Security news that informs and inspires

Lazarus Group Adds JavaScript Sniffer to Cryptocurrency-Stealing Arsenal


The Lazarus threat group utilized a modified JavaScript sniffer to steal cryptocurrency from unsuspecting e-commerce website consumers.

The Lazarus threat group infected several e-commerce shops with an undocumented, modified JavaScript sniffer that aimed to steal cryptocurrency from online consumers, researchers said in a new report.

The JavaScript sniffer, which researchers with Group-IB call BTC Changer, shows continuing increased sophistication around the Lazarus group’s cryptocurrency money-laundering efforts. The North Korean threat group (also known as Hidden Cobra and APT38), which has been active since 2009, has in recent years been honing in on the cryptocurrency vertical, as seen in a targeted August attack against a cryptocurrency firm, for instance.

“The campaign marks the first time that Lazarus used malicious JavaScript sniffers to steal cryptocurrency,” Viktor Okorokov, lead threat intelligence analyst at Group-IB, said. “It’s definitely something that deserves attention as the technique has all the potential to grow in scale and sophistication, given the gang’s continued hunt for cryptocurrency.”

The discovery of the campaign began when researchers with Sansec in July uncovered the Lazarus group using JavaScript sniffers to target U.S. and European online shops and steal shoppers' payment card data. Upon further investigation into this campaign, called the “clientToken=” campaign and dating back to May 2019, researchers with Group-IB identified another campaign involving the same infrastructure, which started in February 2020. This attack was different, as attackers modified the JavaScript sniffer to now target cryptocurrency rather than credit card payment information, they found.

“Lazarus started using a modified version of the malicious JavaScript script that was initially used during the clientToken= campaign all the while using the same infrastructure,” said researchers. “The new version had the same names of functions, but bank card harvesting was replaced with cryptocurrency skimming and they started targeting companies who accepted payments in BTC.”

Researchers observed the updated sniffer being utilized on three websites: European research chemical supplier Realchems, jewelry store Wongs Jewellers and an unnamed Italian luxury clothes online shop. Of note, researchers did not find any evidence that Wongs Jewellers accepts cryptocurrency payments, leading them to assume the attackers added the BTC Changer to the website by mistake. The malicious code has since been removed from all three infected websites, said Okorokov.

The initial attack vector for these compromises is difficult to establish without an incident response engagement for the campaign, said Okorokov. However, he said it’s fair to assume that the attackers likely utilized stolen credentials in the content management system administrative panel.

As part of the campaign, attackers added a fake web payment form, which opened in an iframe element on the compromised websites and asked that payments be made directly to cryptocurrency addresses owned by the attackers. When consumers made online purchases using the sites’ Bitcoin addresses, they would inadvertently send money to the attackers' Bitcoin payment address.

"The campaign marks the first time that Lazarus used malicious JavaScript sniffers to steal cryptocurrency."

Attackers used two main Bitcoin addresses to steal funds received via 43 transactions over the course of the BTC Changer campaign. Researchers found that attackers transferred 0.89993859 BTC at the time of withdrawing cryptocurrency from the extracted Bitcoin addresses. This is equivalent to $8,446 at the moment of the transaction and $52,611 as of April 9, 2021, as the value of Bitcoin has since skyrocketed.

“The amount of money stolen was relatively small due to the fact that Lazarus BTC Changer campaign only targeted three small e-commerce stores that remained infected for a limited period of time of less than three months,” said Okorokov. However, researchers believe that the campaign is a way for the group to test the tool on small e-commerce stores, before later switching to more prominent targets for bigger gains.

Researchers linked this campaign to the Lazarus group “with a high level of confidence,” due to the infrastructure previously being utilized by Lazarus, combined with the gang's track record of going after cryptocurrency.

“The source code of Lazarus BTC Changer is based on the source code of the JavaScript sniffer used during the ‘clientToken=’ campaign,” said Okorokov. “In addition, during the ‘clientToken=’ campaign the threat actor used the same infrastructure as they did for past attacks attributed to Lazarus. Finally, the fake payment page used by hackers in later samples of BTC Changer contained the text in Korean.”

JavaScript sniffers - also known as digital skimmers - have been a thorn in the side of e-commerce stores, with attackers injecting scripts into websites to steal data that’s entered into online payment forms. Threat groups under the Magecart umbrella have put web-based, digital card skimmers in the headlines over the past few years due to their high-profile breaches of companies like VisionDirect, Ticketmaster and others.

For attackers, “stealing cryptocurrency is a bit easier because in the case of traditional JavaScript sniffers cybercriminals need to figure out ways to make actual money from the stolen payment records,” said Okorokov. “They either sell them in the underground markets or purchase expensive goods using stolen payment data for reselling purposes.”

Researchers recommend that online stores block out such threats by installing all necessary updates for any software used (including the content management systems for websites), use complex and unique passwords to access website admin panels and regularly check the store for malware via security audits of the website.