The Slow Mist Security Team Reveals the Intrusion Tactics of the Lazarus Group
Original Title: “Cryptocurrency APT Intelligence: Unveiling Lazarus Group's Intrusion Techniques”
Author: 23pds & Thinking (Slow Mist Security Team)
Compiled by: lenaxin, ChainCatcher
Background
Since June 2024, the Slow Mist Security Team has received invitations from multiple teams to conduct forensic investigations into several hacking incidents. After accumulating preliminary data and conducting an in-depth analysis over the past 30 days, we have completed a review of the hacking techniques and intrusion paths. The results indicate that this is a nation-state APT attack targeting cryptocurrency exchanges. Through forensic analysis and correlation tracking, we confirmed that the attackers are indeed the Lazarus Group.
After obtaining relevant IOCs (Indicators of Compromise) and TTPs (Tactics, Techniques, and Procedures), we promptly shared this intelligence with our partners. We also discovered that other partners had encountered the same attack methods and intrusion techniques. However, they were relatively fortunate—during the intrusion process, the hackers triggered some security alerts, and with the timely response of the security teams, the attack was successfully thwarted.
Given the recent ongoing APT attacks against cryptocurrency exchanges, the situation has become increasingly severe. After communicating with the relevant parties, we decided to sanitize and publicly release the IOCs and TTPs of the attacks so that community partners can defend themselves and self-check in a timely manner. Due to confidentiality agreements, we cannot disclose much specific information about our partners; the remainder of this article therefore focuses on the IOCs and TTPs of the attacks.
Attacker Information
Attacker Domains:
- gossipsnare[.]com, 51.38.145.49:443
- showmanroast[.]com, 213.252.232.171:443
- getstockprice[.]info, 131.226.2.120:443
- eclairdomain[.]com, 37.120.247.180:443
- replaydreary[.]com, 88.119.175.208:443
- coreladao[.]com
- cdn.clubinfo[.]io
IPs Involved in the Incidents:
- 193.233.171[.]58
- 193.233.85[.]234
- 208.95.112[.]1
- 204.79.197[.]203
- 23.195.153[.]175
Attackers' GitHub Usernames:
- https://github.com/mariaauijj
- https://github.com/patriciauiokv
- https://github.com/lauraengmp
Attackers' Social Accounts:
- Telegram: @tanzimahmed88
Backdoor Program Names:
- StockInvestSimulator-main.zip
- MonteCarloStockInvestSimulator-main.zip
- Similar variants named …StockInvestSimulator-main.zip, etc.
Real Project Code:
(https://github.com/cristianleoo/montecarlo-portfolio-management)
Attackers' Altered Fake Project Code:
Upon comparison, it can be seen that the data directory contains an additional data_fetcher.py file, which defines a suspicious custom YAML Loader:

Backdoor Techniques Used by Attackers
The attackers utilized pyyaml for RCE (Remote Code Execution), enabling the delivery of malicious code to control target computers and servers. This method bypassed the detection of most antivirus software. After synchronizing intelligence with partners, we obtained multiple similar malicious samples.
Key Technical Analysis Reference: https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation#how-to-disable-the-warning
The Slow Mist Security Team successfully reproduced the attack technique used by the attackers to perform RCE (Remote Code Execution) using pyyaml through in-depth analysis of the samples.
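As an added defensive example (not code from the original article, and not the attackers' sample), the following standard-library scanner flags the pattern described above in Python source: a project-defined subclass of an unsafe PyYAML loader, registration of custom tag constructors, and yaml.load calls that do not use SafeLoader. The source it scans is a constructed sample written to resemble the described data_fetcher.py, not the real file.

```python
import ast
# Only SafeLoader/CSafeLoader refuse Python-specific tags; the others build arbitrary objects.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
LOAD_FUNCS = {"yaml.load", "yaml.load_all"}  # only the attribute form `yaml.load(...)` is matched

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def audit_source(source):
    """Return sorted (lineno, message) findings for risky PyYAML usage in Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # A project-defined subclass of an unsafe loader is where custom tag constructors hide.
            for base in node.bases:
                name = (dotted(base) or "").rsplit(".", 1)[-1]
                if name in UNSAFE_LOADERS:
                    findings.append((node.lineno, f"class {node.name} subclasses yaml.{name}"))
        elif isinstance(node, ast.Call):
            func = dotted(node.func)
            if func in LOAD_FUNCS:
                loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"),
                              node.args[1] if len(node.args) > 1 else None)
                name = (dotted(loader) or "<expression>").rsplit(".", 1)[-1] if loader is not None else None
                if name is None:
                    findings.append((node.lineno, f"{func}() without Loader= (unsafe default before PyYAML 5.1)"))
                elif name not in SAFE_LOADERS:
                    findings.append((node.lineno, f"{func}(..., Loader={name}) is not SafeLoader"))
            elif func and func.endswith(".add_constructor"):
                findings.append((node.lineno, f"{func}() registers a custom tag constructor"))
    return sorted(findings)

# Constructed sample in the style described above; not the attackers' actual data_fetcher.py.
SUSPICIOUS_SAMPLE = '''\
import yaml, requests
class Loader(yaml.Loader):
    pass
Loader.add_constructor("!stock", lambda l, n: l.construct_scalar(n))
def fetch_config(url):
    return yaml.load(requests.get(url).text, Loader=Loader)
'''
```

Running audit_source over each .py file of a downloaded "debugging" project before executing it surfaces exactly the three signals above; a clean project using yaml.safe_load produces no findings.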
Key Analysis of the Attack
Objectives and Motives
Objective: The main goal of the attackers is to gain control over wallets by infiltrating the infrastructure of cryptocurrency exchanges, thereby illegally transferring large amounts of cryptocurrency assets from the wallets.
Motive: Attempting to steal high-value cryptocurrency assets.
Technical Means
- Initial Intrusion
  - The attackers used social engineering techniques to deceive employees into executing seemingly normal code on local devices or within Docker.
  - In this investigation, we found that the malware used by the attackers included StockInvestSimulator-main.zip and MonteCarloStockInvestSimulator-main.zip. These files masquerade as legitimate Python projects but are actually remote control Trojans; the attackers utilized pyyaml for RCE as the means of delivering and executing malicious code, bypassing detection by most antivirus software.
- Privilege Escalation
  - The attackers gained local control over employees' devices through the malware and deceived employees into setting the privileged option to true in docker-compose.yaml.
  - With the privileged option set to true, the attackers further escalated privileges and gained complete control over the target devices.
- Internal Reconnaissance and Lateral Movement
  - The attackers utilized the compromised employee computers to scan the internal network.
  - Subsequently, the attackers exploited vulnerabilities in internal services and applications to further infiltrate the company's internal servers.
  - The attackers stole SSH keys from critical servers and leveraged the whitelist trust relationships between servers to move laterally to the wallet servers.
- Cryptocurrency Asset Transfer
  - After gaining control over the wallets, the attackers illegally transferred large amounts of cryptocurrency assets to wallet addresses under their control.
- Covering Tracks
  - The attackers used legitimate corporate tools, application services, and infrastructure as a springboard to obscure the true source of their activities, and deleted or destroyed log data and sample data.
Process
The attackers deceived their targets through social engineering; common methods included:
- Posing as project representatives, seeking key target developers for help debugging code, and expressing willingness to pay in advance to gain trust.
After tracking relevant IP and UA information, we found that this transaction was a third-party payment with little value.
- The attackers posed as automated trading or investment personnel, providing trading analysis or quantitative code, deceiving key targets into executing malicious programs. Once the malicious program runs on the device, it establishes a persistent backdoor and provides the attackers with remote access.
- The attackers utilized the compromised devices to scan the internal network, identifying key servers and further penetrating the corporate network by exploiting vulnerabilities in enterprise applications. All attack activities were conducted through the VPN traffic of the compromised devices, thereby bypassing detection by most security devices.
- Once the attackers successfully gained access to the relevant application servers, they would steal the SSH keys from critical servers, using the permissions of these servers to perform lateral movement, ultimately controlling the wallet servers and transferring cryptocurrency assets to external addresses. Throughout the process, the attackers cleverly utilized internal corporate tools and infrastructure, making their attack activities difficult to detect quickly.
- The attackers would deceive employees into deleting the debugging programs they ran and offer debugging rewards to cover up the traces of the attack.
Additionally, some deceived employees, fearing accountability, might proactively delete relevant information, leading to delays in reporting the incident and making investigation and evidence collection more challenging.
Recommendations for Response
APT (Advanced Persistent Threat) attacks are highly difficult to defend against because of their concealment, clear objectives, and long-term infiltration. Traditional security measures often struggle to detect their complex intrusion behaviors. It is therefore necessary to combine multi-layered network security solutions, such as real-time monitoring, anomaly traffic analysis, endpoint protection, and centralized log management, to detect traces of an intrusion early and respond to threats effectively. The Slow Mist Security Team proposes eight major defense directions and recommendations as a reference for community partners when deploying defenses:
1. Network Proxy Security Configuration
Objective: Configure security policies on network proxies to achieve security decision-making and service management based on a zero-trust model.
Solutions: Fortinet (https://www.fortinet.com/), Akamai (https://www.akamai.com/glossary/where-to-start-with-zero-trust), Cloudflare (https://www.cloudflare.com/zero-trust/products/access/), etc.
2. DNS Traffic Security Protection
Objective: Implement security controls at the DNS layer to detect and block requests resolving known malicious domains, preventing DNS spoofing or data leakage.
Solutions: Cisco Umbrella (https://umbrella.cisco.com/), etc.
3. Network Traffic/Host Monitoring and Threat Detection
Objective: Analyze the data flow of network requests, monitor abnormal behavior in real time, and identify potential attacks (e.g., IDS/IPS); install HIDS on servers to detect attackers' exploitation attempts early.
Solutions: SolarWinds Network Performance Monitor (https://www.solarwinds.com/), Palo Alto (https://www.paloaltonetworks.com/), Fortinet (https://www.fortinet.com/), Alibaba Cloud Security Center (https://www.alibabacloud.com/zh/product/security_center), GlassWire (https://www.glasswire.com/), etc.
4. Network Segmentation and Isolation
Objective: Divide the network into smaller, isolated areas to limit the spread of threats and enhance security control capabilities.
Solutions: Cisco Identity Services Engine (https://www.cisco.com/site/us/en/products/security/identity-services-engine/index.html), cloud platform security group policies, etc.
5. System Hardening Measures
Objective: Implement security hardening strategies (e.g., configuration management, vulnerability scanning, and patch updates) to reduce system vulnerabilities and enhance defense capabilities.
Solutions: Tenable.com (https://www.tenable.com/), public.cyber.mil (https://public.cyber.mil), etc.
6. Endpoint Visibility and Threat Detection
Objective: Provide real-time monitoring of endpoint device activity, identify potential threats, and support rapid response (e.g., EDR); enforce application whitelisting so that abnormal programs are discovered and alerted on promptly.
Solutions: CrowdStrike Falcon (https://www.crowdstrike.com/), Microsoft Defender for Endpoint (https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint), Jamf (https://www.jamf.com/) or WDAC (https://learn.microsoft.com/en-us/hololens/windows-defender-application-control-wdac), etc.
7. Centralized Log Management and Analysis
Objective: Integrate log data from different systems into a unified platform for tracking, analyzing, and responding to security incidents.
Solutions: Splunk Enterprise Security (https://www.splunk.com/), Graylog (https://graylog.org/), ELK (Elasticsearch, Logstash, Kibana), etc.
8. Cultivating Team Security Awareness
Objective: Raise security awareness among organizational members, enabling them to recognize most social engineering attacks and proactively report anomalies after incidents for timely investigation.
Solutions: Blockchain Dark Forest Self-Rescue Manual (https://darkhandbook.io/), Web3 Phishing Techniques Analysis (https://github.com/slowmist/Knowledge-Base/blob/master/security-research/Web3%20%E9%92%93%E9%B1%BC%E6%89%8B%E6%B3%95%E8%A7%A3%E6%9E%90.pdf), etc.
Additionally, we recommend periodically conducting red-blue team drills to identify weaknesses in security process management and defense deployment.
In Conclusion
Attack incidents often occur during weekends and traditional holidays, posing significant challenges for incident response and resource coordination. Throughout this process, members of the Slow Mist Security Team, including 23pds (Shan Ge), Thinking, Reborn, and others, remained vigilant, taking turns on emergency response during the holidays to continuously advance the investigation and analysis. Ultimately, we successfully reconstructed the attackers' techniques and intrusion paths.
Reflecting on this investigation, we not only revealed the attack methods of the Lazarus Group but also analyzed their series of tactics involving social engineering, exploitation, privilege escalation, internal penetration, and fund transfer. At the same time, we summarized defense recommendations against APT attacks based on actual cases, hoping to provide references for the industry and help more organizations enhance their security capabilities and reduce the impact of potential threats. Cybersecurity defense is a protracted battle, and we will continue to monitor similar attacks, assisting the community in jointly resisting threats.