Cryptocurrency APT Intelligence: Unveiling Lazarus Group’s Intrusion Techniques
Author: 23pds & Thinking
Editor: Liz
Background
Since June 2024, the SlowMist security team has been invited by multiple teams to conduct forensic investigations into several hacking incidents. After accumulating prior intelligence and conducting an in-depth analysis over the past 30 days, we have completed a review of the attackers’ tactics and intrusion paths. The results indicate that this is a state-sponsored APT attack targeting cryptocurrency exchanges. Through forensic analysis and correlation tracking, we have identified the attacker as the Lazarus Group.
Upon obtaining the relevant IOCs (Indicators of Compromise) and TTPs (Tactics, Techniques, and Procedures), we immediately shared the intelligence with our partners. Additionally, we discovered that other partners had also been targeted using the same attack techniques and intrusion methods. However, they were relatively fortunate — during the intrusion, security alerts were triggered, and their security teams were able to promptly respond and successfully block …
IoC