Rolling in the Deep(Web): Lazarus Tsunami

HiSolutions uncovered a connection between a cryptocurrency theft investigation and the ongoing “Contagious Interview” campaign linked to North Korea. The analysis revealed the Tsunami framework, a malware family that communicates over the Tor network and Pastebin and uses a modular design to deploy various stealers and cryptominers.

Affected: cryptocurrency sector, software developers

Key points:

  • The ongoing “Contagious Interview” campaign is connected to recent cryptocurrency thefts.
  • The Tsunami malware is under active development and incorporates multiple functionalities.
  • The Tsunami framework uses Tor and Pastebin for its command-and-control operations.
  • The malware uses a chainloading technique to establish initial access via a malicious payload.
  • Persistent installations include the Tsunami-Injector and Tsunami-Installer.
  • The malware uses a variety of data-stealing modules, including credential stealers and bots.
  • A backdoor and functionality for hijacking computing capacity were also observed.

MITRE Techniques:

  • T1082 – System Information Discovery: The malware collects OS and hardware information during initialization.
  • T1589.001 – Gather Victim Identity Information: Credential gathering from multiple applications is performed.
  • T1587.001 – Develop Capabilities: Continuous development of the Tsunami malware by the threat actor.
  • T1584.005 – Compromise Infrastructure: The implementation of botnet functionalities is observed.
  • T1608 – Stage Capabilities: The malware operates through multiple, staged infection methods.
  • T1059 – Command and Scripting Interpreter: Uses scripting interpreters such as PowerShell and Python.
  • T1053.005 – Scheduled Task/Job: Relies on scheduled tasks to maintain persistence.
  • T1204 – User Execution: Initial access depends on the execution of a backdoored repository.
  • T1547 – Boot or Logon Autostart Execution: Creates startup tasks for persistence.
  • T1562.004 – Impair Defenses: Disables Windows Firewall.
  • T1562.001 – Impair Defenses: Disables Windows Defender.
  • T1027 – Obfuscated Files or Information: The malware contains obfuscated components.
  • T1056 – Input Capture: Implements keylogging capabilities.
  • T1539 – Steal Web Session Cookie: Exfiltrates browser session cookies.
  • T1555 – Credentials from Password Stores: Accesses various applications for credential retrieval.
  • T1083 – File and Directory Discovery: Searches for and uploads specific files to the C2 server.
  • T1020 – Automated Exfiltration: Exfiltrates information periodically.
  • T1496.001 – Resource Hijacking: Employs compute resource hijacking through cryptominers.

Indicators of Compromise:

  • [SHA256] 3f424b477ac16463e871726cbb106d41574d2d0e910dee035fbd23241515e770
  • [SHA256] b25e1a54e9c53bf6367c449be46f32241d1fd9bf76be9934d42c121105fb497d
  • [SHA256] bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed
  • [IPv4] 23.254.229[.]101
  • [C2-Domain] n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion

Full Story: https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/