Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Lazarus Group. Show all posts
Web Shell
ASP C2 Infrastructure Cybersecurity IIS server LazarLoader Lazarus Group malware Privilege Escalation Web Shell

Lazarus Group Intensifies Attacks on South Korean Web Servers

 

Researchers have uncovered a series of highly sophisticated cyberattacks by the notorious Lazarus group, targeting web servers in South Korea.

The attackers have been infiltrating IIS servers to deploy ASP-based web shells, which serve as the first-stage Command and Control (C2) servers. These initial C2 servers act as intermediaries, relaying communications to secondary C2 infrastructure, allowing deeper penetration into compromised systems.

First identified in January 2025, these latest attacks showcase an advancement of similar methods observed in May 2024, highlighting the persistent and evolving strategies employed by this state-sponsored group. The Lazarus group has consistently exploited legitimate web servers to establish attack infrastructures, refining their approach over time.

According to the AhnLab Security Intelligence Centre (ASEC), the latest campaign involved the installation of multiple ASP-based web shells on vulnerable IIS servers. One notable addition is the modified version of the "RedHat Hacker" web shell, stored under the filename "function2.asp." Unlike previous versions that used "1234qwer" as the authentication password, the latest variant now requires "2345rdx," reflecting an enhancement in security measures.

Other deployed web shells, such as "file_uploader_ok.asp" and "find_pwd.asp," grant the attackers extensive control over compromised servers. These tools enable file manipulation, process execution, and even SQL query operations.

To evade detection, these web shells employ advanced obfuscation techniques, remaining encoded in VBE format even after initial decoding. This complexity makes security analysis and detection significantly more challenging.

The structure of the malicious code further demonstrates the sophistication of these attacks. Initialization packets are verified by checking whether the second and third bytes contain the string "OK," while the first byte serves as an encryption key.

C2 Script Enhancements

The C2 script utilized in the January 2025 campaign acts as an intermediary between compromised servers and the attackers' infrastructure. Unlike previous versions, the updated script supports both form data and cookie-based communication, demonstrating ongoing refinements in Lazarus’ toolset.

Depending on the "code" field in the form data, the script executes different commands, including:
  • "MidRequest" – Data redirection
  • "ProxyCheck" – Mid Info storage
  • "ReadFile" and "WriteFile" – File manipulation
  • "ClientHello" – Response handling with Mid Info

These commands enable attackers to exert comprehensive control over infiltrated systems.

Beyond web shells, the attackers deployed the LazarLoader malware to download additional payloads. This advanced loader decrypts and executes payloads directly in memory, utilizing a 16-byte key identified as "Node.Js_NpmStart."

The attack sequence typically begins with web shell installation, followed by LazarLoader deployment via the w3wp.exe IIS web server process. To escalate privileges, the attackers use a malware component named "sup.etl," which functions as a packer for bypassing User Account Control (UAC).

Security experts strongly advise administrators to inspect web servers for vulnerabilities that could permit unauthorized file uploads, particularly targeting ASP-based web shells.

To minimize risks, organizations should implement:
  • Strict access controls to prevent lateral movement post-compromise.
  • Regular password rotation for enhanced security.
  • Continuous monitoring for unusual process activity, especially instances where w3wp.exe spawns unexpected processes.
  • Timely security updates to detect and mitigate known 
As Lazarus continues to refine its attack methodologies, proactive security measures are essential in defending against this persistent and highly sophisticated threat actor targeting critical infrastructure worldwide.
Read more »
Security Breach
Crypto Exchange Crypto Hack cryptocurrency Cyber Attacks Digital Assets Lazarus Group Security Breach

Bybit Crypto Exchange Hacked for $1.5 Billion in Largest Crypto Heist

 

Bybit, one of the world’s largest cryptocurrency exchanges, has suffered a massive security breach, resulting in the loss of $1.5 billion in digital assets. The hack, now considered the largest in crypto history, compromised the exchange’s cold wallet—an offline storage system designed to provide enhanced security against cyber threats. 

Despite the breach, Bybit CEO Ben Zhou assured users that other cold wallets remain secure and that withdrawals continue as normal. Blockchain analysis firms, including Elliptic and Arkham Intelligence, traced the stolen funds as they were quickly moved across multiple wallets and laundered through various platforms. Most of the stolen assets were in ether, which were liquidated swiftly to avoid detection. 

