Chinese security service provider 360 Security warns that a large number of crypto exchanges have been targeted by the North Korean hacker group Lazarus, and the number is still counting after a series of recent infamous hacking on crypto exchanges DragonEx, Etbox and BiKi.

360 Core Security found that the ATP-C-26 group (Lazarus) used “Worldbit-bot” to carry out active attacks on crypto exchanges. The crypto exchange DragonEx has fell victim to it on March 24, leading to a loss of $7.09 million USDT, according to its report.

The analysis of 360 Advanced Threat Response Team detailed that the attacking group registered two domains wb-invest.net and wb-bot.org last October in preparation for the attacks. Then they faked cryptocurrency trading software “Worldbit-bot” based on the open sourced “Qt Bitcoin Trader”, which was embedded with malicious code. The malicious software was then camouflaged into a regular automated crypto trading platform under the domain of wb-invest.net and wb-bot.org, which kept normal operation for a half year long.

Domain wb-invest.net and wb-bot.org registered in Oct 2018

Faked cryptocurrency trading software “Worldbit-bot” based on the open sourced “Qt Bitcoin Trader”

Worldbit-bot runs under the domain of wb-invest.net and wb-bot.org

The attackers have targeted a large number of internal staff at cryptocurrency exchanges for the software promotion. The final phishing attack took place in January and March 2019.

According to China-based JohnWick Security who assists crypto exchange DragonEx in investigating its hacking incident, the customer service staff at DragonEx once opened an installation package named wbbot.dmg from strangers. Analysis indicates a backdoor was embedded in the installation package, through which hackers acquired the internal staff’s authorization and then obtained the wallet private key.

Actually, the “Worldbit-bot” software is much the same with the faked crypto trading software “Celas Trade Pro” detected by the same team of 360 security last August. Users of Bitfinex, Bitstamp, Bitmarket, BTCChina, GOC.io, Indacoin, OKCoin, WEX and Y0bit have been susceptible to the threat at that time.

Collect process information and encrypt it:

Collect system information:

Execute malicious codes and decrypt it for file execution

Crypto exchanges are suggested to pay close attention to information such as abnormal exchange earnings, tampered addresses of cold and hot wallets, and keep alert when large sum transfer occurs and multiple accounts login for coin withdrawal.

Lazarus is known as an infamous hacking group backed by North Korea. According to research, the group’s earliest attack may be associated with the “Operation Flame” which was a large-scale DDOS attack on Korean government’s website in 2007. Lazarus may also be the group behind the hacking incident of Sony Pictures in 2014, the data breach of the Bank of Bangladesh in 2016 and other infamous attacks such as the “Wannacry” ransomware that swept across the globe in 2017. Since 2017, the group has been expanding its targets of attack and increasingly aimed at economic interests. In earlier attacks, the group mainly targeted the banking system of traditional financial institutions. Now, it has begun to attack global cryptocurrency businesses and individuals.

As previously reported, Lazarus is purportedly responsible for $571 million of the $882 million in cryptocurrency that was stolen from exchanges from 2017–2018, almost 65 percent of the total amount. Out of 14 exchange attacks, five were attributed to the group, including the industry record-breaking $532 million NEM hack of Japan’s Coincheck.