慢雾安全团队揭秘 Lazarus Group 入侵手法

链捕手Pubblicato 2025-02-24Pubblicato ultima volta 2025-02-24

原文标题:《加密货币 APT 情报:揭秘 Lazarus Group 入侵手法》

作者: 23pds & Thinking (慢雾安全团队)

编译:lenaxin,ChainCatcher

背景

自 2024 年 6 月以来,慢雾安全团队陆续收到多家团队的邀请,对多起黑客攻击事件展开取证调查。经过前期的积累以及对过去 30 天的深入分析调查,我们完成了对黑客攻击手法和入侵路径的复盘。结果表明,这是一场针对加密货币交易所的国家级 APT 攻击。通过取证分析与关联追踪,我们确认攻击者正是 Lazarus Group 。

在获取相关 IOC (入侵指标)和 TTP (战术、技术与程序)后,我们第一时间将该情报同步给合作伙伴。同时,我们还发现其他合作伙伴也遭遇了相同的攻击方式和入侵手法。不过,相较之下他们较为幸运 —— 黑客在入侵过程中触发了部分安全告警,在安全团队的及时响应下,攻击被成功阻断。

鉴于近期针对加密货币交易所的 APT 攻击持续发生,形势愈发严峻,我们在与相关方沟通后,决定对攻击的 IOC 和 TTP 进行脱敏处理并公开发布,以便社区伙伴能够及时防御和自查。同时,受保密协议限制,我们无法披露过多合作伙伴的具体信息。接下来,我们将重点分享攻击的 IOC 和 TTP 。

攻击者信息

攻击者域名:

  • gossipsnare [.] com , 51.38.145.49:443
  • showmanroast [.] com , 213.252.232.171:443
  • getstockprice [.] info , 131.226.2.120:443
  • eclairdomain [.] com , 37.120.247.180:443
  • replaydreary [.] com , 88.119.175.208:443
  • coreladao [.] com
  • cdn . clubinfo [.] io

涉及事件的 IP :

  • 193.233.171[.]58
  • 193.233.85[.]234
  • 208.95.112[.]1
  • 204.79.197[.]203
  • 23.195.153[.]175

攻击者的 GitHub 用户名:

  • https :// github . com / mariaauijj
  • https :// github . com / patriciauiokv
  • https :// github . com / lauraengmp

攻击者的社交账号:

  • Telegram : @ tanzimahmed88

后门程序名称:

  • StockInvestSimulator - main . zip
  • MonteCarloStockInvestSimulator - main . zip
  • 类似 … StockInvestSimulator - main . zip 等

真实的项目代码:

 ( https :// github . com / cristianleoo / montecarlo - portfolio - management )

攻击者更改后的虚假项目代码:

对比后会发现, data 目录多了一个 data _ fetcher . py 文件,其中包含一个奇怪的 Loader :


攻击者使用的后门技术

攻击者利用 pyyaml 进行 RCE (远程代码执行),实现恶意代码下发,从而控制目标电脑和服务器。这种方式绕过了绝大多数杀毒软件的查杀。在与合作伙伴同步情报后,我们又获取了多个类似的恶意样本。

关键技术分析参考: https :// github . com / yaml / py yaml / wiki / PyYAML - yaml . load ( input )- Deprecation # how - to - disable - the - warning

慢雾安全团队通过对样本的深入分析,成功复现了攻击者利用 pyyaml 进行 RCE (远程代码执行)的攻击手法。

攻击关键分析

目标和动机

目标:攻击者的主要目标是通过入侵加密货币交易所的基础设施,获取对钱包的控制权,进而非法转移钱包中的大量加密资产。

动机:试图窃取高价值的加密货币资产。

技术手段

1. 初始入侵

  • 攻击者利用社会工程学手段,诱骗员工在本地设备或 Docker 内执行看似正常的代码。
  • 在本次调查中,我们发现攻击者使用的恶意软件包括 ` StockInvestSimulator - main . zip ` 和 ` MonteCarlo StockInvestSimulator - main . zip `。这些文件伪装成合法的 Python 项目,但实则是远程控制木马,并且攻击者利用 pyyaml 进行 RCE ,作为恶意代码的下发和执行手段,绕过了大多数杀毒软件的检测。

