Lazarus Group Bybit Heist: C2 forensics

This investigation focuses on the Lazarus APT Group's Command and Control (C2) infrastructure associated with the Bybit hack, revealing various domains and IP addresses that may be under their control. It uses DNS data and host response attributes to identify additional related indicators, thereby assisting proactive threat hunting efforts.

Affected: Bybit, financial sector, cryptocurrency exchanges

Key points:

  • The FBI attributed the + billion Bybit hack to North Korea’s Lazarus Group.
  • Safe{Wallet} and SlowMist identified suspicious domains and IP addresses related to the hack.
  • Unique server responses from reported C2 domains were used to identify further related domains.
  • Indicator tracking was set up in Validin to aid in monitoring across various domains and IPs.
  • Identification of rare attributes within host responses can yield additional insights.
  • Multiple domains were resolved to the same IPs, indicating possible threat actor control.
  • Proactive analysis using historical DNS and host response data plays a key role in enhancing threat intelligence.
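The two pivots described in the key points above (domains sharing IPs with the seed indicators, and domains sharing rare host-response attributes with them) can be reproduced over exported passive DNS and banner data. The script below is an added example and is not code from the Validin post; all passive DNS rows and response headers in it are constructed sample data, the `x-app-id` header and its value are invented for illustration, and only the seed domains and IPs come from the indicator list on this page (with the defanging brackets removed). The frequency thresholds are assumptions that keep the pivot from expanding through shared hosting or a ubiquitous `server: nginx` banner.

```python
"""Pivot from seed C2 indicators over passive DNS and host-response attributes.

Added example, not from the Validin post. All records below are constructed;
only the seed domains and IPs come from the indicator list on the page.
"""
from collections import Counter, defaultdict

# Seed indicators from the page (defanging brackets removed).
SEED_DOMAINS = {"getstockprice.com", "trashcrease.com"}
SEED_IPS = {"70.34.245.118", "185.236.231.224"}

# Constructed passive-DNS records: (domain, resolved_ip, first_seen).
PDNS = [
    ("getstockprice.com", "70.34.245.118", "2025-02-10"),
    ("trashcrease.com", "185.236.231.224", "2025-02-12"),
    ("getcoinprice.info", "70.34.245.118", "2025-02-14"),   # shares an IP with a seed
    ("trashcrease.com", "198.51.100.7", "2024-11-01"),      # constructed older shared-hosting IP
    ("parked-one.example", "198.51.100.7", "2024-01-01"),
    ("parked-two.example", "198.51.100.7", "2024-01-01"),
    ("parked-three.example", "198.51.100.7", "2024-01-01"),
]

# Constructed host-response attributes per domain (header name -> value).
# A real hunt would also use titles, favicon hashes, TLS certificate fields, etc.
HOST_RESPONSES = {
    "getstockprice.com": {"server": "nginx", "x-app-id": "qz81-stock-feed"},
    "trashcrease.com": {"server": "nginx", "x-app-id": "qz81-stock-feed"},
    "getcoinprice.info": {"server": "nginx", "x-app-id": "qz81-stock-feed"},
    "example-cdn.net": {"server": "nginx", "x-app-id": "cdn-default"},
    "unrelated.example": {"server": "nginx"},
}

MAX_DOMAINS_PER_IP = 3       # assumed: an IP with more domains than this is treated as shared hosting
MAX_HOSTS_PER_ATTRIBUTE = 3  # assumed: an attribute value on more hosts than this is too common to pivot on


def pivot_on_ips(seed_domains, seed_ips, pdns, max_domains_per_ip=MAX_DOMAINS_PER_IP):
    """Return {domain: {ip, ...}} for non-seed domains that resolved to a seed IP or to
    any IP a seed domain resolved to, skipping crowded (shared-hosting) IPs."""
    ip_to_domains = defaultdict(set)
    pivot_ips = set(seed_ips)
    for domain, ip, _first_seen in pdns:
        ip_to_domains[ip].add(domain)
        if domain in seed_domains:
            pivot_ips.add(ip)  # expand with every IP the seed domains resolved to
    hits = defaultdict(set)
    for ip in pivot_ips:
        domains = ip_to_domains.get(ip, set())
        if len(domains) > max_domains_per_ip:
            continue  # too many tenants: co-location here proves nothing
        for domain in domains - seed_domains:
            hits[domain].add(ip)
    return dict(hits)


def rare_attributes(seed_domains, responses, max_hosts=MAX_HOSTS_PER_ATTRIBUTE):
    """Return the (header, value) pairs seen on seed hosts that are rare across the
    whole corpus; ubiquitous values such as server=nginx are dropped."""
    frequency = Counter(pair for attrs in responses.values() for pair in attrs.items())
    return {
        pair
        for domain in seed_domains
        for pair in responses.get(domain, {}).items()
        if frequency[pair] <= max_hosts
    }


def pivot_on_attributes(seed_domains, responses, max_hosts=MAX_HOSTS_PER_ATTRIBUTE):
    """Return {domain: {(header, value), ...}} for non-seed hosts sharing a rare attribute."""
    rare = rare_attributes(seed_domains, responses, max_hosts)
    hits = {}
    for domain, attrs in responses.items():
        shared = rare & set(attrs.items())
        if domain not in seed_domains and shared:
            hits[domain] = shared
    return hits


def hunt(seed_domains, seed_ips, pdns, responses):
    """Merge both pivots into {domain: {"ips": set, "attributes": set}} with the evidence."""
    report = defaultdict(lambda: {"ips": set(), "attributes": set()})
    for domain, ips in pivot_on_ips(seed_domains, seed_ips, pdns).items():
        report[domain]["ips"] |= ips
    for domain, attrs in pivot_on_attributes(seed_domains, responses).items():
        report[domain]["attributes"] |= attrs
    return dict(report)


if __name__ == "__main__":
    for domain, evidence in sorted(hunt(SEED_DOMAINS, SEED_IPS, PDNS, HOST_RESPONSES).items()):
        print(domain, "ips:", sorted(evidence["ips"]), "attributes:", sorted(evidence["attributes"]))
```

With the sample data, `getcoinprice.info` is surfaced by both pivots (it shares 70.34.245.118 with a seed and carries the same rare `x-app-id` value), while the parked domains on 198.51.100.7 are ignored because that IP exceeds the tenant threshold and `server: nginx` is ignored because it is common across the corpus. A candidate returned by only one pivot warrants manual review rather than automatic blocking.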

MITRE Techniques:

  • External Remote Services (T1133): Used for C2 communication via unique domain names.
  • Domain Generation Algorithms (T1483): Identified through pivots on shared features among multiple domains.
  • Application Layer Protocol (T1573): Involved in C2 communication through HTTP requests with specific header values.

Indicators of Compromise:

  • [Domain] getstockprice[.]com
  • [Domain] trashcrease[.]com
  • [IP Address] 70.34.245[.]118
  • [IP Address] 185.236.231[.]224
  • [Domain] getcoinprice[.]info

Full Story: https://www.validin.com/blog/bybit_hack_infrastructure_hunt/