Rolling in the Deep(Web): Lazarus Tsunami

2025-04-25, HISolutions
https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/
#ContagiousInterview #Tsunami

Summary
When HiSolutions investigated cryptocurrency theft in a software developer's environment in fall 2024, the initial access vector and the first stages of malware deployment were identical to the ongoing "Contagious Interview" campaign linked to North Korea.
During our analysis we were able to identify a more comprehensive sample of the Tsunami framework, a malware that relies on the Tor network and Pastebin (a SaaS) for command and control.
Tsunami has a modular structure, incorporates multiple stealers and deploys two cryptominers. It was first identified by Luca Di Domenico and Alessio Di Santo.
Key Takeaways
- The "Contagious Interview" campaign is ongoing and responsible for the theft of common and less common cryptocurrencies.
- The threat actor (TA) actively develops new tooling and uses Pastebin accounts and Tor .onion domains for C2.
- The identified Tsunami malware is in active development and incorporates multiple cryptominers and credential stealers.
Analysis
When we first observed the Tsunami framework in an incident, it achieved initial access by chainloading a malicious BeaverTail payload (loader) from the third-party …

IoC

rule tsunami_framework : apt {
    meta:
        name = "tsunami_framework"
        category = "framework"
        description = "Detects Tsunami-Framework"
        author = "Nicolas Sprenger (HiSolutions AG)"
        created = "2024-12-18"
        reliability = 100
        tlp = "TLP:clear"
        sample = "ab7608bc7af2c4cdf682d3bf065dd3043d7351ceadc8ff1d5231a21a3f2c6527"
        score = 100
    strings:
        // UTF-16LE request paths and URLs used by the client
        $ = "=/\x00a\x00s\x00s\x00e\x00t\x00s\x00/\x00v\x002\x00/\x00t\x00s\x00u\x00n\x00a\x00m\x00i\x00-\x00c\x00l\x00i\x00e\x00n\x00t\x00"
        $ = "/\x00a\x00p\x00i\x00/\x00v\x001\x00/\x00b\x00r\x00o\x00w\x00s\x00e\x00r\x00-\x00p\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00s"
        // the next two strings were run together across line breaks in the extracted copy; rejoined here
        $ = "/\x00a\x00p\x00i\x00/\x00v\x001\x00/\x00i\x00n\x00i\x00t\x00"
        $ = "/\x00a\x00p\x00i\x00/\x00v\x001\x00/\x00e\x00n\x00v\x00i\x00r\x00o\x00n\x00m\x00e\x00n\x00t\x00-\x00i\x00n\x00f\x00o\x00"
        $ = "a\x00p\x00i\x00/\x00v\x001\x00/\x00d\x00i\x00s\x00c\x00o\x00r\x00d\x00-\x00a\x00c\x00c\x00o\x00u\x00n\x00t\x00s\x00"
        $ = "a\x00s\x00s\x00e\x00t\x00s\x00/\x00v\x002\x00/\x00d\x00o\x00t\x00n\x00e\x00t\x006\x00-\x00i\x00n\x00s\x00t\x00a\x00l\x00l\x00e\x00r\x00-\x00u\x00r\x00l"
        $ = { 5473756E616D692E436F72652E436F6D6D6F6E2E } // "Tsunami.Core.Common." (ASCII)
        $ = { 680074007400700073003A002F002F006100700069002E00690070006900660079002E006F0072006700 } // "https://api.ipify.org"
        $ = { 68007400740070003A002F002F006900700069006E0066006F002E0069006F002F00 } // "http://ipinfo.io/"
    condition:
        uint16(0) == 0x5a4d and all of them
}
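The rule's logic, re-implemented in plain Python as an added example (not code from the HiSolutions post) for triage on a host where yara is not installed: the byte patterns are transcribed from the rule above, including the leading single '=' byte of the first string and the patterns that end without a final 0x00, and the `u16`, `has_mz_header`, `missing_strings` and `matches_tsunami_rule` names are my own.

```python
# Added example: plain-Python equivalent of the tsunami_framework YARA rule.
# Patterns are transcribed from the rule; any sample bytes fed to it here are constructed.
import struct


def u16(text: str, trailing_nul: bool = True) -> bytes:
    """UTF-16LE encode a string; the rule lists some patterns without the final 0x00 byte."""
    encoded = text.encode("utf-16-le")
    return encoded if trailing_nul else encoded[:-1]


# Every pattern the rule's "all of them" condition requires, in the order the rule lists them.
RULE_STRINGS: list[bytes] = [
    b"=" + u16("/assets/v2/tsunami-client"),                   # single '=' byte precedes the path
    u16("/api/v1/browser-passwords", trailing_nul=False),
    u16("/api/v1/init"),
    u16("/api/v1/environment-info"),
    u16("api/v1/discord-accounts"),
    u16("assets/v2/dotnet6-installer-url", trailing_nul=False),
    bytes.fromhex("5473756E616D692E436F72652E436F6D6D6F6E2E"),  # ASCII "Tsunami.Core.Common."
    u16("https://api.ipify.org"),
    u16("http://ipinfo.io/"),
]


def has_mz_header(data: bytes) -> bool:
    """YARA's uint16(0) == 0x5a4d: little-endian read of the first two bytes equals b'MZ'."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def missing_strings(data: bytes) -> list[bytes]:
    """Patterns from the rule that do not occur in data (empty list means all are present)."""
    return [s for s in RULE_STRINGS if s not in data]


def matches_tsunami_rule(data: bytes) -> bool:
    """Same verdict as the YARA rule: MZ header and all nine patterns present."""
    return has_mz_header(data) and not missing_strings(data)


def scan_file(path: str) -> bool:
    """Triage wrapper: read a file from disk and apply the rule logic to it."""
    with open(path, "rb") as fh:
        return matches_tsunami_rule(fh.read())
```

`missing_strings` is the useful part during triage: a sample that carries most but not all of the paths may still be a newer or stripped build, and the list tells you which markers to check by hand.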