{"id":43087,"date":"2021-05-24T18:57:04","date_gmt":"2021-05-24T15:57:04","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=43087"},"modified":"2025-08-31T02:03:25","modified_gmt":"2025-08-30T23:03:25","slug":"report-lazarus-hackers-behind-cryptocore-attacks-on-bitcoin-exchanges","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/report-lazarus-hackers-behind-cryptocore-attacks-on-bitcoin-exchanges\/","title":{"rendered":"Report: Lazarus hackers behind CryptoCore attacks on Bitcoin exchanges"},"content":{"rendered":"<p>The Lazarus hacking group, linked to the North Korean authorities, has for several years been compromising Bitcoin exchanges worldwide under the CryptoCore banner. Security researchers from ClearSky <a href=\"https:\/\/www.clearskysec.com\/cryptocore-lazarus-attribution\/\" target=\"_blank\" rel=\"noopener\">arrived at<\/a> this conclusion.<\/p>\n<p>The attackers drained the wallets of users and trading-platform staff through targeted phishing: in their exchanges with victims, the hackers urged them to download a malicious file.<\/p>\n<p>ClearSky compared reports on these attacks from F-Secure, JPCERT\/CC and NTT Security. 
In addition to similarities in behavior and code, the CryptoCore malware exhibits distinctive traits captured by the YARA rules (rules used to identify and classify malware) that ESET and Kaspersky have published for Lazarus.<\/p>\n<div id=\"attachment_136468\" style=\"width: 1434px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-136468\" class=\"size-full wp-image-136468\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara.jpeg\" alt=\"Report: Lazarus hackers behind CryptoCore attacks on Bitcoin exchanges\" width=\"1424\" height=\"363\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara.jpeg 1424w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara-300x76.jpeg 300w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara-1024x261.jpeg 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara-768x196.jpeg 768w\" sizes=\"auto, (max-width: 1424px) 100vw, 1424px\" \/><\/p>\n<p id=\"caption-attachment-136468\" class=\"wp-caption-text\">The YARA rule matches the Lazarus RAT described in the ESET report. 
Data: ClearSky.<\/p>\n<\/div>\n<p>One of the YARA rules matches an older remote access Trojan (RAT) that Kaspersky reported in 2016.<\/p>\n<div id=\"attachment_136469\" style=\"width: 1340px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-136469\" class=\"size-full wp-image-136469\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara2.jpeg\" alt=\"Report: Lazarus hackers behind CryptoCore attacks on Bitcoin exchanges\" width=\"1330\" height=\"156\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara2.jpeg 1330w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara2-300x35.jpeg 300w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara2-1024x120.jpeg 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreRAT_Yara2-768x90.jpeg 768w\" sizes=\"auto, (max-width: 1330px) 100vw, 1330px\" \/><\/p>\n<p id=\"caption-attachment-136469\" class=\"wp-caption-text\">Data: ClearSky.<\/p>\n<\/div>\n<p>Overall, across the F-Secure, NTT Security and JPCERT\/CC reports, ClearSky found 40 shared indicators of compromise (IoCs), a nearly identical VBS script, and similar RATs and stagers.<\/p>\n<div id=\"attachment_136470\" style=\"width: 1357px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-136470\" class=\"size-full wp-image-136470\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreVBS.jpeg\" alt=\"Report: Lazarus hackers behind CryptoCore attacks on Bitcoin exchanges\" width=\"1347\" height=\"436\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreVBS.jpeg 1347w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreVBS-300x97.jpeg 300w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreVBS-1024x331.jpeg 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/LazarusCryptoCoreVBS-768x249.jpeg 768w\" sizes=\"auto, 
(max-width: 1347px) 100vw, 1347px\" \/><\/p>\n<p id=\"caption-attachment-136470\" class=\"wp-caption-text\">Lazarus VBS script used in several campaigns. Data: ClearSky.<\/p>\n<\/div>\n<blockquote>\n<p>&#8220;Taking all similarities into account, ClearSky attributes the CryptoCore campaign to Lazarus with a high degree of probability,&#8221; the report concludes.<\/p>\n<\/blockquote>\n<p>CryptoCore began operating in mid-2018. Since then it has hacked cryptocurrency exchanges in the United States, Israel, Europe and Japan.<\/p>\n<p>According to ClearSky, by June 2020 the hackers&#8217; activities had caused about $200 million in cryptocurrency losses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Lazarus hacking group, linked to North Korean authorities, has for several years been compromising Bitcoin exchanges worldwide under the CryptoCore 
banner.<\/p>\n","protected":false},"author":1,"featured_media":43088,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,1125],"class_list":["post-43087","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-lazarus"],"aioseo_notices":[],"amp_enabled":true,"views":"19","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/43087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=43087"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/43087\/revisions"}],"predecessor-version":[{"id":43089,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/43087\/revisions\/43089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/43088"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=43087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=43087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=43087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}