
How North Korean Threat Actors Pulled Off Multimillion-Dollar Heists?

A threat actor tracked as CryptoCore has been carrying out multiple attacks on cryptocurrency exchanges. The threat actor has strong connections to Lazarus, the North Korea-based APT group. The first campaign began in 2018 and used spear-phishing attacks to gain initial access.

What has happened?

In the past three years, the CryptoCore group is believed to have stolen hundreds of millions of dollars by targeting cryptocurrency exchanges across multiple countries and regions, including the U.S., Israel, Japan, and Europe.
  • In a recent report, ClearSky researchers compared the details of earlier attacks with their latest findings and observed enough similarities to positively link the attacks to the same actor.
  • ClearSky confirmed the link between the attacks and the Lazarus group by matching YARA rules written to identify Lazarus malware. The same rules were applied to RATs described in Lazarus reports from Kaspersky and ESET.
  • From reports by NTT Security, JPCERT/CC, and F-Secure, ClearSky observed 40 common IOCs, a VBS script that was nearly identical once deobfuscated, and matching stealers and RATs.

Different reports, the same tactic

Alongside ClearSky's report, other cybersecurity organizations published investigations into separate attacks that share similarities with CryptoCore's recent TTPs.
  • F-Secure identified a separate campaign with tactics similar to those used in recent CryptoCore attacks. The attackers first started a conversation with the victims and then persuaded them to download a malicious file.
  • JPCERT/CC posted a detailed analysis of various incidents in which employees of Japanese firms were sent emails containing malicious files.
  • A report from NTT Security disclosed a campaign, CRYPTOMIMIC, that stole large sums of money from crypto wallets by contacting users and convincing them to download malicious files.

Concluding

CryptoCore has been active for the past three years, and its attacks are apparently financially motivated. The collected evidence points towards a partnership between the CryptoCore threat actors and one of the most dreaded North Korean hacker groups, Lazarus. As they continue to burn holes in the pockets of victims, it is very likely that this group will attempt more attacks in the near future.

Cyware Publisher
