SlowMist's Cosine: Bybit attacker confirmed as North Korea's Lazarus Group, attack method revealed

区块律动BlockBeats | Feb 23, 2025 12:08
According to BlockBeats, on February 23 Cosine, the founder of SlowMist, stated in a post: "Through forensic analysis and correlation tracing, we have confirmed that the attacker behind the Bybit theft incident is North Korea's Lazarus Group. This is a nation-state-level APT attack targeting cryptocurrency trading platforms. The attackers abuse pyyaml to achieve remote code execution (RCE), distribute malicious code, and gain control of target computers and servers. This method bypasses the majority of antivirus software. After synchronizing intelligence with partners, multiple similar malicious samples were obtained. The attacker's main goal is to break into the infrastructure of cryptocurrency trading platforms, gain control of wallets, and illegally transfer large amounts of crypto assets out of those wallets."

SlowMist published a summary article revealing the attack methods of the Lazarus Group, analyzing a series of tactics such as social engineering, vulnerability exploitation, privilege escalation, intranet penetration, and fund transfer. Based on actual cases, it also summarized defense suggestions against APT attacks, hoping to provide a reference for the industry, help more institutions improve their security protection capabilities, and reduce the impact of potential threats.
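The pyyaml RCE technique mentioned above relies on a document carrying Python-specific tags (such as `!!python/object/apply`) being parsed by a loader that constructs Python objects. As an added defensive example (not code from SlowMist or the BlockBeats article), the following scanner flags those tags in untrusted YAML before any parsing happens, and a guard refuses to hand such input to whatever loader the caller supplies; the sample documents and the function names are constructed for illustration.

```python
import re

# Tags that pyyaml's full/unsafe loaders turn into Python object construction.
# Any of them in untrusted input is a red flag: a permissive yaml.load() can
# instantiate arbitrary classes or call arbitrary callables while "parsing".
UNSAFE_TAG_RE = re.compile(r"!!python/(?:object(?:/apply|/new)?|name|module)\b")


def find_unsafe_tags(yaml_text):
    """Return (line_no, tag) pairs for every pyyaml python-specific tag found.

    Comments are deliberately not stripped: a false positive on a commented
    tag is preferable to missing one hidden behind quoting tricks.
    """
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        for match in UNSAFE_TAG_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def is_safe_to_load(yaml_text):
    """True when no python-specific tags are present."""
    return not find_unsafe_tags(yaml_text)


def guarded_load(yaml_text, loader):
    """Parse only if the document is tag-clean; `loader` is the caller's
    parser (e.g. yaml.safe_load). Raises ValueError with the offending lines
    so the event can be logged and alerted on."""
    hits = find_unsafe_tags(yaml_text)
    if hits:
        where = ", ".join(f"line {ln}: {tag}" for ln, tag in hits)
        raise ValueError(f"refusing to parse YAML with python tags ({where})")
    return loader(yaml_text)


# Constructed samples: an ordinary config and one smuggling an apply tag.
BENIGN = "exchange:\n  signer: cold-to-hot\n  retries: 3\n"
SUSPECT = "exchange:\n  hook: !!python/object/apply:os.getcwd []\n"

if __name__ == "__main__":
    print(find_unsafe_tags(SUSPECT))  # [(2, '!!python/object/apply')]
```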