lazarusholic

Lazarus group Campaign Targeting The Cryptocurrency Vertical

2020-08-18, F-Secure
https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf, 2.3 MB
#Cryptocurrency #Whitepaper #YARA

Contents

LAZARUS GROUP CAMPAIGN TARGETING THE CRYPTOCURRENCY VERTICAL
Tactical Intelligence Report
2020-08-18

F-Secure.com | © F-Secure LABS
INTRODUCTION

In 2019, F-Secure uncovered technical details on Lazarus Group's [1] modus operandi during an investigation of an attack on an organisation in the cryptocurrency vertical, hereafter referred to as "the target". The attack was linked to a wider, ongoing global phishing campaign. The detail in this report provides detection opportunities for blue teams seeking to defend their organizations from attacks by the group.

Lazarus Group's interests reportedly align with those of the government of the Democratic People's Republic of Korea (DPRK). According to a 2019 UN report [2], Lazarus Group has been targeting organizations in the cryptocurrency vertical since at least 2017. Consistent with public reporting on the group's activities, the main objective of the attack uncovered by F-Secure was financial gain.

F-Secure attributed the attack to the Lazarus Group based on similarities in malware, Tactics, Techniques & Procedures (TTPs) observed, and wider intelligence of the group's operational practices. F-Secure's analysis …

IoC

00efd0888b1772382ff75931ee186cbbcaf6576a0211ac1ab26420484259427a
09f0e82a3bad997c32605a1d3f9e40a0489b587af188fd05d4506358f2e890b4
0f413432d5f4fc1479ea058d6f45c6214f5d1aa6f56a367ace5b86d7ebe31dea
103.5.124.94
103.95.99.3
114.113.63.130
1533374acf886bc3015c4cba3da1c67e67111c22d00a8bbf7694c5394b91b9fc
200.4.220.172
209c82f38d445ce0750ceeb192c28e6770543a9bda82955f808cb15ca7c56e80
25d490dea789a84aaea3b6a94787956e581d1854a2b644c148d93333732c87cc
306deba9a8dbb6f5ab88f2386cbe1d46735231fdc680be65d1b6654b1f9950fc
439fcbfd868078a4f774c17400c3af9d730458578a8e51c349c2b9848ba2afef
4786d881b14712866fe9953ad039197e630007ea19c0f0d3bf6c52598e26210c
481629605412b02746f6ed7c102a391a4d8d49bd90f137bb262b723437de0937
4fcd5969811399850fb7d56b82a125f9e43fc2a801bd855de0767abcbed530ad
519f100ddc98cfb9aca3e13c0095bddeadf11c50397096953171d042ca376fbd
5c8291d7a3bf4e7f958f33ba3cb3fb35218a86ed9c67178ecc458c5d2d5f6203
61da70fc736b7146319928de39109f45e9f3e6ad374db8f9f778b5a3a32ec869
66.181.166.15
72e0965385eae2d3a2f20feb361ce542235fe44c08991644a0a231f595039e68
7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6
75.146.197.161
7ad1f7c989d7d8937bf9a1aca255c273a0bede03e6d26f5537971bd264fbadd9
7f60e13ed2e35bb2cfe4e243c71532b65d54f8b61ae7e7e789c125d274cdd3fe
831ba6efa4a49eb1c7ff749fe442b393c5a614f383bf1efb52512a183b4362fc
8b6887c5ec6fadaefee78f089e9a347a539bcedf52f5827f866a49a1839f8c4b
8f924f8cc8457e7e77c791896e4f19ff90d79958a3cfef95b2f77fc8a521bf0c
919380f60b8e644ebdf68bbc64dd14e012d50df343bd35881636f0d1ee934f1f
95.0.200.212
http://103.5.124.94
http://103.95.99.3
http://114.113.63.130
http://1driv.org
http://200.4.220.172
http://66.181.166.15
http://66.181.166.15:8080/uc
http://75.146.197.161
http://95.0.200.212
http://IPblog.cloudsecure.space
http://al6z.org
http://antlercap.com
http://azcloud.jetos.com
http://blockchaincap.org
http://bourncap.com
http://check.onedrvdn.co
http://chromeupdate.publicvm.com
http://client.cloudocs.space
http://client.googleapis.online
http://cloud.blockchaintransparency.institute
http://cloud.bugscrowd.com
http://cloudfiles.club
http://cloudssl.dns-cloud.net
http://code.publicvm.com
http://cryptofund.servehttp.com
http://cryptostore.publicvm.com
http://dnsupdate.best
http://doc.uploadsfiles.xyz
http://docs.gmaildrives.top
http://docs.googledrives.info
http://docs.sendspace.buzz
http://docsend.email
http://down.onedrivrshares.xyz
http://down_01fcd_fff.googldocs.org
http://download.gdriveupload.site
http://download.showprice.xyz
http://downloadsvc.publicvm.com
http://downurl.icu
http://drive.gogleshare.xyz
http://drive.publicvm.com
http://drivegoogle.publicvm.com
http://drivegoogles.com
http://drivegooglshare.xyz
http://drives.googldrive.xyz
http://drives.googlecloud.live
http://drverify.dns-cloud.net
http://enginecapital.cc
http://eu.euprotect.net
http://europasec.dnsabr.com
http://ff.upfilees.xyz
http://file.onedrivecloud.store
http://gbackup.gogleshare.xyz
http://gdocs.googleupload.info
http://gdrvshare.onedrvshare.host
http://gethelp.best
http://googledrive.download
http://googledrive.email
http://googledrive.network
http://googledrive.online
http://googledrive.publicvm.com
http://googleexplore.net
http://googleupdate.publicvm.com
http://icloud-mail.net
http://idgcapital.org
http://luisgarcia.myftp.org
http://mail.gdriveupload.info
http://mail.gmaildrive.site
http://mail.googleupload.info
http://map.navicheck.xyz
http://matrix-partners.theworkpc.com
http://microsoft-update10v.amazonaws1.info
http://mse.theworkpc.com
http://mskpupdate.publicvm.com
http://msupdatepms.xyz
http://name.ownemail.me
http://office.onedriveglobal.com
http://onedrive.onedriveglobal.com
http://onedrivems.online
http://onedriveupdate.publicvm.com
http://open.gdriveshareslink.xyz
http://p2p.downefile.xyz
http://pp.fcloudshare.xyz
http://reghelp.webredirect.org
http://robugnito.publicvm.com
http://scloud.wechart.org
http://sendgrid.webredirect.org
http://sequoiacapitals.com
http://sequoiacaps.com
http://sfile.onedrivecloud.store
http://share.goglesheet.com
http://share.googlefiledrive.com
http://share.onedriveglobal.com
http://share.onedrvfile.site
http://sshare.onedriveglobal.com
http://st.decurret.site
http://store.onedriveglobal.com
http://support.gdrvcheck.co
http://swisscryptotokens.email
http://toyota-ai.org
http://twosigma.best
http://twosigma.linkpc.net
http://twosigma.publicvm.com
http://twosigma.theworkpc.com
http://twosigmateam.cc
http://twosigmateam.info
http://up.drvupdate.xyz
http://up.filecloud.website
http://upload.sharefile.buzz
http://uploadsfiles.xyz
http://us.privacyshield.services
http://verify.googleauth.pro
http://waterm.publicvm.com
http://wordpress.publicvm.com