The North Korea-linked threat actor Lazarus targeted e-commerce shops in 2019 and 2020 to steal payment card data. In those attacks the group was not only harvesting card details but also experimenting with stealing cryptocurrency.
Group-IB reviewed an attack campaign that Sansec had discovered last year and found that, alongside Magecart-style card skimming, the Lazarus APT group used an additional trick to steal cryptocurrency rather than card numbers: a JavaScript component, dubbed Lazarus BTC Changer, that diverts crypto payments made by the shops' customers to attacker-controlled wallets.
- Group-IB's analysis identified three compromised websites, two of which (Realchems and Wongs Jewellers) were already listed as victims in Sansec's report.
- On Wongs Jewellers, a sample of Lazarus BTC Changer was found on the live website. On the third victim, an Italian luxury clothing shop, no malicious code remained at the time of analysis.
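The two tampering patterns described above, Magecart-style skimming of the card form and a customer-facing cryptocurrency address that is no longer the merchant's, can both be caught by comparing what the checkout page presents against what the merchant actually publishes. The audit below is an added example, not code from the Group-IB or Sansec reports or from any of the shops named here; every origin, wallet address and page snapshot in it is constructed for illustration, and the snapshot format (`forms`, `scripts`, `paymentAddresses`) is a stand-in for what a browser build would collect from the DOM.

```javascript
// Added example: a checkout-page integrity audit for Magecart-style
// skimming and swapped cryptocurrency payment addresses. Not code from the
// Group-IB or Sansec reports; every origin, address and page snapshot
// below is constructed for illustration.

const PAGE_URL = "https://shop.example/checkout"; // constructed

// What the merchant legitimately publishes. In production this list must come
// from the server (or a build-time manifest), never from the page under audit,
// since a skimmer that can edit the DOM could edit an in-page allow-list too.
const MERCHANT_POLICY = {
  allowedFormOrigins: new Set(["https://shop.example", "https://pay.psp.example"]),
  allowedScriptOrigins: new Set(["https://shop.example", "https://cdn.shop.example"]),
  wallets: {
    // constructed placeholders, not real wallets
    BTC: "bc1qmerchantwalletconstructedforthisexample00000",
    ETH: "0x00000000000000000000000000000000deadbeef",
  },
};

// Ethereum addresses are case-insensitive hex (EIP-55 only varies the
// capitalisation as a checksum); Bitcoin base58 and bech32 addresses are
// compared byte-for-byte.
function normalizeAddress(currency, address) {
  const a = String(address).trim();
  return currency === "ETH" ? a.toLowerCase() : a;
}

// Resolve a possibly relative URL against the page and return its origin.
// An empty or missing form action posts back to the page itself; schemes
// such as javascript: or data: yield the opaque origin "null" and therefore
// never match the allow-list.
function originOf(url) {
  try {
    return new URL(url || PAGE_URL, PAGE_URL).origin;
  } catch {
    return null;
  }
}

// Audit a structural snapshot of the checkout page (forms, scripts, and the
// payment addresses shown to the customer) against the merchant policy.
function auditCheckout(snapshot, policy = MERCHANT_POLICY) {
  const findings = [];

  for (const form of snapshot.forms) {
    const origin = originOf(form.action);
    if (!policy.allowedFormOrigins.has(origin)) {
      findings.push({ type: "form-exfil", detail: `form '${form.id}' posts to ${origin ?? form.action}` });
    }
  }

  for (const script of snapshot.scripts) {
    const origin = originOf(script.src);
    if (!policy.allowedScriptOrigins.has(origin)) {
      findings.push({ type: "script-origin", detail: `script loaded from ${origin ?? script.src}` });
    }
  }

  for (const { currency, address } of snapshot.paymentAddresses) {
    const expected = policy.wallets[currency];
    if (expected === undefined) {
      findings.push({ type: "unknown-currency", detail: `${currency} is not an accepted currency` });
    } else if (normalizeAddress(currency, address) !== normalizeAddress(currency, expected)) {
      findings.push({ type: "wallet-swap", detail: `${currency} address ${address} is not the merchant's` });
    }
  }
  return findings;
}

// Constructed snapshot of an untampered checkout page. The ETH address is in
// EIP-55 mixed case to show that casing alone is not flagged.
const CLEAN_PAGE = {
  forms: [
    { id: "card", action: "/api/pay" },
    { id: "psp", action: "https://pay.psp.example/charge" },
  ],
  scripts: [{ src: "https://cdn.shop.example/checkout.js" }],
  paymentAddresses: [
    { currency: "BTC", address: MERCHANT_POLICY.wallets.BTC },
    { currency: "ETH", address: "0x00000000000000000000000000000000DEADBEEF" },
  ],
};

// Constructed snapshot of the same page after tampering of the kind the
// article describes: the card form posts to a look-alike third-party host,
// a foreign script has been injected, and the BTC address has been replaced.
const SKIMMED_PAGE = {
  forms: [
    { id: "card", action: "https://shop-example-stats.net/collect" },
    { id: "psp", action: "https://pay.psp.example/charge" },
  ],
  scripts: [
    { src: "https://cdn.shop.example/checkout.js" },
    { src: "https://shop-example-stats.net/s.js" },
  ],
  paymentAddresses: [
    { currency: "BTC", address: "bc1qattackerwalletconstructedforthisexample00000" },
    { currency: "ETH", address: MERCHANT_POLICY.wallets.ETH },
  ],
};

console.log("clean page:", auditCheckout(CLEAN_PAGE));
console.log("skimmed page:", auditCheckout(SKIMMED_PAGE));
```

Run as a Node script it audits the two constructed snapshots; in a browser the snapshot would be built from `document.forms`, `document.scripts` and the elements that display the wallet addresses. This is a detective control, not a preventive one: a skimmer with full control of the DOM can remove the check as easily as it rewrites the address, so it belongs alongside server-side comparison of the rendered address with the one the order was created with, a Content-Security-Policy that restricts `form-action` and `script-src`, and integrity monitoring of the shop's own JavaScript.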
Routing stolen funds
In the above attacks, the stolen funds were routed to Bitcoin wallets believed to belong to CoinPayments.net, a payment gateway used for transactions in Bitcoin, Ethereum and other cryptocurrencies.
- Lazarus may have used the gateway to launder the proceeds by moving them on to other wallets or exchanges.
- The amounts taken from the targeted sites' customers were small, including Ethereum worth about $9,000 and Bitcoin worth about $8,400.
Cryptocurrency payments are still far less common than card payments in e-commerce, but several large brands and online services, including Tesla, now accept them. As that acceptance grows, attacks of this kind are expected to grow in scale, and other cybercriminal groups are likely to adopt the technique.