RiskIQ collaborated with Proofpoint on research for a report published today investigating the activities of North Korea’s Lazarus Group, which highlights the group’s recent focus on cryptocurrency investors and exchanges. Earlier this year, the activities of the Lazarus Group in South Korea were discussed and analyzed after they compromised accounts on various South Korean cryptocurrency exchanges. More recently, they were seen targeting a United Kingdom-based cryptocurrency exchange. In this post, we walk through our analysis of the infrastructure used in the attack described in the Proofpoint report.
In early November, Proofpoint uncovered a large, active phishing campaign that sent out messages about fake Bitcoin Gold (BTG) wallet software. The actors abused internationalized domain name (IDN) registration to impersonate the official bitcoingold.org website: the sender domains were IDNs whose decoded (Unicode) form looks like the genuine name. Below are four examples of domain names registered for this campaign:
The domains shown above appeared in our crawl data, meaning we had a full copy of the webpage and any metadata present on it. We’ll take a look at xn--bitcingold-hcb.org which, in our data, looked identical to the genuine site:
Fig-1 The fake site looks just like the genuine one
Fig-2 DOM captured by RiskIQ crawlers
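As an added example (not code from the original post or from RiskIQ), the Python below decodes punycode ‘xn--’ domains such as the xn--bitcingold-hcb.org and xn--electrm-s2a.org names seen in this campaign, strips the diacritics that make them look like the real brand, and flags any domain that collapses onto a watched brand domain; the watchlist and the sample domain list are constructed for this example.

```python
import unicodedata

# Constructed watchlist: the two brand domains this campaign imitated.
PROTECTED = {"bitcoingold.org", "electrum.org"}


def decode_idn(domain: str) -> str:
    """Convert an ASCII-compatible (xn--) domain to its Unicode form.

    Uses the standard-library idna codec, which also verifies that the
    decoded label round-trips; malformed labels are returned unchanged.
    """
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(name: str) -> str:
    """Collapse accented letters onto their base letter.

    NFKD splits 'ö' into 'o' + a combining diaeresis; dropping the
    combining marks turns 'bitcöingold.org' into 'bitcoingold.org'.
    This is a simplified confusable check, not a full UTS #39 skeleton.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def find_lookalikes(domains, protected=PROTECTED):
    """Return (observed, decoded, impersonated) for every domain whose
    accent-stripped form equals a protected domain while its real
    Unicode form does not (the genuine domain itself is skipped)."""
    hits = []
    for observed in domains:
        decoded = decode_idn(observed)
        if decoded in protected:
            continue
        target = skeleton(decoded)
        if target in protected:
            hits.append((observed, decoded, target))
    return hits


if __name__ == "__main__":
    # Constructed sample of domains pulled from sender headers / logs.
    sample = ["xn--bitcingold-hcb.org", "bitcoingold.org",
              "xn--electrm-s2a.org", "example.org"]
    for observed, decoded, target in find_lookalikes(sample):
        print(f"{observed} -> {decoded!r} impersonates {target}")
```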
The information above is really valuable to our investigation, because RiskIQ stores host pairs: sites that point to each other in a parent or child relationship. We can query this data set for the official Bitcoin Gold website and see at least two of the fake websites in its parent host pair set:
Fig-3 Host Pair data set inside RiskIQ PassiveTotal
Note: We filtered on parent relationships to see hosts that pointed to bitcoingold.org, not hosts that bitcoingold.org itself linked to.
Fig-4 Button linking to an onclick event
The invoked script redirects the user to the file download:
Fig-5 The file download
The file downloaded here was seen with the following SHA256 hash: eab612e333baaec0709f3f213f73388607e495d8af9a2851f352481e996283f1
Besides Bitcoin Gold, the Lazarus Group performed the same kind of IDN ‘attack’ against the Electrum Bitcoin wallet website. The actors created the IDN website xn--electrm-s2a.org to serve as a fake software installation page similar to the Bitcoin Gold clone:
Fig-6 Similar cyber attack on the Electrum exchange
Interestingly, Lazarus left information in the source of the page showing that they used the ‘HTTrack’ website copier tool, as well as the date they copied the Electrum website (Friday, November 17th at 03:27:29 GMT, as per our crawl data):
Fig-7 DOM captures showing some interesting info left behind by Lazarus
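As an added example (not from the original post or from RiskIQ), the Python below pulls the ‘Mirrored from … by HTTrack Website Copier’ comment that HTTrack writes at the top of every page it copies out of a captured DOM and parses the source site and timestamp from it, which is the kind of artifact Fig-7 shows; the sample DOM is constructed for this example, since the post only shows the capture as a figure.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample of a captured DOM. The two comments are the markers
# HTTrack leaves in mirrored pages; the source URL and date are made up here.
SAMPLE_DOM = """<!DOCTYPE html>
<!-- Mirrored from electrum.org/ by HTTrack Website Copier/3.x [XR&CO'2014], Fri, 17 Nov 2017 03:27:29 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=utf-8" /><!-- /Added by HTTrack -->
<html><head><title>Electrum Bitcoin Wallet</title></head>
<body><a href="download.html">Download Electrum</a></body></html>
"""

# Matches the mirror comment: "Mirrored from <url> by HTTrack Website
# Copier/<version> [<build>], <RFC 2822 date>".
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<source>\S+)\s+by HTTrack Website Copier"
    r"[^,]*,\s*(?P<date>[^>]+?)\s*-->",
    re.IGNORECASE,
)


def find_httrack_marker(html: str):
    """Return {'source': <mirrored site>, 'mirrored_at': <aware datetime>}
    if the DOM carries an HTTrack mirror comment, else None."""
    match = HTTRACK_RE.search(html)
    if not match:
        return None
    return {
        "source": match.group("source"),
        "mirrored_at": parsedate_to_datetime(match.group("date").strip()),
    }


if __name__ == "__main__":
    marker = find_httrack_marker(SAMPLE_DOM)
    if marker:
        print(f"cloned from {marker['source']} at {marker['mirrored_at'].isoformat()}")
```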
Defenders with access to internet data collected by crawlers can detect unknown threats at the source and track how they change and spread. Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s used within a broader context. As can be seen from the above analysis, RiskIQ’s crawling infrastructure, indexed web data sets, and analyst-focused analysis platform allows organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend their network.
Interested in crawling specific parts of the Internet with RiskIQ technology? Now you can task our virtual users to work for you at scale. RiskIQ offers URL crawling through our Security Intelligence Services (SIS), so you can capture the same kind of data we used in this post. For more information and a quote, contact us today.
The following IOCs were found by pivoting around the known hosts from the phishing emails and expanding our list that way. We have some suspected hosts that are potentially related to this campaign, but since we don’t have proof (yet) they are not listed; we will keep an eye out for any confirmed activity.
The list below does not include IOCs obtained from Proofpoint’s malware analysis; those are available in their report. The full list of IOCs is available in our RiskIQ Community Project: https://community.riskiq.com/projects/03e1e06f-4644-3b0e-7721-682b928d2001?guest=true&_ga=2.250911174.117879041.1513562791-1318539965.1474487244