
APT Group Targeting Cryptocurrency Industries — Debunked

2020-09-18, UppsalaSecurity
https://medium.com/sentinel-protocol/apt-group-targeting-cryptocurrency-industries-debunked-5f799028cfc1
#CryptoCore

Contents

By: Athul Harilal (Security Researcher) and Nobel Tan (Head of Engineering & Product)
In this article, we summarize our findings on an APT (Advanced Persistent Threat) group targeting multiple enterprises in the cryptocurrency domain. The group uses spear-phishing emails to gain a foothold on the victim machine, then downloads multiple payloads from the phishing or C2 server to exfiltrate information. Our findings show that the group uses separate infrastructure for hosting its phishing and C2 servers, which have links to the DPRK-based Lazarus APT group and to the CryptoCore APT group, which has been involved in compromising multiple cryptocurrency exchanges. We have shared the IOC findings from this research with interested individuals.
Modus Operandi of the APT Group
From our investigation, we uncovered 4 stages of operation used by the threat actor group to infect and exfiltrate information from victim machines.
Stage 1: As shown in Fig 1, cryptocurrency …

IoC

128.201.64.194
140.117.91.22
203.144.133.42
66.181.166.15
http://128.201.64.194
http://140.117.91.22
http://203.144.133.42
http://66.181.166.15
http://blockchaintransparency.institute
http://digifinex.com
http://privacyshield.services
https://forum.mikrotik.com/viewtopic.php?t=137270
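The modus operandi above (a foothold via spear phishing, then payload downloads from the phishing or C2 host) means the most useful thing a defender can do with the IoC list is sweep outbound proxy logs for contact with those hosts. The script below is an added example, not code from the original article or from Uppsala Security: it normalizes the list exactly as printed (bare IPs and URLs, reduced to IP and hostname sets) and matches it against a handful of constructed proxy log lines, matching hostnames only as exact or subdomain matches so that look-alike names are not flagged by accident. The log format, the internal client addresses and the destination addresses in the sample lines are all assumptions for the example. Note that the list mixes indicators with what look like references (the forum.mikrotik.com thread URL, and digifinex.com, which is the domain of a cryptocurrency exchange), so treat a hit as a triage lead to be vetted rather than as grounds for an automatic block.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IoC list copied verbatim from the page above.
RAW_IOCS = [
    "128.201.64.194",
    "140.117.91.22",
    "203.144.133.42",
    "66.181.166.15",
    "http://128.201.64.194",
    "http://140.117.91.22",
    "http://203.144.133.42",
    "http://66.181.166.15",
    "http://blockchaintransparency.institute",
    "http://digifinex.com",
    "http://privacyshield.services",
    "https://forum.mikrotik.com/viewtopic.php?t=137270",
]

# Constructed sample proxy log lines (assumed format:
# timestamp src_ip dst_ip host method url status). Internal and destination
# addresses are made up for the example; the paths are deliberately generic.
SAMPLE_LOGS = [
    "2020-09-10T08:12:03Z 10.0.5.21 104.16.0.1 mail.example.com GET https://mail.example.com/inbox 200",
    "2020-09-10T08:14:41Z 10.0.5.21 66.181.166.15 66.181.166.15 GET http://66.181.166.15/ 200",
    "2020-09-10T08:15:02Z 10.0.5.21 203.0.113.7 www.privacyshield.services GET http://www.privacyshield.services/ 200",
    "2020-09-10T08:16:30Z 10.0.5.40 198.51.100.9 notprivacyshield.services GET http://notprivacyshield.services/ 200",
    "malformed line",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst_ip>\S+) (?P<host>\S+) "
    r"(?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def normalize_iocs(raw):
    """Reduce bare IPs and URLs to a set of IPs and a set of lowercase hostnames."""
    ips, hosts = set(), set()
    for item in raw:
        host = urlsplit(item).hostname if "://" in item else item
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            hosts.add(host.lower())
    return ips, hosts


def host_matches(host, hosts):
    """True only for an exact match or a subdomain, never a bare substring match."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def match_logs(lines, ips, hosts):
    """Return one hit record per log line whose destination IP or host is an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        d = m.groupdict()
        host = d["host"].lower()
        reasons = []
        if d["dst_ip"] in ips:
            reasons.append(f"dst_ip {d['dst_ip']}")
        if host_matches(host, hosts):
            reasons.append(f"host {host}")
        if reasons:
            hits.append({"ts": d["ts"], "src": d["src"], "url": d["url"], "why": reasons})
    return hits


if __name__ == "__main__":
    ip_set, host_set = normalize_iocs(RAW_IOCS)
    for hit in match_logs(SAMPLE_LOGS, ip_set, host_set):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} ({', '.join(hit['why'])})")
```

Run against real proxy or DNS logs, the two lines worth acting on are the ones that hit a C2 IP directly and the one that resolves a listed domain; the look-alike `notprivacyshield.services` line is intentionally not flagged, which is the reason for the subdomain check instead of a substring test.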