Report: Lazarus Hackers Are Behind the CryptoCore Attacks on Bitcoin Exchanges

The Lazarus hacker group, which is associated with the North Korean authorities, has been hacking bitcoin exchanges around the world for several years under the alias CryptoCore, the name under which researchers had previously tracked this activity as a separate group. This is the conclusion reached by security researchers from ClearSky.

The attackers emptied the cryptocurrency wallets of users and employees of trading platforms using targeted (spear) phishing. While communicating with victims, the hackers persuaded them to download a malicious file.

ClearSky experts compared reports on these attacks from F-Secure, JPCERT/CC and NTT Security. In addition to similarities in behavior and source code, the CryptoCore malware has characteristic features that match the YARA rules (signatures used to identify and classify malware) published by ESET and Kaspersky for Lazarus.

The YARA rule corresponds to the Lazarus RAT in the ESET report. Data: ClearSky.

One of the YARA rules matches an older Remote Access Trojan (RAT) that Kaspersky reported on in 2016.

In total, across the F-Secure, NTT Security and JPCERT/CC reports, ClearSky experts found 40 common indicators of compromise (IoCs), an almost identical VBS script, and similar RATs and stealers.
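The overlap ClearSky describes is the result of normalizing each vendor's indicators and intersecting them. The script below is an added illustration of that step and is not ClearSky's tooling or data: the vendor names are real, but every indicator in it is a constructed placeholder (reserved documentation addresses, a `.test` domain, and the MD5/SHA-256 hashes of the empty string), chosen so that the same indicator appears in different defanged spellings across the "reports".

```python
"""Intersect indicators of compromise (IoCs) across several vendor reports.

Added example, not ClearSky's code. All indicators below are constructed
placeholders; none is a real CryptoCore or Lazarus indicator.
"""
import re
from itertools import combinations

# Constructed sample reports, written in the inconsistent defanging styles
# vendors actually use (hxxp, [.] brackets, mixed-case hashes).
REPORTS = {
    "F-Secure": [
        "hxxp://example-update[.]test/login",
        "example-update[.]test",
        "203[.]0[.]113[.]5",
        "D41D8CD98F00B204E9800998ECF8427E",            # md5("")
    ],
    "NTT Security": [
        "example-update.test",
        "203.0.113.5",
        "d41d8cd98f00b204e9800998ecf8427e",            # md5("")
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # sha256("")
    ],
    "JPCERT/CC": [
        "hxxps://example-update[.]test/",
        "198.51.100.7",
        "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",  # sha256("")
    ],
}

_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc):
    """Undo common defanging so the same indicator compares equal regardless
    of which vendor wrote it down."""
    s = ioc.strip().lower()
    for token in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def normalize(ioc):
    """Return the set of canonical (type, value) pairs one raw indicator
    contributes. A URL contributes itself and its host, so a bare domain in
    one report matches a full URL in another."""
    s = refang(ioc)
    if _HASH_RE.match(s):
        return {("hash", s)}
    if "://" in s:
        host = s.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
        kind = "ip" if _IP_RE.match(host) else "domain"
        return {("url", s), (kind, host)}
    if _IP_RE.match(s):
        return {("ip", s)}
    return {("domain", s)}


def indicator_sets(reports):
    """Map each report name to its set of canonical indicators."""
    return {name: set().union(*(normalize(i) for i in iocs))
            for name, iocs in reports.items()}


def pairwise_overlap(reports):
    """Canonical indicators shared by each pair of reports."""
    sets = indicator_sets(reports)
    return {(a, b): sets[a] & sets[b] for a, b in combinations(sorted(sets), 2)}


def shared_by_all(reports):
    """Canonical indicators present in every report."""
    return set.intersection(*indicator_sets(reports).values())


if __name__ == "__main__":
    for pair, common in pairwise_overlap(REPORTS).items():
        print(f"{pair[0]} & {pair[1]}: {len(common)} shared -> {sorted(common)}")
    print("shared by all:", sorted(shared_by_all(REPORTS)))
```

Note that the counting is deliberately conservative: a URL and its host count as two indicators only when both appear on both sides, and hashes of different algorithms never collide with each other or with hostnames.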

Lazarus VBS script used in several campaigns. Data: ClearSky.

“Given all the similarities, ClearSky attributes the CryptoCore campaign to Lazarus with a high degree of probability,” the conclusion says.

Recall that the CryptoCore group began its activities in mid-2018. Since then, it has hacked cryptocurrency exchanges in the USA, Israel, Europe and Japan.

According to ClearSky, by June 2020 the damage caused by the hackers amounted to $200 million in cryptocurrency.