
Scientists Identify Lazarus Admin Layer for C2 Servers


SecurityScorecard’s ongoing investigation into recent cyber attacks by North Korea’s Lazarus group has revealed a hidden administrative layer that the threat actor has been using to centrally manage their command and control (C2) infrastructure. This infrastructure allows Lazarus to oversee compromised systems, control payload delivery, and manage exfiltrated data. The group has been utilizing a Web-based admin platform across multiple campaigns, including one where they posed as IT workers to target software developers.

Despite the elaborate operational security measures Lazarus implemented to avoid detection, SecurityScorecard was able to link the group with confidence to the global operation targeting the cryptocurrency industry. The campaign, dubbed “Operation Phantom Circuit,” resulted in numerous victims downloading and executing malicious payloads while their data was sent back to North Korea. Through its investigation of “Operation 99,” SecurityScorecard uncovered the Phantom Circuit admin layer and identified how Lazarus members were using VPNs and proxies to access their C2 infrastructure discreetly.

According to Ryan Sherstobitoff, SecurityScorecard’s senior vice president of threat intelligence, Lazarus’ motivation is two-fold: cryptocurrency theft and corporate network infiltration. Victims who unknowingly execute the cloned code end up compromising their corporate devices and environments, allowing the threat actor to steal development secrets. To manage the stolen information from Operation 99, Lazarus members utilized a sophisticated network of VPNs and proxies, including Astrill, known for enabling anonymous Web browsing and circumventing Internet restrictions.

SecurityScorecard researchers discovered that Lazarus actors used Astrill VPNs to connect to an intermediate proxy network in Russia before accessing Operation 99’s C2 infrastructure. By concealing their tracks behind multiple layers, including a possibly fictitious entity called “Stark Industries, LLC,” the threat actor attempted to obfuscate its true origin. The use of relay/proxy IP addresses further obscured the connections, with SecurityScorecard identifying six distinct IP addresses in Pyongyang used for Astrill VPN connections.

Sherstobitoff noted that Phantom Circuit serves as the operational network connecting back to Pyongyang and was also used in another Lazarus campaign where members impersonated IT workers to infiltrate organizations. The complex infrastructure and tactics employed by the threat actor demonstrate a high level of sophistication and coordination in their cyber operations. SecurityScorecard’s findings shed light on the evolving threat landscape posed by state-sponsored threat actors like Lazarus and highlight the importance of robust cybersecurity measures to defend against such attacks.
