Lazarus BTC Changer: Back in action with JS sniffers redesigned to steal crypto
2021-04-14 • Group-IB
Group-IB links Lazarus to BTC Changer, a modified JavaScript sniffer campaign that shifted from stealing payment-card data to stealing cryptocurrency payments from e-commerce sites. The researchers connect BTC Changer to the earlier clientToken= infrastructure by shared compromised websites and similar script functions, while noting that the new version replaced shop BTC or ETH destination addresses with attacker-controlled wallets. The campaign affected online stores including Realchems and Wongs Jewellers, and reused luxmodelagency[.]com to host malicious JavaScript. Group-IB also observed a fake payment form opened in an iframe and a Korean-locale artifact in the saved form, adding attribution context to the Lazarus assessment.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | fb3f47bbd5fe5b7a89f7305688823cd… | 2021-04-14 | 2021-04-14 |
| HASH | e889dc3c95d160c30d675351e6ba105… | 2021-04-14 | 2021-04-14 |
| HASH | c8f27cf9b6fe3de41642c75f64ce955… | 2021-04-14 | 2021-04-14 |
| HASH | 06ac32672777f4b7b3e890a9afabde9… | 2021-04-14 | 2021-04-14 |
| HASH | d36a330038c7ec5b04c6e5da4207108… | 2021-04-14 | 2021-04-14 |
| HASH | 51043929f82412a87be8fc315f73c0f… | 2021-04-14 | 2021-04-14 |
| HASH | 79570a46d94301c0b89a8fd0539b077… | 2021-04-14 | 2021-04-14 |
| DOMAIN | coinpayments.net | 2021-04-14 | 2021-04-14 |
| DOMAIN | signedbooksandcollectibles.com | 2020-07-06 | 2021-04-14 |
| DOMAIN | technokain.com | 2020-07-06 | 2021-04-14 |
| DOMAIN | stefanoturco.com | 2020-07-06 | 2021-04-14 |
| DOMAIN | luxmodelagency.com | 2020-07-06 | 2021-04-14 |
| DOMAIN | areac-agr.com | 2019-12-17 | 2021-04-14 |
| DOMAIN | darvishkhan.net | 2019-07-02 | 2021-04-14 |