google Drive.............................................6
Use of malicious cryptocurrency-themed domains .............................................................................6
Use of bit.ly URL shortening service .......................................................................................................6
Use of LNK shortcuts as downloaders ....................................................................................................6
Use of Visual Basic Script (VBS) files .......................................................................................................6
Swiftness and responsiveness .................................................................................................................6
CryptoCore Infrastructure Insights: ..........................................................................................................................7
CryptoCore Working Time Zone ..............................................................................................................7
CryptoCore operators use dedicated IP addresses ..............................................................................7
C&C TLD to Registrar & Nameserver Distribution .................................................................................7
Anomalous Registration of multiple C&C Domains in 3 Days .............................................................8
CryptoCore operators re-register expired C&C domains .....................................................................8
Use of DDNS services till 2019 ..................................................................................................................8
Infection Chain ............................................................................................................................................................9
CryptoCore TTPs .........................................................................................................................................................9
CryptoCore in action: Case Study ...........................................................................................................................13
CryptoCore Digital Infrastructure - Graph .............................................................................................................15
IOCs .............................................................................................................................................................................16

_____________________________________________________________________________________________________________________
C) 2020 All …

IoC

00ba843f8d6dcb8bbc5b22c3288e8a3e
034c0ad0de6464db26a54620d28382cb
059bde35d1f07a4af75a7e2cbdd73380
093eae51bd7566c40d646c1b37bce0ea
097698566d9c88a520e0d5459566a6b1
09bca3ddbc55f22577d2f3a7fda22d1c
0a512f11ab114c91dadcd5ca9cea63b8
0bc0ed48bb02e5d08d5549b59ff1105a
0c9170a2584ceeddb89e4c0f0a2353ed
0dc133b5b06b454d9777b552e84f1f4e
0e529999ed0a329c39a2fbdda3458b74
0eb71e4d2978547bd96221548548e9f0
0efd61f2ed379a5ae43c39333196d178
104.168.137.213
125.100.175.62
128.201.64.194
140.117.91.22
140.136.134.201
1439d13eee4b43501bfadbe40da1e1f6
145.108.194.10
146827291a77c6d85ec53f18e371a03c
15f1ae1fed1b2ea71fdb9661823663c6
16be84684b3cbcde54b45315164bdd23
16fe7f469b46cd01f35dff21a5cdf5fd
170a96fd6fb606a56474e2fc716d91bb
17d97dca939836fe4eeb61eac371960f
181.193.82.122
185.45.28.182
186.232.112.25
190.81.34.163
190.85.159.46
191.215.16.82
192.183.29.182
192.48.29.14
