North Korea’s Lazarus Group Uncovered Hidden Administrative Layer for Cryptocurrency Attacks
An ongoing investigation into recent attacks by North Korea’s Lazarus group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the threat actor has been using to centrally manage the campaign’s command-and-control (C2) infrastructure.
The Investigation
The investigation by researchers at SecurityScorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data. Significantly, the threat actor is using the same Web-based admin platform in other campaigns, including one involving the impersonation of IT workers, the security vendor found.
Elaborate Operational Security
The company wrote in its report this week that the adversary was establishing a secondary session through a proxy after connecting to the VPN, thereby obscuring the true origin of the connection. SecurityScorecard said it was able to identify a total of six distinct IP addresses in Pyongyang that the threat actor used to initiate the Astrill VPN connections to Operation 99’s C2 network.
The Operational Network
"Phantom Circuit [is the] operational network behind the scenes that leads directly back to Pyongyang," Sherstobitoff says. It is also the same proxy network, he adds, that Lazarus used in another campaign in which members used stolen identities to impersonate IT workers and try to secure jobs at organizations they wanted to infiltrate.
Implications
The discovery of this hidden administrative layer highlights the sophistication and complexity of the Lazarus group’s operations. It also underscores the need for organizations to prioritize operational security and implement robust measures to detect and prevent such attacks.