The scale of the attack far exceeds previous high-profile crypto thefts, including the $611 million Poly Network hack in 2021 and the $570 million stolen from Binance’s BNB token in 2022. Investigators later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking organization known for targeting cryptocurrency platforms. The group has a history of siphoning billions from the digital asset industry to fund the North Korean regime. 

Experts say Lazarus employs advanced laundering techniques to hide the stolen funds, making recovery difficult. Elliptic’s chief scientist, Tom Robinson, confirmed that the hacker’s addresses have been flagged in an attempt to prevent further transactions or cash-outs on other exchanges. However, the sheer speed and sophistication of the operation suggest that a significant portion of the funds may already be out of reach. The news of the breach sent shockwaves through the crypto community, triggering a surge in withdrawals as users feared the worst. 

While Bybit has managed to stabilize outflows, concerns remain over the platform’s ability to recover from such a massive loss. To reassure customers, Bybit announced that it had secured a bridge loan from undisclosed partners to cover any unrecoverable losses and maintain operations. The Lazarus Group’s involvement highlights the persistent security risks in the cryptocurrency industry. Since 2017, the group has orchestrated multiple cyberattacks, including the theft of $200 million in bitcoin from South Korean exchanges. 

Their methods have become increasingly sophisticated, exploiting vulnerabilities in crypto platforms to fund North Korea’s financial needs. Industry experts warn that large-scale thefts like this will continue unless exchanges implement stronger security measures. Robinson emphasized that making it harder for criminals to profit from these attacks is the best deterrent against future incidents. 

Meanwhile, law enforcement agencies and crypto-tracking firms are working to trace the stolen assets in hopes of recovering a portion of the funds. While exchanges have made strides in improving security, cybercriminals continue to find ways to exploit weaknesses, making robust protections more crucial than ever.
Read more »
US Court
cryptocurrency Lazarus Group Privacy Software US Court

US Court Rules Against Tornado Cash Sanctions




A U.S. appeals court has ruled that the Treasury Department overstepped its authority when it imposed sanctions on the cryptocurrency mixer Tornado Cash in 2022. The department accused Tornado Cash of facilitating over $7 billion in the laundering of funds, a portion of which was reportedly linked to North Korean hackers. However, the court stated that the sanctions were not lawfully justified under federal law.


Tornado Cash is a cryptocurrency mixer—a type of software that anonymizes digital transactions. It helps users conceal the origin and ownership of their cryptocurrencies by pooling and shuffling deposits. The Treasury's Office of Foreign Assets Control (OFAC) has blacklisted Tornado Cash under the International Emergency Economic Powers Act (IEEPA), as it was alleged that it had been used for laundering cybercrime proceeds, among which is $455 million reportedly stolen by the Lazarus Group, a North Korean hacking group.


Court's Ruling and Key Arguments

This came about with a decision by a panel of three judges from the New Orleans 5th U.S. Circuit Court of Appeals. A spokesperson from the panel, Judge Don Willett, wrote, "The smart contracts forming Tornado Cash did not constitute 'property.'" Law puts the authorization of regulating the property to OFAC but held that because these were immutables and unchangeables, the codes could neither be owned nor controlled hence would exempt from sanctions.


The court acknowledged that the risks that technologies like Tornado Cash pose are legitimate, but it held that updating the law to address such issues is the job of Congress, not the judiciary.

The lawsuit challenging the sanctions was brought by six Tornado Cash users with the financial support of Coinbase, a major cryptocurrency exchange. The court's decision was called a "historic win for crypto and liberty" by Paul Grewal, Coinbase's chief legal officer. Coinbase had argued that sanctioning an entire technology could stifle innovation and harm privacy rights. 


Legal Troubles for Tornado Cash Developers

Despite the court ruling, there are still legal problems for those associated with Tornado Cash. In May, developer Alexey Pertsev was sentenced to over five years in prison in the Netherlands for money laundering. Founders of Tornado Cash, Roman Semenov and Roman Storm, are also charged with money laundering and sanctions violations in the United States.


The Bigger Picture 

This case, therefore, underlines the legal and ethical challenges of privacy-focused technologies such as cryptocurrency mixers. It also calls for updated regulations to balance innovation, privacy, and security in the digital age.


