BlockBeats News, February 23, SlowMist founder Cosmos released a post stating, "Through forensic analysis and correlation tracking, we have confirmed that the attacker is indeed the North Korean hacker group Lazarus Group. This is a nation-state level APT attack targeting cryptocurrency exchanges. We have decided to share the related IOCs (Indicators of Compromise), including some exploited IP addresses of cloud service providers and proxies. It is worth noting that this disclosure does not specify which platform or platforms are involved, and it is not mentioned that it is Bybit. However, if there are similarities, it is not impossible."
"The attacker used pyyaml to perform RCE (Remote Code Execution), enabling the delivery of malicious code to take control of the target's computers and servers. This method bypasses the detection of most antivirus software. After synchronizing intelligence with partners, multiple similar malicious samples were obtained. The main goal of the attacker is to compromise the infrastructure of cryptocurrency exchanges to gain control of wallets and illegally transfer a large amount of cryptocurrency assets from the wallets."
"SlowMist's summary article revealed Lazarus Group's attack methods and analyzed its tactics, which span social engineering, vulnerability exploitation, privilege escalation, internal network penetration, and fund transfers. Based on actual cases, it summarized defense recommendations against APT attacks, hoping to provide an industry reference that helps more organizations strengthen their security defenses and reduce the impact of potential threats."
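The "pyyaml RCE" mentioned in the statement above refers to a long-known PyYAML behaviour rather than a parser bug: the default (unsafe) loader honours Python-specific tags such as `!!python/object/apply`, so a YAML file controlled by an attacker can import any module and call any function while it is being parsed. The following is an added example, not code from SlowMist, BlockBeats or the samples they obtained, that shows the vulnerable loading pattern beside the hardened one on a constructed config file. The file contents, the `load_unsafe`/`load_safe` helper names and the choice of `os.getcwd` as a harmless stand-in for the `os.system`/`subprocess` call an intruder would actually use are all assumptions made for the demo.

```python
import os
import yaml

# Constructed sample input (not from the SlowMist report): a config file that
# looks harmless but carries a PyYAML-specific tag. When parsed with a loader
# that honours python/* tags, PyYAML imports os and calls os.getcwd() during
# parsing. A real intruder would point the tag at os.system or
# subprocess.Popen instead; os.getcwd is used here so the demo stays harmless.
MALICIOUS_CONFIG = """\
service: wallet-sync
hook: !!python/object/apply:os.getcwd []
"""

# The same config with no code-bearing tag, for comparison.
BENIGN_CONFIG = """\
service: wallet-sync
hook: none
"""


def load_unsafe(text):
    """Vulnerable pattern: yaml.Loader (same as UnsafeLoader) constructs
    python/object/apply nodes by importing the named callable and invoking it.
    yaml.unsafe_load() and, on PyYAML < 5.1, a bare yaml.load() behave the same."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """Hardened pattern: safe_load only knows the core YAML types and rejects
    any python/* tag with a ConstructorError instead of executing it.
    Returns (True, data) on success or (False, error_message) on rejection."""
    try:
        return True, yaml.safe_load(text)
    except yaml.YAMLError as exc:
        return False, str(exc)


def expected_marker():
    """Value the malicious tag produces when the parser executes it."""
    return os.getcwd()


if __name__ == "__main__":
    data = load_unsafe(MALICIOUS_CONFIG)
    print("unsafe loader ran os.getcwd():", data["hook"] == expected_marker())
    ok, result = load_safe(MALICIOUS_CONFIG)
    print("safe_load accepted payload:", ok, "-", result)
    print("safe_load accepted benign config:", load_safe(BENIGN_CONFIG)[0])
```

The practical check for a defender is a repository-wide search for `yaml.load(`, `yaml.unsafe_load(` and `Loader=yaml.Loader` / `UnsafeLoader` on any input that is not fully trusted (configs pulled from a repo, files sent by a "recruiter" or "partner", data from an internal API); each hit should become `yaml.safe_load` unless the code genuinely needs to deserialize Python objects, in which case the input must be signed or come only from trusted storage. Note that the payload above is also detectable as data: a YAML file containing `!!python/` tags has no legitimate reason to arrive from outside.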