2. 权限提升

  • 攻击者通过恶意软件成功获取员工设备的本地控制权限,并且诱骗员工将 docker - compose . yaml 中的 privileged 设置为 true 。
  • 攻击者利用 privileged 设置为 true 的条件进一步提升了权限,从而完全控制了目标设备。

3. 内部侦察和横向移动

  • 攻击者利用被入侵的员工电脑对内网进行扫描。
  • 随后,攻击者利用内网的服务和应用漏洞,进一步入侵企业内部服务器。
  • 攻击者窃取了关键服务器的 SSH 密钥,并利用服务器之间的白名单信任关系,实现横向移动至钱包服务器。

4. 加密资产转移

  • 攻击者成功获得钱包控制权后,将大量加密资产非法转移至其控制的钱包地址。

5. 隐藏痕迹

  • 攻击者利用合法的企业工具、应用服务和基础设施作为跳板,掩盖其非法活动的真实来源,并删除或破坏日志数据和样本数据。

过程

攻击者通过社会工程学手段诱骗目标,常见方式包括:

1. 伪装成项目方,寻找关键目标开发人员,请求帮助调试代码,并表示愿意提前支付报酬以获取信任。

我们追踪相关 IP 和 ua 信息后发现,这笔交易属于第三方代付,没有太多价值。

2. 攻击者伪装成自动化交易或投资人员,提供交易分析或量化代码,诱骗关键目标执行恶意程序。一旦恶意程序在设备上运行,它会建立持久化后门,并向攻击者提供远程访问权限。

  • 攻击者利用被入侵设备扫描内网,识别关键服务器,并利用企业应用的漏洞进一步渗透企业网络。所有攻击行为均通过被入侵设备的 VPN 流量进行,从而绕过大部分安全设备的检测。
  • 一旦成功获取相关应用服务器权限,攻击者便会窃取关键服务器的 SSH 密钥,利用这些服务器的权限进行横向移动,最终控制钱包服务器,将加密资产转移到外部地址。整个过程中,攻击者巧妙利用企业内部工具和基础设施,使攻击行为难以被快速察觉。
  • 攻击者会诱骗员工删除调试运行的程序,并且提供调试报酬,以掩盖攻击痕迹。

此外,由于部分受骗员工担心责任追究等问题,可能会主动删除相关信息,导致攻击发生后不会及时上报相关情况,使得排查和取证变得更加困难。

应对建议

APT (高级持续性威胁)攻击因其隐蔽性强、目标明确且长期潜伏的特点,防御难度极高。传统安全措施往往难以检测其复杂的入侵行为,因此需要结合多层次网络安全解决方案,如实时监控、异常流量分析、端点防护与集中日志管理等,才能尽早发现和感知攻击者的入侵痕迹,从而有效应对威胁。慢雾安全团队提出 8 大防御方向和建议,希望可以为社区伙伴提供防御部署的参考:

1. 网络代理安全配置

目标:在网络代理上配置安全策略,以实现基于零信任模型的安全决策和服务管理。 

解决方案:Fortinet (https://www.fortinet.com/), Akamai (https://www.akamai.com/glossary/where-to-start-with-zero-trust), Cloudflare (https://www.cloudflare.com/zero-trust/products/access/) 等。

2. DNS 流量安全防护

目标:在 DNS 层实施安全控制,检测并阻止解析已知恶意域名的请求,防止 DNS 欺骗或数据泄露。 

解决方案:Cisco Umbrella (https://umbrella.cisco.com/) 等。

3. 网络流量/主机监控与威胁检测

目标:分析网络请求的数据流,实时监测异常行为,识别潜在攻击(如 IDS/IPS),服务器安装 HIDS,以便尽早发现攻击者的漏洞利用等攻击行为。 

解决方案:SolarWinds Network Performance Monitor (https://www.solarwinds.com/), Palo Alto (https://www.paloaltonetworks.com/), Fortinet (https://www.fortinet.com/), 阿里云安全中心 (https://www.alibabacloud.com/zh/product/security_center), GlassWire (https://www.glasswire.com/) 等。

