Lazarus Targets Cryptocurrency industries using Electron programs

Summary

APT-C-26 (Lazarus) is a highly active and sophisticated threat actor that targets financial institutions, cryptocurrency platforms, government agencies, and industries like aerospace and military to steal funds and sensitive data. Their attack arsenal includes phishing, network attacks, ransomware, and cross-platform malware affecting Windows, Linux, and macOS. Recently, they leveraged Electron-based malware disguised as an automated trading tool installer for cryptocurrency platforms. The malware appears legitimate but executes malicious payloads in the background, employing multi-layered obfuscation techniques.

Technical Detail

The 360 Threat Intelligence Center recently published an article exposing the tactics used by the Lazarus group in their latest attack campaigns. They analyzed a malicious program disguised as an installation package for a cryptocurrency trading tool, which was created using Electron. This program targeted individuals in the cryptocurrency industry, executing malicious payloads in the background while appearing to perform legitimate functions.

In this campaign, the Lazarus group targeted the uniswap-sniper-bot project by injecting malicious code and packaging it into an executable file using Electron for delivery. Once users run the file, it downloads and executes additional malicious components to steal sensitive information. Previously, the group has employed similar tactics by poisoning repositories like PyPI, Node.js projects, and video software. While this article focuses on the uniswap-sniper-bot attack, as shown in Figure 1, the overall attack flow remains consistent across their campaigns.

Recently, the Lazarus group delivered a malicious sample with the following details: the file, named uniswap-sniper-bot-with-guiSetup1.0.0.exe, has an MD5 hash of 48c179680e0b37d0262f7a402860b2a7 and a size of 70.68 MB (74110128 bytes). The sample demonstrates strong evasion capabilities, as only a few antivirus engines on VirusTotal detect it as malicious.

When executed, the program installs uniswap-sniper-bot normally to deceive users into believing it is legitimate. The uniswap-sniper-bot-with-gui project, hosted on GitHub (https://github[.]com/meta-dapp/uniswap-sniper-bot), is an open-source automated trading tool designed for decentralized exchange (DEX) platforms. It is commonly used to automate the purchase of newly launched tokens or quickly acquire popular tokens.

During the installation process, the sample executes malicious code in the background. A detailed analysis revealed that the sample was packaged and compiled using Electron, an open-source framework that integrates Chromium and Node.js. This framework enables developers to create desktop applications using web technologies and supports multiple platforms, including Windows, macOS, and Linux. This indicates that the Lazarus group possesses the capability to target a wide range of operating systems. To analyze the Electron program, the executable file is first decompressed to locate the app.asar file, which can then be decompiled. The figure below shows the content of app.asar.

Analysis and comparison revealed that the TokenHash.js script, located in the \src\helpers directory, was loaded by profits.js, which in turn was loaded by main.js. Interestingly, a comparison with the official source code of uniswap-sniper-bot showed that TokenHash.js was not originally part of the project, confirming it as malicious code introduced by the Lazarus group. Upon examining the file, it was evident that the script was heavily obfuscated, unlike previous attacks attributed to this group. This indicates that the attackers are actively enhancing their payload sophistication. After de-obfuscating TokenHash.js, the code was found to define multiple extension IDs for browser-based crypto wallets. The script targets wallet data stored in default paths for Brave, Chrome, and Opera browsers, exfiltrating this data to hxxp://86.104.74[.]51:1224/uploads.
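The file-list comparison described above can be automated. As an added example (not code from the 360 report or from the uniswap-sniper-bot project), the Python below parses an Electron app.asar header, lists every packed file, and flags any file absent from the upstream project's listing together with the packed scripts that require() it; the sample archive and the upstream file list are constructed stand-ins.

```python
import json, re, struct

# asar layout: four little-endian uint32 words, the JSON file tree (NUL-padded to 4 bytes),
# then file bodies. Word 1 is the header size; bodies start at byte 8 + word 1 and every
# entry's "offset" is relative to that point.
def build_asar(files):
    """Build a minimal asar from {path: bytes}; used only to construct sample input."""
    tree, body = {"files": {}}, b""
    for path, data in files.items():
        node, (*dirs, name) = tree, path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(data), "offset": str(len(body))}
        body += data
    header = json.dumps(tree).encode()
    padded = header + b"\0" * (-len(header) % 4)
    return struct.pack("<IIII", 4, len(padded) + 8, len(padded) + 4, len(header)) + padded + body

def read_asar(blob):
    """Return {path: bytes} for every file packed in an asar archive."""
    _, header_size, _, json_len = struct.unpack_from("<IIII", blob, 0)
    tree, base, out = json.loads(blob[16:16 + json_len]), 8 + header_size, {}
    def walk(node, prefix):
        for name, entry in node["files"].items():
            if "files" in entry:                       # directory node: recurse
                walk(entry, f"{prefix}{name}/")
            else:                                      # file node: slice its body
                off = base + int(entry["offset"])
                out[f"{prefix}{name}"] = blob[off:off + entry["size"]]
    walk(tree, "")
    return out

REQUIRE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")

def find_unexpected(files, upstream_paths):
    """Map each packed file absent from the upstream listing to the scripts that require() it."""
    findings = {}
    for path in files:
        if path in upstream_paths:
            continue
        stem = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]    # TokenHash for src/helpers/TokenHash.js
        findings[path] = [p for p, data in files.items() if p != path and any(
            r.rsplit("/", 1)[-1] == stem for r in REQUIRE.findall(data.decode("utf-8", "replace")))]
    return findings

# Constructed sample archive: two upstream-looking scripts plus one injected helper (dummy bodies).
SAMPLE = build_asar({
    "main.js": b"require('./src/profits');\n",
    "src/profits.js": b"const h = require('./helpers/TokenHash');\n",
    "src/helpers/TokenHash.js": b"var _0x1 = ['\\x68\\x74'];\n"})
UPSTREAM = {"main.js", "src/profits.js"}   # hypothetical stand-in for the project's real file list
```

Running `find_unexpected(read_asar(SAMPLE), UPSTREAM)` reports the injected helper and the script that loads it, which is the chain the analysts traced by hand; on a real sample, `read_asar` takes the bytes of the extracted app.asar and the listing comes from the project's repository.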

It also downloads a Python installation package from http://86.104.74[.]51:1224/pdown to enable further code execution and retrieves an additional payload from http://86.104.74[.]51:1224/client/7/702, saving it as %userprofile%\.sysinfo for execution.

The .sysinfo file is a Python script that, after 49 layers of decoding and decompression, revealed its true purpose as a downloader. Its role is to retrieve plugins from 86.104.74[.]51 for subsequent attack operations. The functionality of these plugins matches those observed in prior payloads linked to Lazarus, and given their similarity to previously documented cases, only a brief analysis is provided here.

The Lazarus group utilizes multiple malicious plugins to carry out their attack operations, each serving a specific purpose:

Plugin 1:

Downloaded from http://86.104.74[.]51:1224/payload/7/702, it is saved locally as %userprofile%.n2\pay. This plugin's functions include host monitoring, file theft, executing shell commands, and configuring remote access tools like AnyDesk.

Plugin 2:

Retrieved from http://86.104.74[.]51:1224/bow/7/702, it is stored as %userprofile%.n2\bow. The primary purpose of this plugin is to extract sensitive data from browsers, including Chrome, Brave, Opera, Yandex, and Microsoft Edge.

Plugin 3:

Downloaded from http://86.104.74[.]51:1224/mclip/7/702, it is saved as %userprofile%.n2\mlip. This plugin's functionality includes keylogging, clipboard monitoring, and observing active windows.

Conclusion

The Lazarus group’s recent campaigns demonstrate their advanced technical capabilities and evolving tactics. By using Electron to package malicious payloads, embedding obfuscated scripts, and deploying a series of plugins, they effectively target and steal sensitive information across various platforms. Their ability to manipulate browsers like Chrome, Brave, Opera, and Microsoft Edge for data theft, combined with functionalities like keylogging, clipboard monitoring, and system surveillance, showcases a multi-faceted approach to compromise systems. This highlights the group's persistent nature and the complexity of their attack methods.


Written by

FPT Metrodata Indonesia