Read more »
PeckShield
Bitcoin Bitcoin hacked Chainalysis cryptocurrency cryptocurrency hack Cyber Attacks Lazarus Group PeckShield

DMM Bitcoin Hack: 500 BTC Transfer Linked to $305 Million Theft Raises New Concerns

 

A cryptocurrency address linked to the $305 million DMM Bitcoin hack in May has reportedly transferred 500 Bitcoin, valued at approximately $30.4 million. On August 22, PeckShield Alert reported that the suspect address initially split the funds into two separate addresses, each receiving around 250 BTC. This movement of funds marks a significant development in the aftermath of the DMM Bitcoin hack, which remains one of the most substantial cryptocurrency thefts of 2024. The DMM Bitcoin hack, which occurred in May, resulted in the theft of 4,502.9 BTC, valued at approximately $305 million at the time. 

The current value of the stolen Bitcoin is just over $274 million. In response to the breach, DMM Bitcoin quickly raised $320 million to reimburse affected users, demonstrating the exchange’s commitment to mitigating the impact of the hack on its customers. Blockchain investigator ZachXBT previously attributed the attack to the Lazarus Group, a notorious hacking organization allegedly linked to the Democratic People’s Republic of Korea. The Lazarus Group has been implicated in several high-profile cyberattacks, and its involvement in the DMM Bitcoin hack highlights the growing sophistication of cybercriminals targeting the cryptocurrency industry. 

According to on-chain analysts, the methods used to launder the stolen funds and various off-chain indicators strongly suggest the Lazarus Group’s involvement in the heist. Following the hack, the attackers reportedly split the stolen Bitcoin into smaller batches of 500 BTC and transferred them to new wallets. PeckShield identified that the latest funds moved since the May 31 incident originated from one of these wallets. This strategy of splitting and moving funds is a common tactic among cybercriminals to obfuscate the trail of stolen assets and avoid detection. 

In July, ZachXBT alleged that the attackers transferred approximately $35 million worth of Bitcoin to the Cambodia-based exchange Huione Guarantee. The exchange has faced accusations of facilitating the laundering of funds from various crypto hacks, pig butchering scams, and other illicit activities. The involvement of exchanges like Huione underscores the challenges in tracking and recovering stolen cryptocurrency, as these platforms can serve as intermediaries for converting stolen assets into fiat currency or other cryptocurrencies. 

The DMM Bitcoin hack is a significant addition to the growing list of cryptocurrency thefts in 2024, which had already claimed over $473 million in losses before this incident. The hack is the second largest in Japan’s history, following the 58 billion yen loss suffered by Coincheck in 2018. In the aftermath of the DMM Bitcoin hack, the exchange halted all spot trading on its platform and warned that withdrawals in Japanese yen might take longer than usual, as they implemented measures to prevent further unauthorized outflows. This incident also highlights broader trends in the cryptocurrency industry. 

According to a Chainalysis report, while illegal activity on blockchain networks has decreased by almost 20% year-to-date, malware attacks and stolen funds have surged. Stolen funds inflows doubled to $1.58 billion compared to $857 million last year, and ransomware inflows climbed around 2%, reaching $459.8 million. The DMM Bitcoin hack serves as a stark reminder of the ongoing vulnerabilities in the cryptocurrency sector and the need for enhanced security measures to protect digital assets from increasingly sophisticated cyber threats.
Read more »
North Korea Hackers
cyber attack Financial Exploit Laundering Lazarus Group Linkedin North Korea Hackers

North Korean Hackers Exploit LinkedIn in Targeted Attacks

 


The North Korean hacker group Lazarus has once again made headlines, this time for exploiting LinkedIn in their cyber operations. According to a report by blockchain security analytics firm SlowMist, Lazarus hackers are leveraging the professional networking platform to target unsuspecting users and pilfer their assets through malware attacks.


LinkedIn Used as a Trojan Horse

This involves Lazarus members masquerading as blockchain developers seeking employment opportunities in the cryptocurrency industry. By posing as job seekers, they lure in vulnerable targets, enticing them to share access to their code repositories under the guise of collaborative work. However, the innocuous-seeming code snippets provided by the hackers contain malicious elements designed to syphon off confidential information and assets from the victims' systems.


