North Korean threat actors, known as the Lazaro Group, have supervised the command and control (C2) infrastructure using the “Web -based management platform” and gain the ability to supervise all aspects of the campaign. Masu.
“Each C2 server has hosted a web -based management platform built with the React application and the Node.js API,” said the SecurityScorecard strike team in a new report shared with hacker news. “This administrative layer was consistent with all analyzed C2 servers, even if the attacker changed the payload and obfuscation technology to avoid detection.”
The hidden framework is described as a comprehensive system and hub that allows attackers to organize and manage the peeling data, maintain infringed host monitoring, and process payload distribution.
The web -based administrator panel is related to a supply chain attack campaign called a phantom circuit operation for cryptocurrency sector and developers around the world, using a legitimate software package, including the backdoor. Is specified.
The campaign held between September 2024 and January 2025 is estimated to have asserted 233 victims around the world, mostly identified in Brazil, France and India. In January alone, this activity targeted the unique victims of 110 India.
The Lazaro Group becomes a social engineering expert, uses Linkedin to seduce future targets and seduces as a initial infection vector, pretending to be a collaborative collaboration of advantageous employment opportunities and cryptographic projects.
The link of operation to Pyongyang is due to the discovery of six North Korean IP addresses that had previously been connected due to the use of ASTLILL VPN, which had previously been linked to the fraudulent information technology (IT) worker scheme. 。 ASTLILL VPN EXIT Node and Oculus Proxy Points.
“The difficult -to -read traffic has ultimately reached the C2 infrastructure hosted by the Stark Industries server. These servers have promoted payload distribution, victim management, and data removal,” SecurityScorecard said SecurityScorecard. I mentioned it.
Further analysis of the administrator component has revealed that threat actors can display expansion data from the victims, as well as interest searches and filters.
“By embedding a difficult backdoor in a legal software package, Lazaros implements an application that has infringed users and removes sensitive data via a command and control (C2) server via port 1224. The company has been able to manage the victims. “
“The infrastructure of the campaign has influenced more than 233 victims around the world, utilizing the reaction -based web advanced panel and Node.js API hidden for the concentration of stolen data. 。 Intermediate proxy.
Source link
