Cyber Emergency Center Report English Edition
The shadow behind Cryptocurrency Stealing Attacks

The Cyber Emergency Center report describes incident trends and responses for the last quarter, based on the results of incident responses and forensic investigations handled by the Cyber Emergency Center.
This special edition is focused on the findings of cyber adversary group.

Executive Summary

In the context of dealing with cyber-incidents conducted by a specific adversary, we usually conclude the source of threat based on Tactics, Techniques and Procedures (TTP) that is relied on the artifacts, tools they use, and other aspect and specific activity recorded in their series of monitors incidents.

In this report we are coming into conclusion about the existence of a cyber adversary group, "we dub it as HYDSEVEN", which has been leaving several trails in their offensive actions to their targets on the usage of Russian language environment, that can be confirmed since 2016.

There is so few information or reference about this adversary. We analyzed their incidents by following their activities in aiming their specific targeted sectors, for achieving their ultimate goal, which is illegally acquiring cryptocurrency values (Crypto Asset). So far, the adversary has been succeeded in compromising many cryptocurrency exchange systems in multiple countries including Japan, Poland, etc. The rough amount of damage at cryptocurrency exchange stolen by this adversary was announced to be $882 million, and we believe the number is bigger due to the activity of the actors are still on going until now.

It has been reported also that a cyber threat adversary group called Lazarus is involved in the most of above mentioned incidents. That fact was also being stated in the letter^* from cyber security experts to the President of the UN Security Council that was pointing to the group as the organization allegedly responsible to the incidents in the Japanese cryptocurrency exchange that has been occurred some times ago.

However, the facts that have been collected from our investigation stated differently. Yes, HYDSEVEN and Lazarus use similar method in their offensive activities, but they use different malwares respectively. Until the time this report is released Lazarus group did not use any of final stage malware variants described it in this report.

The possibility of an adversary tried to copy other's well-known adversary's TTP in order to cover up their original trace is not a new issue in targeted attack cases on cyber threat, and nowadays there are several state sponsor actors who had done that TTP-copycat too. We believe this might be the case, where some adversary may try to blame Lazarus on this matter, or even maybe a case where Lazarus tries to blame other countries. The point is we have to be very careful to not point or concluding anything until we are in state of beyond any reasonable doubt beforehand.

Since the purpose of this report is to help people in security community to improve their security measure by reassessing their defense, readjusting their perimeter or detection to be more protected against this threat accordingly, we hope our information collected from technical point of view will be useful for you.

* Letter dated 1 February 2019 from the Panel of Experts established pursuant to resolution 1874 (2009) addressed to the Chair of the Security Council Committee established pursuant to resolution 1718 (2006)
(https://undocs.org/pdf?symbol=en/S/2019/171)

Contents

The shadow behind Cryptocurrency StealingContents

• Introduction
• Cryptocurrency Stealing Incidents Timeline
   Activity summary of HYDSEVEN
• Threat Summary
   Three attack methods "VBA macro" "software vulnerability" "fake installer"
• Post-Exploitation Malware
   Features of two malware "NetWire" and "Ekoms (Mokes)"
• C2 Infrastructure
   Overseas server used for attack
• Adversary Background
   Two footprints "Decoy Document File" "Code Signing Certificate"
• Detection or Mitigation
• Conclusion
• Indicator-of-Compromise (IOC)

■ Paper Update Information

Below is the list of the updated details that have been performed for this paper.

Edited on: October 1, 2019
Details:

Page 11
Previous:
(NetWire on 32bit and NetWire on 64bit) as the payload

Current:
(NetWire) as the payload