History of Innovation in Cybercrime

This tactic isn't new for Lazarus, as they previously employed a similar strategy in December 2023, posing as recruiters from Meta. Back then, they convinced victims to download malware-infected coding challenges, which, when executed, granted remote access to their computers.


Lazarus: A Cyber Threat

Lazarus has earned a notorious reputation in the cybersecurity realm since its emergence in 2009. The group is infamous for orchestrating some of the largest cryptocurrency heists, including the 2022 Ronin Bridge hack, which saw a staggering $625 million being stolen.


Laundering Techniques

Once they've plundered their ill-gotten gains, Lazarus employs sophisticated techniques, such as crypto mixing services, to launder the funds back to North Korea. Reports suggest these funds are funnelled into financing the country's military endeavors.


Industry Response and Countermeasures

In response to persistent cyber threats, crypto companies are advocating for heightened security measures and conducting awareness seminars to educate employees about potential risks. The industry's proactive stance has led to the implementation of robust security protocols and increased investment in cybersecurity to safeguard against data breaches and financial theft.


The recent exploits by Lazarus serve as a stark reminder of the ever-present dangers lurking in the digital realm. As cyber threats continue to expand, it's imperative for individuals and organisations alike to remain careful and adopt proactive measures to mitigate risks and be digitally secured.


By staying informed and proactive, investors, traders, and social media users can collectively work towards thwarting cyber threats and safeguarding digital assets in an increasingly interconnected world.


Read more »
Tornado Cash
Axie Infinity cryptocurrency theft Cyber Crime decentralized mixers Horizon Bridge law enforcement actions Lazarus Group North Korean Hackers Sinbad.io Tornado Cash

Lazarus Group Hackers Resurface Utilizing Tornado Cash for Money Laundering

 

The Lazarus hacking group from North Korea is reported to have reverted to an old tactic to launder $23 million obtained during an attack in November. According to investigators at Elliptic, a blockchain research company, the funds, which were part of the $112.5 million stolen from the HTX cryptocurrency exchange, have been laundered through the Tornado Cash mixing service.

Elliptic highlighted the significance of this move, noting that Lazarus had previously switched to Sinbad.io after U.S. authorities sanctioned Tornado Cash in August 2022. However, Sinbad.io was later sanctioned in November. Elliptic observed that Lazarus Group appears to have resumed using Tornado Cash to obscure the trail of their transactions, with over $23 million laundered through approximately 60 transactions.

The researchers explained that this shift in behavior likely stems from the limited availability of large-scale mixers following law enforcement actions against services like Sinbad.io and Blender.io. Despite being sanctioned, Tornado Cash continues to operate due to its decentralized nature, making it immune to seizure and shutdown like centralized mixers.

Elliptic has been monitoring the movement of the stolen $112.5 million since HTX attributed the incident to Lazarus. The funds remained dormant until March 13 when they were observed passing through Tornado Cash, corroborated by other blockchain security firms.

North Korean hackers utilize services such as Tornado Cash and Sinbad.io to conceal the origins of their ill-gotten gains and convert them into usable currency, aiding the regime in circumventing international sanctions related to its weapons programs, as per U.S. government claims.

According to the U.S. Treasury Department, North Korean hackers have utilized Sinbad and its precursor Blender.io to launder a portion of the $100 million stolen from Atomic Wallet customers in June, as well as substantial amounts from high-profile crypto thefts like those from Axie Infinity and Horizon Bridge.

Researchers estimate that North Korean groups pilfered around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. The Lazarus Group, operational for over a decade, has reportedly stolen over $2 billion worth of cryptocurrency to finance North Korea's governmental activities, including its weapons programs, as stated by U.S. officials. The group itself faced U.S. sanctions in 2019.
Read more »
record $1 billion
blockchain analytics crypto assets theft cryptocurrency hacks Cyber Attacks cybersecurity trends Kimsuky Lazarus Group North Korean cyber attacks record $1 billion

Cyber Attacks by North Korean Hackers on Cryptocurrency Platforms Reach $1 Billion in 2023

 

A recent study by Chainalysis, a blockchain analytics firm, has revealed a surge in cyber attacks on cryptocurrency platforms linked to North Korea. The data, covering the period from 2016 to 2023, indicates that 20 crypto platforms were targeted by North Korean hackers in 2023 alone, marking the highest level in the recorded period.

