Monday, March 3, 2025
North Korean IT Workers Hide Their IPs Using Astrill VPN


Security researchers have uncovered new evidence that North Korean threat actors, particularly the Lazarus Group, are actively using Astrill VPN to conceal their true IP addresses during cyberattacks and fraudulent IT worker schemes.

Silent Push, a cybersecurity firm, recently acquired infrastructure and logs from the Lazarus subgroup known as “Contagious Interview” or “Famous Chollima,” confirming the ongoing use of Astrill VPN in their operations.

The investigation revealed that the threat actors registered the domain “bybit-assessment[.]com” hours before the $1.4 billion ByBit cryptocurrency heist, using an email address previously linked to Lazarus Group activities.

Within the acquired logs, researchers identified 27 unique Astrill VPN IP addresses associated with test records created by Lazarus members during their infrastructure setup, further solidifying the group’s preference for this VPN service.

Sophisticated Obfuscation Techniques Uncovered

SecurityScorecard’s STRIKE team has mapped out the operational infrastructure used by the Lazarus Group, revealing a sophisticated network of Astrill VPN exit points and proxies designed to obscure traffic while managing command and control (C2) servers.

The team successfully traced connections through VPNs back to six distinct IP addresses in Pyongyang, North Korea.

The attackers employed a multi-layered obfuscation strategy, routing traffic from North Korean IP addresses through Astrill VPN endpoints, then through an intermediate proxy layer registered to a company in Russia, before finally reaching the C2 infrastructure hosted on servers attributed to Stark Industries.

According to the Silent Push report, this layered approach demonstrates the group’s advanced understanding of operational security and network management.

Ongoing Threat to Global Organizations

The use of Astrill VPN by North Korean IT workers posing as legitimate job candidates continues to pose a significant threat to organizations worldwide.

Google’s Mandiant reported in September 2024 that connections to remote management solutions used by these fake IT workers primarily originated from Astrill VPN IP addresses, likely from China or North Korea.

As the threat persists, cybersecurity firms are releasing updated lists of Astrill VPN IP addresses to help organizations enhance their security posture against this particular threat.

Spur.us, for instance, has made available a comprehensive list of approximately 2,400 IP addresses associated with Astrill VPN as of December 2024.

Organizations are advised to implement stringent background checks, including biometric verification, to require on-camera interviews, and to monitor for the use of AI-generated photos when hiring remote workers.

Additionally, security teams should remain vigilant for signs of remote access tools and connections originating from known VPN services, particularly those associated with high-risk regions.
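The recommendation above amounts to a matching job: take a published VPN exit-IP feed and check every remote-management login against it. The script below is an added illustration written for this article, not code from Silent Push, SecurityScorecard, Spur.us or Mandiant. The feed entries are RFC 5737 documentation ranges (not real Astrill addresses), the login records are constructed, and the log field layout is an assumption; a real deployment would load the vendor feed and read the remote-access tool's own audit log format.

```python
"""Flag remote-access logins whose source IP is on a VPN provider block list.

Added example for this article; not the code of any vendor named in the text.
Feed entries and log lines below are constructed (RFC 5737 test ranges)."""
import ipaddress
import re
from typing import Optional

# Constructed feed in the shape a VPN exit-IP list is commonly published:
# one IPv4 address or CIDR per line, '#' comments allowed.
VPN_FEED = """
# hypothetical vpn-exit feed (constructed; documentation ranges only)
203.0.113.0/24
198.51.100.17
198.51.100.200/30
"""

# Constructed remote-management login records, syslog-like.
# Assumed layout: <timestamp> <tool> user=<name> src=<ip> result=<ok|fail>
SAMPLE_LOGS = [
    "2025-03-03T08:14:02Z anydesk user=jdoe src=203.0.113.45 result=ok",
    "2025-03-03T08:15:11Z rdp user=asmith src=192.0.2.10 result=ok",
    "2025-03-03T08:16:40Z anydesk user=jdoe src=198.51.100.17 result=ok",
    "2025-03-03T08:17:05Z teamviewer user=bwong src=198.51.100.202 result=fail",
    "2025-03-03T08:18:30Z rdp user=clee src=not-an-ip result=ok",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<tool>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def load_feed(text: str) -> list:
    """Parse the feed into network objects; bare addresses become /32 networks.
    Malformed lines are skipped so one bad entry does not drop the whole feed."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def matched_network(ip_text: str, nets) -> Optional[ipaddress.IPv4Network]:
    """Return the first feed network containing ip_text, or None.
    Source fields that are not IP literals (hostnames, garbage) never match."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None


def flag_vpn_logins(lines, nets) -> list:
    """Return one alert dict per parsed login whose source is on the feed.
    Failed logins are kept too: repeated failures from a VPN exit are also a signal."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        net = matched_network(m["src"], nets)
        if net is not None:
            alerts.append({**m.groupdict(), "feed_match": str(net)})
    return alerts


if __name__ == "__main__":
    for a in flag_vpn_logins(SAMPLE_LOGS, load_feed(VPN_FEED)):
        print(f"{a['ts']} {a['tool']} user={a['user']} src={a['src']} "
              f"matched {a['feed_match']} ({a['result']})")
```

Run stand-alone it reports three of the five constructed logins: one inside the /24, one exact /32 hit, and one inside the /30. A feed match is a triage signal rather than proof of anything on its own; the article's other advice (on-camera interviews, identity checks) is what turns a flagged login into a decision about the account.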

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
