SlowMist's Cos confirms the CEX theft was the work of North Korea's Lazarus Group and discloses the attack method
SlowMist founder Yu Xian (Cos) posted on social media that, through evidence analysis and correlation tracking, SlowMist has confirmed that the attacker behind the theft at a centralized exchange (CEX) is indeed the North Korean hacker organization Lazarus Group, and that this was a state-level APT attack targeting cryptocurrency trading platforms. SlowMist decided to share the related IOCs (Indicators of Compromise), which include IP addresses of cloud service providers and proxies that the attackers abused. Note that the disclosure does not name which platform or platforms were involved and does not point to any specific exchange; if anything in it resembles a particular incident, that is not impossible.
The attackers achieved RCE (remote code execution) through pyyaml, the Python YAML parsing library, using it to deliver malicious code and take control of the target workstations and servers. (As a general matter, pyyaml's yaml.load() with its full Loader instantiates arbitrary Python objects from !!python/ tags, so a YAML document parsed that way is effectively code.) The technique bypasses most antivirus scanners. After exchanging intelligence with partners, SlowMist obtained multiple similar malicious samples. The attackers' main goal is to take over wallets by compromising the infrastructure of cryptocurrency trading platforms and then illegally moving large amounts of crypto assets out of those wallets.
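The page says only that pyyaml was the RCE vector. The block below is an added illustration, not SlowMist's code or a sample from the incident, and it assumes the standard pyyaml failure mode: a document carrying a `!!python/object/apply` tag, parsed by the victim with `yaml.load()` and the full `Loader`. The YAML documents, the `hot-wallet-signer` service name and the `rpc.example.internal` host are constructed for the demo; the payload calls `os.getpid` instead of a shell so it runs harmlessly. It shows the vulnerable call beside the `safe_load` fix, plus a text scanner that flags Python tags in YAML files as a triage check. Requires Python 3.9+; pyyaml is needed for the loader demo (the scanner works without it).

```python
"""Added example (not SlowMist's code): pyyaml deserialization as an RCE path.

Assumption not stated on the page: the attackers' YAML abused pyyaml's
!!python/ tags and the victim parsed it with yaml.load() and a full Loader.
"""
import os
import re

try:
    import yaml  # PyPI package "pyyaml"
except ImportError:  # pyyaml not installed: only the text scanner below works
    yaml = None

PYYAML_AVAILABLE = yaml is not None

# Constructed sample: an innocuous-looking service config carrying a
# !!python/object/apply tag. A real payload would name subprocess.Popen or
# os.system; os.getpid is used here so the demo runs harmlessly.
MALICIOUS_YAML = """\
# constructed sample: looks like an ordinary wallet-service config
service: hot-wallet-signer
endpoints:
  rpc: https://rpc.example.internal
callback: !!python/object/apply:os.getpid []
"""

BENIGN_YAML = """\
service: hot-wallet-signer
endpoints:
  rpc: https://rpc.example.internal
"""

# Matches the short form (!!python/...) and the expanded URI form
# (tag:yaml.org,2002:python/...) of pyyaml's Python-specific tags.
PYTHON_TAG_RE = re.compile(r"(?:!!python/|tag:yaml\.org,2002:python/)[^\s\[\]{}>]*")


def find_python_tags(text: str) -> list[tuple[int, str]]:
    """Cheap pre-filter for YAML on disk or in attachments: return
    (line number, tag) for every pyyaml Python tag in the text.
    Any hit in a file that should be plain data deserves triage."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PYTHON_TAG_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def load_unsafe(text: str):
    """The vulnerable pattern: yaml.Loader (the unsafe, full-featured loader)
    constructs arbitrary Python objects, so the tag calls os.getpid() during parsing."""
    if yaml is None:
        raise RuntimeError("pyyaml is required")
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text: str):
    """The hardened pattern: SafeLoader knows only core YAML types and raises
    yaml.constructor.ConstructorError on any !!python/ tag."""
    if yaml is None:
        raise RuntimeError("pyyaml is required")
    return yaml.safe_load(text)


def is_rejected_by_safe_loader(text: str) -> bool:
    """True if safe_load refuses the document, which is the outcome a defender wants."""
    if yaml is None:
        raise RuntimeError("pyyaml is required")
    try:
        load_safe(text)
    except yaml.YAMLError:
        return True
    return False


def run_demo() -> dict:
    """Run the scanner and, when pyyaml is present, both loaders; return the outcomes."""
    result = {"tags": find_python_tags(MALICIOUS_YAML)}
    if PYYAML_AVAILABLE:
        # Code ran during parsing: the parsed "callback" value is our own PID.
        parsed = load_unsafe(MALICIOUS_YAML)
        result["unsafe_loader_executed_code"] = parsed["callback"] == os.getpid()
        result["safe_loader_rejected"] = is_rejected_by_safe_loader(MALICIOUS_YAML)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The scanner is a triage aid, not a parser: it catches the obvious tag forms in files an operator can inspect, while the real control is never calling `yaml.load()` with `Loader`/`UnsafeLoader` on data that crosses a trust boundary. Wrapping `safe_load` in a helper and grepping the code base for bare `yaml.load(` is the quickest audit.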
SlowMist also published a summary article describing Lazarus Group's attack methods, analyzing its use of social engineering, vulnerability exploitation, privilege escalation, lateral movement within the internal network, and fund transfer. Drawing on real cases, the article summarizes defensive recommendations against APT attacks, intended as a reference to help organizations in the industry strengthen their security posture and reduce the impact of these threats.