4. 网络分段与隔离

目标:将网络划分为较小的、相互隔离的区域,限制威胁传播范围,增强安全控制能力。 

解决方案:Cisco Identity Services Engine (https://www.cisco.com/site/us/en/products/security/identity-services-engine/index.html),云平台安全组策略等。

5. 系统加固措施

目标:实施安全强化策略(如配置管理、漏洞扫描和补丁更新),降低系统脆弱性,提升防御能力。 

解决方案:Tenable.com (https://www.tenable.com/), public.cyber.mil (https://public.cyber.mil) 等。

6. 端点可见性与威胁检测

目标:提供对终端设备活动的实时监控,识别潜在威胁,支持快速响应(如 EDR),设置应用程序白名单机制,发现异常程序并及时告警。

解决方案:CrowdStrike Falcon (https://www.crowdstrike.com/), Microsoft Defender for Endpoint (https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint), Jamf (https://www.jamf.com/) 或 WDAC (https://learn.microsoft.com/en-us/hololens/windows-defender-application-control-wdac) 等。

7. 集中日志管理与分析

目标:将来自不同系统的日志数据整合到统一平台,便于安全事件的追踪、分析和响应。

解决方案:Splunk Enterprise Security (https://www.splunk.com/), Graylog (https://graylog.org/), ELK (Elasticsearch, Logstash, Kibana) 等。

8. 培养团队安全意识

目标:提高组织成员安全意识,能够识别大部分社会工程学攻击,并在出事后主动上报异常,以便更及时进行排查。

解决方案:区块链黑暗森林自救手册 (https://darkhandbook.io/), Web3 钓鱼手法分析 (https://github.com/slowmist/Knowledge-Base/blob/master/security-research/Web3%20%E9%92%93%E9%B1%BC%E6%89%8B%E6%B3%95%E8%A7%A3%E6%9E%90.pdf) 等。

此外,我们建议周期性开展红蓝对抗的演练,以便识别出安全流程管理和安全防御部署上的薄弱点。

写在最后

攻击事件常常发生在周末及传统节假日期间,给事件响应和资源协调带来了不小的挑战。在这一过程中,慢雾安全团队的 23pds (山哥), Thinking , Reborn 等相关成员始终保持警觉,在假期期间轮班应急响应,持续推进调查分析。最终,我们成功还原了攻击者的手法和入侵路径。

回顾本次调查,我们不仅揭示了 Lazarus Group 的攻击方式,还分析了其利用社会工程学、漏洞利用、权限提升、内网渗透及资金转移等一系列战术。同时,我们基于实际案例总结了针对 APT 攻击的防御建议,希望能为行业提供参考,帮助更多机构提升安全防护能力,减少潜在威胁的影响。网络安全对抗是一场持久战,我们也将持续关注类似攻击,助力社区共同抵御威胁。

Crypto di tendenza

Letture associate

MSTR Discloses Sale of 3,588 Bitcoins, Stock Price Drops Over 5% at One Point During Trading

MicroStrategy, the world's largest corporate holder of Bitcoin, has significantly shifted its business model. Between June 29 and July 5, the company sold 3,588 bitcoins for approximately $216 million to fund quarterly dividends for its preferred stock. This marks its largest-ever Bitcoin sale and signals a strategic pivot: Bitcoin is transitioning from a "buy-and-hold" reserve asset to a liquidity management tool for the company. This move follows a recent authorization allowing Bitcoin sales when equity fundraising is less attractive. The announcement contributed to a more than 5% intraday drop in MicroStrategy's stock price, while Bitcoin fell to around $61,800—below the company's average holding cost of roughly $75,700. The sale represents a major departure from MicroStrategy's long-standing "never sell" commitment, which saw its first minor breach in May with a $2.5 million sale. The latest, hundred-times-larger transaction underscores growing financial pressures. Analysts note the company faces about $1.5 billion in annual preferred dividend obligations, far exceeding cash flow from its software business. As of July 5, MicroStrategy holds 843,775 bitcoins. Its current operational logic involves buying Bitcoin during favorable financing conditions and selling portions to cover dividends when needed, creating a flexible capital management cycle amidst a challenging market environment.

