Sunday, February 9, 2025

Lazarus Group Exploits Trusted Apps for Data Theft via Dropbox


North Korea's Lazarus Group has been linked to a global cyber espionage campaign code-named Operation Phantom Circuit.

Beginning in September 2024, the operation abused trusted software development tools to infiltrate systems worldwide, targeting cryptocurrency and technology developers.

The campaign's obfuscation techniques and infrastructure mark a significant evolution in the group's tradecraft.

According to SecurityScorecard's STRIKE threat intelligence team, the attackers embedded malware in legitimate software updates, compromising over 1,500 systems across three waves of attacks between November 2024 and January 2025.

The malware allowed the group to exfiltrate sensitive data, including development credentials, authentication tokens, and browser-stored passwords.

The stolen data was staged in Dropbox, where it was organized for further exploitation.

Advanced Command-and-Control Infrastructure

The Lazarus Group operated a layered command-and-control (C2) infrastructure to manage infected systems and the data exfiltrated from them.

[Figure: Lazarus Group data exfiltration to Dropbox]

Key servers were identified as central nodes for payload delivery and communication with compromised devices.

For instance:

  • 94.131.9.32: Active in January 2025, managing connections from 233 victims.
  • 185.153.182.241: Played a pivotal role in December 2024 campaigns.
  • 86.104.74.51: Spoofed domains like sageskills-uk[.]com during November 2024 attacks.

The infrastructure included an administrative platform exposed on port 1245 and built with React and Node.js.

Through this platform the attackers monitored victim systems, organized stolen credentials, and maintained persistent access via Remote Desktop Protocol (RDP) sessions lasting up to 10 days.

Proxy Networks

To conceal their activities, the Lazarus Group routed traffic through a network of VPNs and proxies, including the Oculus Proxy service hosted in Hasan, Russia.

Traffic originating from North Korean IP addresses (e.g., 175.45.178.130) was relayed through proxies registered under Sky Freight Limited before reaching the C2 servers.

This layering hid the operators' true origin and complicated attribution and detection.

The attackers leveraged Astrill VPN endpoints to mask their origins further, connecting through IPs such as 70.39.70.196 and 204.188.233.68 before routing traffic via Russian proxies.
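The indicators above (the C2 addresses, the 1224/1245 management ports, the spoofed domain, the VPN and origin addresses, and the multi-day RDP sessions) are the kind a SOC would turn into a detection. The following is an added example, not code from the article or from STRIKE's report: a small rule set run over a constructed connection log. The log format, the internal 10.0.x.x hosts, and the 24-hour RDP threshold are assumptions for the example; the indicator values themselves are the ones quoted in the article, with the domain kept defanged as the article prints it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicators quoted in the article (reproduced, not invented).
C2_IPS = {"94.131.9.32", "185.153.182.241", "86.104.74.51"}
PROXY_IPS = {"70.39.70.196", "204.188.233.68"}   # Astrill VPN endpoints named in the article
ORIGIN_IPS = {"175.45.178.130"}                  # North Korean source address named in the article
SPOOFED_DOMAINS = {"sageskills-uk[.]com"}        # stored defanged, as printed in the article
C2_PORTS = {1224, 1245}                          # unusual ports the article says to watch
RDP_PORT = 3389
# Assumption for this example: any RDP session longer than a day deserves a ticket.
MAX_RDP_SESSION = timedelta(hours=24)


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    sni: str
    duration: timedelta


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form
    '<ISO timestamp> <src> -> <dst>:<dport> sni=<name|-> dur=<seconds>'."""
    ts, src, _arrow, dst_port, sni, dur = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    sni = sni.removeprefix("sni=")
    return Flow(
        ts=datetime.fromisoformat(ts),
        src=src,
        dst=dst,
        dport=int(dport),
        sni="" if sni == "-" else sni,
        duration=timedelta(seconds=int(dur.removeprefix("dur="))),
    )


def defang(host: str) -> str:
    """Match the defanged form used in the indicator list."""
    return host.replace(".", "[.]")


def assess(flow: Flow) -> list:
    """Return the list of reasons a flow is suspicious (empty if none)."""
    reasons = []
    if flow.dst in C2_IPS:
        reasons.append(f"destination {flow.dst} is a known Phantom Circuit C2 server")
    if flow.dport in C2_PORTS:
        reasons.append(f"port {flow.dport} matches the campaign's C2/admin ports")
    if flow.sni and defang(flow.sni) in SPOOFED_DOMAINS:
        reasons.append(f"TLS SNI {flow.sni} matches a spoofed campaign domain")
    if flow.src in PROXY_IPS or flow.src in ORIGIN_IPS:
        reasons.append(f"source {flow.src} is a campaign VPN/origin address")
    if flow.dport == RDP_PORT and flow.duration > MAX_RDP_SESSION:
        reasons.append(f"RDP session of {flow.duration} exceeds {MAX_RDP_SESSION}")
    return reasons


# Constructed sample log: lines 1, 3 and 4 should trip rules, lines 2 and 5 should not.
SAMPLE_LOG = """\
2025-01-12T03:14:00 10.0.4.21 -> 94.131.9.32:1245 sni=- dur=4
2025-01-12T03:15:10 10.0.4.21 -> 142.250.72.14:443 sni=www.google.com dur=2
2024-11-03T22:01:44 10.0.7.9 -> 86.104.74.51:443 sni=sageskills-uk.com dur=1
2024-12-19T08:00:00 70.39.70.196 -> 10.0.4.21:3389 sni=- dur=864000
2025-01-05T11:30:00 10.0.2.2 -> 10.0.2.50:3389 sni=- dur=1800
"""


def scan(log: str) -> dict:
    """Map each suspicious log line to the reasons it was flagged."""
    hits = {}
    for line in log.strip().splitlines():
        reasons = assess(parse_flow(line))
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   -", reason)
```

The rules are deliberately independent so that a flow can accumulate several reasons; the fourth sample line, a 10-day RDP session from an Astrill endpoint, trips two of them, which is the combination the article describes. In production the indicator sets would be loaded from a threat-intelligence feed rather than hard-coded.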

The attackers’ focus on cryptocurrency-related applications aligns with North Korea’s history of using cyberattacks to fund state programs.

Between 2017 and 2023, North Korea reportedly amassed $1.7 billion through cryptocurrency thefts.

STRIKE stresses that organizations must safeguard their software supply chains against threats of this kind:

  • Validate Software Updates: Verify cryptographic checksums or signatures before installing an update, and reject anything that does not match.
  • Monitor Network Traffic: Alert on connections to unusual ports such as 1224 and 1245, which this campaign's C2 infrastructure used.
  • Audit Development Tools: Regularly review development tools for vulnerabilities and unexpected modifications.
  • Detect Proxy Usage: Block proxy and VPN networks linked to known malicious campaigns.
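The first recommendation is the one that would have blocked a trojanized update outright, so here is an added example of what "validate software updates" looks like in code. It is not code from the article or from STRIKE: a release manifest pins the SHA-256 of each artifact, the manifest itself is authenticated, and an update is accepted only if both checks pass. The artifact names, contents and key are constructed for the example. A real update channel would sign the manifest with an asymmetric key (Ed25519, for instance) rather than the keyed HMAC used here, which stands in for that signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Hypothetical key for the example only; a real pipeline uses an asymmetric
# signing key held offline, never a static secret shipped with the client.
MANIFEST_KEY = b"example-manifest-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest over a canonical JSON encoding so that
    reordering keys or changing whitespace cannot produce a second valid tag."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_update(name: str, data: bytes, manifest: dict, tag: str, key: bytes) -> bool:
    """Accept an artifact only if the manifest is authentic and the artifact's
    SHA-256 equals the pinned value. Both comparisons are constant-time."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False  # manifest forged or altered in transit
    expected = manifest.get("artifacts", {}).get(name)
    if expected is None:
        return False  # unlisted artifact: refuse rather than fail open
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed artifacts: a legitimate build and the same build with an implant appended,
# the shape of tampering the article attributes to the campaign.
GOOD_UPDATE = b"dev-tool-1.4.2 legitimate build\n"
BAD_UPDATE = GOOD_UPDATE + b"<implant appended>\n"

MANIFEST = {"version": "1.4.2", "artifacts": {"dev-tool.tar.gz": sha256_hex(GOOD_UPDATE)}}
MANIFEST_TAG = sign_manifest(MANIFEST, MANIFEST_KEY)


def demo() -> dict:
    """Run the four cases a verifier must get right."""
    # An attacker who can replace the artifact can also rewrite the manifest to
    # match it; without the manifest tag the pinned hash would be worthless.
    forged = dict(MANIFEST)
    forged["artifacts"] = {"dev-tool.tar.gz": sha256_hex(BAD_UPDATE)}
    return {
        "genuine": verify_update("dev-tool.tar.gz", GOOD_UPDATE, MANIFEST, MANIFEST_TAG, MANIFEST_KEY),
        "trojanized": verify_update("dev-tool.tar.gz", BAD_UPDATE, MANIFEST, MANIFEST_TAG, MANIFEST_KEY),
        "forged_manifest": verify_update("dev-tool.tar.gz", BAD_UPDATE, forged, MANIFEST_TAG, MANIFEST_KEY),
        "unlisted": verify_update("other.tar.gz", GOOD_UPDATE, MANIFEST, MANIFEST_TAG, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} {'ACCEPT' if accepted else 'REJECT'}")
```

The "forged_manifest" case is the important one: hashing alone does not help if the attacker who swapped the artifact can also publish a matching hash, which is why the manifest (or the artifact) must carry a signature whose key the attacker does not hold.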

This campaign underscores the growing risks posed by supply chain attacks and highlights the importance of proactive security measures in mitigating such threats globally.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
