lazarusholic


Attributing CryptoCore Attacks Against Crypto Exchanges to LAZARUS (North Korea)

2021-05-24, Clearskysec
https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf
CryptoCore-Lazarus-Clearsky.pdf, 999.7 KB
#Cryptocurrency #CryptoCore #CageyChameleon

Contents

May 2021

Attributing Attacks Against Crypto Exchanges to LAZARUS – North Korea
© 2021 All rights reserved to ClearSky Ltd. [email protected] www.ClearSkysec.com
TLP: White

Table of Contents

- Research Methodology (p. 3)
- STEP ONE - Finding Similarities Between the Four Research Papers (p. 7)
  - Comparing ClearSky's research to F-SECURE and JPCERT/CC (p. 7)
  - Comparing F-SECURE's and NTT SECURITY's reports (p. 10)
- STEP TWO - Reaffirming F-SECURE's attribution of the attacks to Lazarus (p. 15)


Abstract
CryptoCore is an attack campaign against crypto-exchange companies that has been ongoing for three years and was discovered by ClearSky researchers. This cybercrime campaign is focused mainly on the theft of cryptocurrency wallets, and we estimate that the attackers have already made off with hundreds of millions of dollars.

This campaign was also reported by additional companies and organizations, including JPCERT/CC [1], NTT Security [2] and F-SECURE [3]. The campaign is also known as CryptoMimic, Dangerous Password and Leery Turtle.

In our report we attributed this …

IoC

Network indicator (IPv4 address):

66.181.166.15

File hash (SHA-256):

8b6887c5ec6fadaefee78f089e9a347a539bcedf52f5827f866a49a1839f8c4b

File hashes (32-hex, MD5):

1439d13eee4b43501bfadbe40da1e1f6
17d97dca939836fe4eeb61eac371960f
2d27e4aa3315c7b49ce5edd1a3fb5485
3e9b52e3b90ac45ac5ddb9c91615c7ae
45123dac5e13cebe1dc7fc95afd9c63e
5bb049c31f5fb8c4a076def3efb91177
629f6a17bea4c386aee3dfec2ed6ec2c
7d5c259d422310218a8888ec1ce65e92
83bac6075fe0d21eea6c9942b2738a1e
a9c5355fce2bd42e5cb3cd1fe6c375f1
b8406b91b0eb57267f192a1aee6d3ee0
bbd703f0d6b1cad4ff8f3d2ee3cc073c
c509890d250d6e986e3c3654aa5cea26
c5d9a6478b9b68c213301cb81cbd3833
c869b0fe739d0626e4474eea980dd018
cd0a391331c1d4268bd622080ba68bce
d0c500c37ae9f9e3657d26272722b997
d3d32225bf893ccc62dee9d833fe04f2
d7b8c3c986495a814c9b8bd10d3f5eef
db3c54038e0b2db2c058a5e9761e4819
ee15bec0e9ba39f186d721515efd6a00
feccea47b97e78f2d6c4271da3f565c4