华尔街日报3 h fa

MSTR Discloses Sale of 3,588 Bitcoins, Stock Price Drops Over 5% at One Point During Trading

华尔街日报3 h fa

Q-Day Countdown: Will Quantum Computing End Cryptocurrencies?

Quantum Computing's Threat to Cryptocurrency: A Countdown to Q-Day Quantum computing, specifically Shor's algorithm, poses a fundamental threat to the public-key cryptography (e.g., ECDSA, RSA) that secures blockchain networks like Bitcoin and Ethereum. This critical juncture, known as Q-Day, is estimated to occur potentially within the next 5-15 years. The core vulnerability stems from the public and immutable nature of blockchains. Assets in addresses where the public key is already exposed on-chain (e.g., spent outputs) are at direct risk, as a sufficiently powerful quantum computer could derive the private key. This threatens the very trust model of cryptocurrencies. The response lies in Post-Quantum Cryptography (PQC)—algorithms like lattice-based ML-DSA and hash-based SLH-DSA, which are resistant to quantum attacks. NIST has standardized key PQC algorithms (FIPS 203, 204, 205), providing a migration path. However, the primary challenge is not technical but socio-economic and involves complex governance: * **Bitcoin's** path is constrained by its conservative ethos. Migrating requires a soft-fork to new address types, facing hurdles like significantly larger signature sizes and, most critically, the divisive governance question of how to handle at-risk legacy UTXOs without violating core principles. * **Ethereum** is pursuing a "cryptographic agility" strategy, with a multi-layered roadmap. It leverages account abstraction for user accounts and is developing compressed hash-based signatures (e.g., leanXMSS) for its consensus layer, aiming for a full-stack upgrade over time. In conclusion, quantum computing does not spell an instant end for cryptocurrency but initiates a critical countdown. The industry has a limited "engineering comfort window" to orchestrate a coordinated, ecosystem-wide migration to PQC. The ultimate bottlenecks are the immense coordination efforts and governance decisions required for this foundational transition.

marsbit4 h fa

Q-Day Countdown: Will Quantum Computing End Cryptocurrencies?

marsbit4 h fa

Trump, the President Who Knows Best How to 'Trade Stocks'

Former US President Donald Trump reported a record-breaking $2.2 billion in personal income for 2025, the highest annual income ever disclosed by a sitting president. This figure, from a 927-page government ethics filing, represented a 3.5-fold increase from his $600 million income in 2024 and boosted his net worth to $6.5 billion. The primary drivers were cryptocurrency (64% of income, approximately $1.4 billion) and real estate (26%, approximately $575 million). His crypto earnings stemmed largely from the launch of his personal meme coin, $TRUMP, generating over $600 million in licensing fees, and substantial profits from the WLFI token and its parent company. Despite a sluggish property market, his Mar-a-Lago resort and associated golf clubs saw revenue surges of 50% and 27%, respectively, attributed to their use as venues for presidential events. Trump's financial disclosure also revealed an unprecedented level of stock market activity, with over 22,000 trades executed in 2025, averaging 87 trades per market day. Media analyses noted several instances where significant trading coincided with major policy announcements, such as proposed tariffs, raising questions about potential conflicts of interest. While the White House stated these trades were handled by a family-managed trust fund and not Trump directly, critics highlighted this as a departure from the blind trusts traditionally used by presidents post-Watergate. The report has intensified debate over the commercialization of the presidency. Supporters view it as a success story of a businessman-president, while critics argue it demonstrates an unprecedented conversion of public influence into private wealth, with policy decisions potentially linked to personal financial gains. The controversy centers on whether Trump's earnings represent innovative entrepreneurship or a fundamental conflict of interest, sparking renewed calls for stricter ethics reforms in US governance.

marsbit4 h fa

Trump, the President Who Knows Best How to 'Trade Stocks'

marsbit4 h fa

Countdown to Q-Day: Will Quantum Computing End Cryptocurrencies?

