Researchers observed the updated sniffer being utilized on three websites: European research chemical supplier Realchems, jewelry store Wongs Jewellers and an unnamed Italian luxury clothes online shop. Of note, researchers did not find any evidence that Wongs Jewellers accepts cryptocurrency payments, leading them to assume the attackers added the BTC Changer to the website by mistake. The malicious code has since been removed from all three infected websites, said Okorokov.
The initial attack vector for these compromises is difficult to establish without an incident response engagement for the campaign, said Okorokov. However, he said it’s fair to assume that the attackers likely utilized stolen credentials in the content management system administrative panel.
As part of the campaign, attackers injected a fake web payment form, loaded in an iframe element on the compromised websites, that asked customers to pay directly to cryptocurrency addresses owned by the attackers. Customers who paid in Bitcoin through what appeared to be the sites' own payment option inadvertently sent the money to the attackers' Bitcoin address.
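As an added defender-side example (not code from the original report or the researchers), the check below audits a checkout page for the two symptoms described above: an iframe loaded from a host outside the merchant's allowlist, and a Bitcoin address that is not one of the merchant's own. The hostnames and addresses are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loose match for Bitcoin addresses: legacy base58 (1.../3...) or bech32 (bc1...).
BTC_ADDRESS_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")


class CheckoutPageParser(HTMLParser):
    """Collect every <iframe src> and all text nodes from a checkout page."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_srcs.append(dict(attrs).get("src") or "")

    def handle_data(self, data):
        self.text_chunks.append(data)


def audit_checkout_page(html, allowed_iframe_hosts, merchant_btc_addresses):
    """Flag iframes from hosts outside the allowlist and Bitcoin addresses the
    merchant does not own; both are symptoms of an injected fake payment form."""
    parser = CheckoutPageParser()
    parser.feed(html)
    findings = []
    for src in parser.iframe_srcs:
        host = urlparse(src).hostname  # None for relative or inline sources
        if host not in allowed_iframe_hosts:
            findings.append(("unexpected_iframe", src))
    page_text = " ".join(parser.text_chunks)
    for addr in sorted(set(BTC_ADDRESS_RE.findall(page_text))):
        if addr not in merchant_btc_addresses:
            findings.append(("unknown_btc_address", addr))
    return findings


# Constructed sample: a legitimate payment-processor iframe and the merchant's own
# address, followed by an injected iframe and a non-merchant address (all fictitious).
MERCHANT_ADDR = "1ConstructedMerchantAddrXXXXXXXXXX"
INJECTED_ADDR = "bc1q" + "constructedinjectedaddress" + "x" * 15
SAMPLE_HTML = f"""
<div id="checkout">
  <iframe src="https://payments.example-psp.test/embed"></iframe>
  <p>Or send BTC to {MERCHANT_ADDR}</p>
  <iframe src="https://cdn.example-injected.test/pay.html"></iframe>
  <p>Send exactly 0.01 BTC to {INJECTED_ADDR}</p>
</div>
"""

if __name__ == "__main__":
    for kind, value in audit_checkout_page(SAMPLE_HTML, {"payments.example-psp.test"}, {MERCHANT_ADDR}):
        print(kind, value)
```

Run against a fresh fetch of the live checkout page on a schedule, the same check doubles as the "regular malware check" the researchers recommend.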
Attackers used two main Bitcoin addresses to collect stolen funds, received via 43 transactions over the course of the BTC Changer campaign. Researchers found that the attackers withdrew 0.89993859 BTC in total from these addresses, equivalent to $8,446 at the moment of the transactions and to $52,611 as of April 9, 2021, as the value of Bitcoin has since skyrocketed.
“The amount of money stolen was relatively small due to the fact that Lazarus BTC Changer campaign only targeted three small e-commerce stores that remained infected for a limited period of time of less than three months,” said Okorokov. However, researchers believe that the campaign is a way for the group to test the tool on small e-commerce stores, before later switching to more prominent targets for bigger gains.
Researchers linked this campaign to the Lazarus group "with a high level of confidence," because the infrastructure had previously been used by Lazarus, combined with the group's track record of going after cryptocurrency.
Researchers recommend that online stores defend against such threats by installing all necessary updates for any software used (including the content management systems running the websites), using complex and unique passwords for website admin panels, and regularly checking the store for malware through security audits of the website.