Group-IB研究人员发现了朝鲜黑客组织Lazarus-LazarusBTCChanger发起的加密货币窃取攻击。这是Lazarus组织首次使用JS嗅探器窃取加密货币。在这次活动中,Lazarus黑客还使用了与clientToken=活动相同的基础设施。2020年2月底,Group-IB研究人员发现Lazarus开始使用clientToken=活动中使用的恶意JS脚本的修改版本。新版JS脚本与原版同名,但银行卡收割功能已被加密货币窃取器取代,并开始攻击接受比特币支付的公司。Group-IB研究人员将新版本的恶意JS脚本命名为LazarusBTCChanger。攻击用攻击者的比特币地址替换了目标支付地址。、图1:LazarusBTCChanger部分源代码攻击者为了保存恶意JS文件,使用了被黑网站luxmodelagency[.]com。受感染网站中的内部JS文件也用于保存恶意JS。LazarusBTCChanger攻击活动受感染网站分析在分析LazarusBTCChanger时,研究人员发现了3个被黑网站,其中2个与clientToken=攻击活动相同,即“Realchems”(https://realchems.com/)和“王氏珠宝商”(https://www.wongsjewellers.co.uk/)。样本LazarusBTCChanger将传统JS嗅探器收集的银行卡信息替换为黑客拥有的比特币或以太坊地址。TheJScodecontainingBitcoinandEthereumaddressesisshowninFigure2:Figure2:LazarusBTCChangersamplecontainingBitcoinandEthereumaddressesBitcointransactionanalysisResearchersextractedtheattackersfromtheLazarusBTCChangersampletoreceive窃取资金的4个加密货币地址:0x460ab1c34e4388704c5e56e18D904Ed117D077CC1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evtaGroup-IB分析了与Lazarus控制的与比特币地址相关的交易,发现攻击者可能使用了CoinPayments.net。Theresearchersanalyzedthecashflowfromtheattacker’sBitcoinaddresstoaddress35dnPpcXMGEoWE1gerDoC5xS92SYCQ61y6andfound3transactionstoBitcoinwalletsownedbyCoinPayments.net.CoinPayments.netisapaymentgatewaythatallowsuserstotradeBitcoin,Ethereum,andothercryptocurrencies.Therefore,LazarusmayhaveusedCoinPayments.netforcryptocurrencyexchangesandtransferstoexternalcryptocurrencyaddresses.Intheory,thesite'sKYCrulescouldhelpidentifytheindividualsbehindtheattack.WalletAnalysisJudgingfromtheextractedBitcoinaddresses,theattackerhastransferred0.89993859BTCworth$526.11millionsofar.ThetwoBitcoinaddressesusedtostealfundsreceivedatotalof43transactions.JudgingfromtheextractedEthereumaddress,atotalof29transactionswerereceived,withatotalprofitof4.384719ETH,worth$9047.Formoretechnicaldetails,see:https://www.group-ib.com/blog/btc_changerThisarticleistranslatedfrom:https://www.group-ib.com/blog/btc_changer