The article explores the existential threat quantum computing poses to cryptocurrencies and the urgent need for "post-quantum" migration. It outlines that quantum computers, through Shor's algorithm, could break the elliptic-curve cryptography (ECC) underlying blockchain security, potentially allowing private keys to be derived from public keys. The core challenge is not a lack of post-quantum cryptography (PQC) standards—like NIST's ML-KEM and ML-DSA—but the immense complexity of upgrading entire ecosystems before "Q-Day" (when quantum computers become capable of such attacks, estimated around 2035-2045). Key points include: * **Bitcoin's** risk is concentrated in legacy UTXOs with exposed public keys (e.g., early P2PK outputs). Migration faces massive hurdles: PQC signatures are much larger, increasing transaction size and cost, and the governance dilemma of handling un-migrated assets threatens its "code is law" ethos. * **Ethereum's** strategy focuses on "cryptographic agility," using Account Abstraction for user accounts and developing compressed hash-based signatures (like leanXMSS with SNARK aggregation) for consensus. Its migration is a complex, full-stack overhaul of execution, consensus, and data layers. * The "security debt" is enormous. The comfortable engineering window for a coordinated, ecosystem-wide upgrade is only 5-8 years. High-value infrastructure (exchanges, bridges) may face pressure before mainnet protocols. In conclusion, quantum computing is not an instant "doomsday" event but a forcing function for systemic change. Bitcoin's ultimate test is social consensus and property rights governance, while Ethereum's is technical complexity. Failure to migrate in time could lead to a fundamental re-pricing of crypto assets.

链捕手4 h fa

Countdown to Q-Day: Will Quantum Computing End Cryptocurrencies?

链捕手4 h fa

Trading

Spot

Articoli Popolari

Come comprare APT

Benvenuto in HTX.com! Abbiamo reso l'acquisto di Aptos (APT) semplice e conveniente. Segui la nostra guida passo passo per intraprendere il tuo viaggio nel mondo delle criptovalute.Step 1: Crea il tuo Account HTXUsa la tua email o numero di telefono per registrarti il tuo account gratuito su HTX. Vivi un'esperienza facile e sblocca tutte le funzionalità,Crea il mio accountStep 2: Vai in Acquista crypto e seleziona il tuo metodo di pagamentoCarta di credito/debito: utilizza la tua Visa o Mastercard per acquistare immediatamente AptosAPT.Bilancio: Usa i fondi dal bilancio del tuo account HTX per fare trading senza problemi.Terze parti: abbiamo aggiunto metodi di pagamento molto utilizzati come Google Pay e Apple Pay per maggiore comodità.P2P: Fai trading direttamente con altri utenti HTX.Over-the-Counter (OTC): Offriamo servizi su misura e tassi di cambio competitivi per i trader.Step 3: Conserva Aptos (APT)Dopo aver acquistato Aptos (APT), conserva nel tuo account HTX. In alternativa, puoi inviare tramite trasferimento blockchain o scambiare per altre criptovalute.Step 4: Scambia Aptos (APT)Scambia facilmente Aptos (APT) nel mercato spot di HTX. Accedi al tuo account, seleziona la tua coppia di trading, esegui le tue operazioni e monitora in tempo reale. Offriamo un'esperienza user-friendly sia per chi ha appena iniziato che per i trader più esperti.

131 Totale visualizzazioniPubblicato il 2024.12.11Aggiornato il 2026.06.02

Come comprare APT

Discussioni

Benvenuto nella Community HTX. Qui puoi rimanere informato sugli ultimi sviluppi della piattaforma e accedere ad approfondimenti esperti sul mercato. Le opinioni degli utenti sul prezzo di APT APT sono presentate come di seguito.

活动图片