Researchers Uncover Lazarus Group Admin Layer for C2 Servers

Summary:
SecurityScorecard's investigation into Lazarus Group’s recent cyber attacks on cryptocurrency entities and software developers uncovered a hidden administrative layer, dubbed Phantom Circuit, used to centrally manage the group's command-and-control infrastructure. This platform enables Lazarus to maintain oversight of compromised systems, control payload distribution, and manage exfiltrated data efficiently. The same web-based admin platform has also been used in other campaigns, including those involving the impersonation of IT workers. Despite implementing sophisticated operational security measures, Lazarus was definitively linked to North Korea. SecurityScorecard determined that the group's campaigns led to hundreds of victims unknowingly executing malicious payloads, allowing stolen data to be funneled back to Pyongyang.

As part of Operation 99, Lazarus operatives posed as recruiters on LinkedIn and other job platforms, luring software developers into cloning seemingly benign GitHub repositories that contained data-stealing malware. These infected repositories connected to Lazarus's C2 infrastructure, enabling them to infiltrate corporate environments and steal sensitive development secrets. More than 230 victims have reportedly downloaded these malicious payloads. The group's motivations appear to be twofold: cryptocurrency theft and corporate infiltration. Developers who fell for the scheme often executed the compromised code on work devices, exposing corporate networks to Lazarus’s backdoors.

Security Officer Comments:
Further analysis revealed that the group used a complex web of Astrill VPNs and proxy networks, including one registered to a Russian freight company in Hasan, to obscure their true location. The C2 servers were hosted under a likely fictitious company, Stark Industries, LLC. However, SecurityScorecard was able to trace six distinct IP addresses in Pyongyang initiating the Astrill VPN connections, directly linking Phantom Circuit to North Korea. Notably, the same proxy network was also used in another Lazarus campaign where stolen identities were leveraged to impersonate IT workers and infiltrate organizations.

Suggested Corrections:
Operation Phantom Circuit highlights the critical need for organizations to secure their software supply chains. STRIKE recommends the following measures to mitigate risks:
  • Package Verification: Validate the integrity of software updates using cryptographic checksums or signatures.
  • Network Monitoring: Analyze connections to uncommon ports, such as 1224 and 1245, associated with malicious activity.
  • Proxy Detection: Identify and block suspicious proxy usage, particularly from commercial services linked to malicious campaigns.
  • Development Tool Audits: Regularly review and update development tools to identify and mitigate vulnerabilities.
  • Remote Access Scrutiny: Monitor for persistent Remote Desktop Protocol (RDP) sessions that could indicate unauthorized access.
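As an added illustration of the Network Monitoring and Remote Access Scrutiny items above (example code written here, not taken from the SecurityScorecard report), the following Python flags connections to ports 1224 and 1245 and pairs RDP session START/END events to surface unusually long sessions. The log line format, the 8-hour session threshold and the sample log lines are constructed assumptions, not artifacts from the report.

```python
import re
from datetime import datetime

SUSPICIOUS_PORTS = {1224, 1245}   # ports the report ties to Phantom Circuit C2 traffic
RDP_PORT = 3389
RDP_MAX_SECONDS = 8 * 3600        # assumed threshold: longer RDP sessions get reviewed

# Constructed sample firewall log (not from the report): timestamp action src -> dst [START|END]
SAMPLE_LOG = """\
2025-01-27T09:00:01Z ALLOW 10.0.5.12:51344 -> 203.0.113.10:443
2025-01-27T09:00:07Z ALLOW 10.0.5.12:51350 -> 198.51.100.7:1224
2025-01-27T09:01:15Z ALLOW 10.0.5.40:50122 -> 198.51.100.7:1245
2025-01-27T18:30:00Z ALLOW 10.0.5.99:49800 -> 10.0.9.3:3389 START
2025-01-28T06:45:00Z ALLOW 10.0.5.99:49800 -> 10.0.9.3:3389 END
2025-01-28T08:00:00Z ALLOW 10.0.5.12:51400 -> 10.0.9.3:3389 START
2025-01-28T08:20:00Z ALLOW 10.0.5.12:51400 -> 10.0.9.3:3389 END
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<event>START|END))?$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec

def find_c2_port_hits(log_text):
    """Return (src, dst, dport) for every connection to a port in SUSPICIOUS_PORTS."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [(r["src"], r["dst"], r["dport"]) for r in recs if r["dport"] in SUSPICIOUS_PORTS]

def find_long_rdp_sessions(log_text, max_seconds=RDP_MAX_SECONDS):
    """Pair RDP START/END events per (src, sport, dst); return sessions longer than max_seconds."""
    starts, long_sessions = {}, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["dport"] != RDP_PORT or not rec["event"]:
            continue
        key = (rec["src"], rec["sport"], rec["dst"])
        if rec["event"] == "START":
            starts[key] = rec["ts"]
        elif key in starts:
            duration = (rec["ts"] - starts.pop(key)).total_seconds()
            if duration > max_seconds:
                long_sessions.append((rec["src"], rec["dst"], int(duration)))
    return long_sessions
```

Against the constructed sample, the two connections to 1224 and 1245 are reported, and only the overnight RDP session (over 12 hours) is flagged while the 20-minute one is not.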

Link(s):
https://securityscorecard.com/wp-co...peration-Phantom-Circuit-Report_012725_03.pdf