197.44.198.211
197.51.50.158
199.66.91.106
1a8282f73f393656996107b6ec038dd5
202.39.61.57
203.144.133.42
203.151.166.13
209.208.109.38
210.212.148.30
220e32ff140ef5f0fdef71b5b82b3a48
23.254.144.139
23.65.190.86
23949657ccb9913f746bd777017eca17
244a23172af8720882ae0141292f5c47
2888f852a8a90e16aa72282fad6eb16e
2d27e4aa3315c7b49ce5edd1a3fb5485
2ea2ceab1588810961d2fc545e2f957e
3078265f207fed66470436da07343732
318285813e4665c80be08db657c2bd4c
36ad2e8ac0ec506fe582c14ba5713cd5
3812cdc4225182326b1425c9f3c2d50b
3b6a9b2cbb4874c551929c2b530412ab
3e9b52e3b90ac45ac5ddb9c91615c7ae
41.85.145.164
4274e6dbc2b7aee4ef080d19fff47ce7
427bdfe4425e6c8e3ea41d89a2f55870
45123dac5e13cebe1dc7fc95afd9c63e
4668e0de731ea41243c5bce6ea506309
47c91edfe71fe31801a86ea97cf5a42c
5241c8bf6be44eea9c9c45ef2dcf3867
53b800066811b7668e59774bd4c763ca
561f70411449b327e3f19d81bb2cea08
56fe283ca3e1c1667191cc7764c260b6
59.120.122.35
59.127.150.197
5bb049c31f5fb8c4a076def3efb91177
5d662269739f1b81072e4c7e48972420
5ebdfa1bf92d8075f53427531567fbf7
62.201.228.179
629f6a17bea4c386aee3dfec2ed6ec2c
64272932a09b818a818e965aafc579ab
66.181.166.11
66.181.166.15
68.232.175.188
69.64.54.215
6af21f0bdefb55a4219fd4c25674ba67
70.184.87.103
753959ab347cc43af439cb3eb36e8caa
78.94.213.101
786e61e00c33175cc9ed9b7b99d166d4
797adc31b6370ca50318ae342d692ad6
7a83be17f4628459e120a64fcab70bac
7cd7604ddfa4eb0caf7c878c8fdf617f
7d5c259d422310218a8888ec1ce65e92
7d9d91748258e35176386497765dbc00
83bac6075fe0d21eea6c9942b2738a1e
8468a0bae15202a634ac48e56724edbe
850751de7b8e158d86469d22ad1c3101
874ef600af0a8b88ca5c937d140ea8c5
88.204.166.59
88349b3e7e2e61a8dc3d0fc02e461c7e
8b7350ac6d069e77fb63b3cee3df31a8
8cb554127837a4002338c10a299289fb
8cc8bdc017b103f4dbd00e6336809594
91.140.255.62
91.98.251.208
92aa224af7d71c9fc162fdb6ce53bc5b
92b9808028e5d7019c29ea41df162db4
97e2ce9d86c1c99619a343b69e447d02
97fd02ae666988d853a68fdd7f7d2e7f
9aa464cc5f50b3db260a0d2ec9e74ead
9b4df98a975b622c456c7f8e2001628f
9b694c70494d968c319566f72f358fd3
a0d98d01ed78fd66494138ac155c56c1
a1c607fe90eecdb3dafea82bb7a089b4
a929b7eb37a7fa26dc59c1fee364ec65
a9c5355fce2bd42e5cb3cd1fe6c375f1
[email protected]
b33cade6a8c03e94a7d06306c7cfc36b
b8406b91b0eb57267f192a1aee6d3ee0
b85879c0a463dddc3a98c91c9cd52934
bd191dac5e16ec6db262b92b3f4f2556
bd1cf2404e0d03d6256ce333e97af25a
c509890d250d6e986e3c3654aa5cea26
c5d9a6478b9b68c213301cb81cbd3833
c869b0fe739d0626e4474eea980dd018
cc7d27698488a80f9fc35341d31ef872
cd0a391331c1d4268bd622080ba68bce
ce09cdb7979fb9099f46dd33036b9001
ce9030dd0ce0c3872f5b59088e9a3362
cf1bc39380f40a514aa82e4db6215b11
d0c500c37ae9f9e3657d26272722b997
d3d32225bf893ccc62dee9d833fe04f2
d41f422a621b097b949e1540e48d5f58
d73499bc6b500b4fc5648943e12ce9e2
d7748383f7c1c8a198da473a5f5842fa
d7b8c3c986495a814c9b8bd10d3f5eef
da599b0cde613b5512c13f299fec739e
da6a366750e77d3e24126e0a69379c42
db3c54038e0b2db2c058a5e9761e4819
dbbe0311788f525b2163fb510ca8f22a
de762f4e393af735609cf2e08f56ee7b
e2dd0bf4bdf8d51954c7c8a924571d3c
e6e64c511f935d31a8859e9f3147fe24
e7d42e055708a6659661370b99f516d1
e91de2e139d6560f5a81016d46d03db3
e9b4c4ec893a15f23524766764b696c6
eab491a31d4f049695c0aa515a0d90b6
ebe8b4bdf1536a788afa6ab67ad9e53c
ee15bec0e9ba39f186d721515efd6a00
f0a92e7d0a8eb7a85003a316704c9812
f3b7eaf965e30bef2d5ef1ee1bb6634b
fe9f9f690943047e1f877644cb6d4648
feccea47b97e78f2d6c4271da3f565c4
ff9ee83f13bd8167d9ba780b2a147668
http://104.168.137.213
http://125.100.175.62
http://128.201.64.194
http://140.117.91.22
http://140.136.134.201
http://140.136.134.201:8080/open?topic=
http://145.108.194.10
http://181.193.82.122
http://185.45.28.182
