Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
Lazarus Inside the Contagious Interview C2 Infrastructure scenario attack flow
- Fake job interviews conducted on Upwork to deliver malicious code repositories to cryptocurrency developers.
- Victim executes malicious code via npm install command which triggers embedded malware.
- Malicious JavaScript payloads executed via Function.constructor for RCE and cookie payload delivery.
- Tsunami backdoor implemented in Python after 64 layers of deobfuscation.
- 64 nested obfuscation layers using Base85, XOR, zlib compression and reversed base64.
- Persistence via Windows Update Script.pyw placed in Startup folder.
- Scheduled task named 'Runtime Broker' created to run at logon for persistence.
- Browser data extraction including credentials from Chrome and Brave browsers.
- Cookie exfiltration via getCookie() function that fetches from C2.
- Windows Defender exclusions added via PowerShell to evade detection.
- Data exfiltration over FTP using basic-ftp library to pyftpdlib servers.
- 1000 encoded Pastebin profile URLs used as dead drop for C2 resolution.
- XMRig cryptocurrency miner deployed disguised as msedge.exe for Monero mining.
- Malware masquerades as Runtime Broker.exe and msedge.exe to blend with legitimate processes.
- XOR encryption with multiple keys including G01d*8@( for file encryption.
- RSA public key used for payload signing and secure communication.
- Full-featured Python backdoor (175KB) with RAT capabilities and XMRig miner, delivered via /bro/ endpoint.
- Browser data extraction module targeting Chrome credentials and session data.
- Extended credential stealer targeting Brave browser and Exodus cryptocurrency wallets.
- Browser extension hijacking module targeting MetaMask cryptocurrency wallet.
- Remote access trojan with FTP exfiltration capabilities.
- Cookie payload delivery mechanism that fetches and executes JavaScript from C2.
- Cryptocurrency miner for Monero, deployed disguised as msedge.exe.
- Legitimate IDE abused via tasks.json auto-execution when project folder is opened.
- AI-powered code editor that also executes malicious tasks.json on folder open.
- Node.js package manager abused to trigger malicious code execution via install scripts.
- Node.js web framework running on C2 servers on port 1244.
- Python FTP server library running on port 21 for data exfiltration.
- Cloud database service hosting C2 backend and cover development projects (32 databases, 3.2GB).
- Primary C2 server running Windows Server on AS396073 Majestic Hosting.
- Secondary C2 server flagged by 14 VirusTotal vendors on AS396073.
- Backup C2 server running Windows Server on AS396073.
- Router infrastructure server on AS397423 TIER-NET, currently offline.
- MetaMask Injector C2 server on AS397423.
- Chrome Stealer C2 with custom binary protocol on ports 22411-22412.
- Chrome Stealer C2 server on AS397423.
- Stage 1 Vercel-hosted distribution server with /task/linux endpoint.
- Stage 1 Vercel-hosted distribution server with /api/x endpoint.
- Stage 1 Vercel-hosted distribution server with token-authenticated endpoint.
- 1000 encoded Pastebin profile URLs used for dead drop C2 resolution.
- Developers working on cryptocurrency and Web3 projects targeted via freelancing platforms.
- Chrome and Brave browser credentials, cookies and session data targeted for theft.
- MetaMask extension and Exodus wallet targeted for credential theft and hijacking.
- CPU/GPU resources hijacked for Monero cryptocurrency mining.
- Freelancing platform used as initial contact vector for fake job interviews.
- North Korean state-sponsored threat actor behind Contagious Interview campaign.