According to the report, North Korean hackers managed to steal just over $1 billion in crypto assets in the past year. While this amount is slightly less than the record $1.7 billion stolen in 2022, the increasing trend is a cause for concern among cybersecurity experts.

Chainalysis highlighted the growing threat from cyber-espionage groups like Kimsuky and Lazarus Group, employing various malicious tactics to accumulate significant amounts of crypto assets. This aligns with the Federal Bureau of Investigation's (FBI) previous attribution of a $100 million crypto heist on the Horizon Bridge in 2022 to North Korea-linked hackers.

Supporting these findings, TRM Labs, a blockchain intelligence firm, reported that North Korea-affiliated hackers stole at least $600 million in crypto assets in 2023. The frequency and success of these attacks underscore the sophistication and persistence of North Korea's cyber capabilities.

The report cited a notable incident in September, where the FBI confirmed that North Korea's Lazarus Group was responsible for stealing around $41 million in crypto assets from the online casino and betting platform Stake.com. Investigations led to the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioning Sinbad.io, a virtual currency mixer identified as a key money-laundering tool for Lazarus Group.

Global efforts to counter the threat include sanctions, particularly as previous research indicated that North Korea-affiliated hackers used stolen crypto funds to finance nuclear weapons programs. The UN has imposed sanctions to limit the regime's access to funding sources supporting its nuclear activities.

TRM Labs emphasized the need for ongoing vigilance and innovation from businesses and governments, stating, "With nearly $1.5 billion stolen in the past two years alone, North Korea’s hacking prowess demands continuous vigilance and innovation from business and governments."

Despite advancements in cybersecurity and increased international collaboration, the report predicts that 2024 is likely to see further disruptions from North Korea, posing a challenge for the global community to strengthen defenses against the relentless digital attacks. The report was released by CNBC.
Read more »
USA officials
Crypto Crypto Currency Crypto Market Cryptominers cryptomixer Data Breach Lazarus Group North Korean Hackers State Sponsored Hackers USA officials

U.S. Seizes Sinbad Crypto Mixer Tied to North Korean Hackers

Federal authorities in the United States have effectively confiscated the Sinbad crypto mixer, a tool purportedly used by North Korean hackers from the Lazarus organization, in a key action against cybercriminal activities. The operation, which focused on the Lazarus group's illegal financial operations, is an important development in the continuous international effort to tackle cyber threats.

The Lazarus organization, a state-sponsored hacker outfit renowned for coordinating high-profile cyberattacks, is connected to North Korea, which is how the Sinbad cryptocurrency mixer got its reputation. A crucial component of this operation was reportedly played by the U.S. Department of Treasury.

The WannaCry ransomware assault in 2017 and the notorious Sony Pictures hack from 2014 are only two of the cybercrimes the Lazarus organization has been connected to. These occurrences highlight the group's advanced capabilities and possible threat to international cybersecurity.

The Sinbad crypto mixer, seized by U.S. authorities, was allegedly used by the Lazarus group to obfuscate and launder cryptocurrency transactions. Cryptocurrency mixers are tools designed to enhance privacy and security by mixing transactions with those of other users, making it challenging to trace the source and destination of funds. However, when used for illicit purposes, such mixers become a focal point for law enforcement.

The U.S. Department of the Treasury issued a press release on the matter, emphasizing the government's commitment to countering cyber threats and safeguarding the financial system's integrity. The move is part of a broader strategy to disrupt the financial networks that support malicious cyber activities.

The US Treasury Secretary stated, "The seizure of the Sinbad crypto mixer is a clear signal that the United States will not tolerate those who use technology to engage in malicious cyber activities. We are committed to holding accountable those who threaten the security and stability of our financial systems."

This operation highlights the collaboration between law enforcement agencies and the private sector in tackling cyber threats. It serves as a reminder of the importance of international cooperation to address the evolving challenges posed by state-sponsored hacking groups.

The seizure of the Sinbad cryptocurrency mixer is evidence of the determination of authorities to safeguard people, companies, and countries from the dangers of cybercrime, particularly at a time when the world community is still struggling to contain the sophistication of cyber threats.
Read more »
Subscribe to: Posts (Atom)