http://186.232.112.25
http://190.81.34.163
http://190.85.159.46
http://191.215.16.82
http://192.183.29.182
http://192.48.29.14
http://197.44.198.211
http://197.51.50.158
http://199.66.91.106
http://1driv.org
http://1drv.email
http://1drvmail.work
http://202.39.61.57
http://203.144.133.42
http://203.151.166.13
http://209.208.109.38
http://210.212.148.30
http://23.254.144.139
http://23.65.190.86
http://41.85.145.164:8080/open?topic=
http://59.120.122.35
http://59.127.150.197
http://62.201.228.179
http://66.181.166.11
http://66.181.166.15
http://68.232.175.188
http://69.64.54.215
http://70.184.87.103
http://78.94.213.101
http://88.204.166.59
http://91.140.255.62
http://91.98.251.208
http://amazonaws1.info
http://amzonnews.club
http://armzon.onmypc.org
http://blackwell.tekstar.us
http://blockchaintransparency.ins
http://blockchaintransparency.institute
http://btcprime.itsaol.com
http://btcprime.tk
http://bugscrowd.com
http://chromeupdate.publicvm.com
http://cloudfiles.club
http://cloudocs.space
http://cloudsecure.space
http://coindeck.onmypc.org
http://coinnews.onmypc.org
http://coinomic.itsaol.com
http://connsec.publicvm.com
http://ddsvr.itsaol.com
http://decurret.site
http://digifincx.com
http://dns-cloud.net
http://drivegmail.top
http://drivegoogle.org
http://drivegoogle.publicvm.com
http://drivegooglshare.xyz
http://drivegooogle.publicvm.com
http://esosv.itemdb.com
http://euprotect.net
http://europegdprsec.onmypc.org
http://eusharesrv.onmypc.org
http://excinfo.itemdb.com
http://fcloudshare.xyz
http://filecloud.website
http://financialmarketing.live
http://gdrive.onmypc.org
http://gdriverfileshare.com
http://gdrives.best
http://gdrives.top
http://gdriveshare.top
http://gdriveshareslink.xyz
http://gdriveupload.info
http://gdriveupload.site
http://gdrvauth.cloud
http://gdrvcheck.co
http://gdrvshare.site
http://gdrvup.xyz
http://gdrvupload.xyz
http://gmaildrive.info
http://gmaildrive.site
http://gmaildriver.info
http://gogleshare.xyz
http://goglesheet.com
http://googldocs.org
http://googldrive.xyz
http://googleapis.online
http://googleauth.pro
http://googlecloud.live
http://googleclouddrive.com
http://googlecstorage.com
http://googledrive.download
http://googledrive.dynu.net
http://googledrive.email
http://googledrive.linkpc.net
http://googledrive.network
http://googledrive.online
http://googledrive.publicvm.com
http://googledriver.info
http://googledriver.net
http://googledriver.xyz
http://googledriveshare.com
http://googledrv.com
http://googleexplore.net
http://googlefiledrive.com
http://googlefileshare.com
http://googleshare.org
http://googleupdate.publicvm.com
http://googleupload.info
http://krypitalvc.com
http://ledgerservice.itsaol.com
http://liveonedrvshare.xyz
http://matrixpartners.theworkpc.com
http://microsoftapp.life
http://mpksl.publicvm.com
http://mskpupdate.publicvm.com
http://msupdate.publicvm.com
http://msupdatepms.xyz
http://navicheck.xyz
http://onedrivecloud.store
http://onedriveglobal.com
http://onedrivems.online
http://onedriveupdate.publicvm.com
http://onedrivrshares.xyz
http://onedrvdn.co
http://onedrvfile.site
http://ownemail.me
http://privacyshield.services
http://provemail.net
http://secureshares.online
http://sendspace.buzz
http://sevicebill.itemdb.com
http://sharedrivegght.xyz
http://sharegoogldrive.online
http://sharesdown.xyz
http://showprice.xyz
http://termsofservice.onmypc.org
http://tokenomic.itsaol.com
http://twosigma.publicvm.com
http://uploadsfiles.xyz
http://vpset.onmypc.org
http://vpsfree.linkpc.net
http://wechart.org
http://windrvupdate.kozow.com