Attributing CryptoCore Attacks Against Crypto Exchanges to LAZARUS (North Korea)
2021-05-24 • Clearskysec
https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf
ClearSky assesses with medium-high confidence that the CryptoCore campaign targeting cryptocurrency exchanges is linked to North Korea’s Lazarus group. The activity, also tracked as CryptoMimic or Dangerous Password, targeted exchanges in Israel, the United States, Europe, and Japan over roughly three years and was associated with theft of cryptocurrency wallets worth hundreds of millions of dollars. The report connects ClearSky, F-Secure, JPCERT/CC, and NTT Security findings by comparing victimology, social-engineering tradecraft, VBS scripts, RAT and stealer tooling, and similarities to known Lazarus operations. The source is careful to frame the attribution as a research-backed likelihood rather than certainty.
Indicators of Compromise