Lazarus JS Files Uncovered: ByBit $1.5B Hack


🚨 Found 2 more Non-Malicious JS Files from Lazarus linked to ByBit Hack Series

🎯 MD5: be9397a0b6f01d21e15c70c4b37487fe

Size: 3.57 MB

1️⃣ MD5: 9e96a53a50d4f046696e976e60332ac0

Size: 3.58 MB

2️⃣ MD5: 98303ede11d912877ca7c83e8db9b4a7

Size: 3.57 MB

📌 All 3 files appeared on the same day: 26th February 2025
📌 Both these files were uploaded from Taiwan 🇹🇼

📌 All 3 files are named _app-52c9031bfa03da47.js

Practice Verified Codes and Commands

1. MD5 Hash Verification

To compute the MD5 hash of a file so it can be compared with the three IOC hashes listed above (MD5 is adequate for matching a published indicator, but it is not collision-resistant, so record SHA-256 as well):

md5sum filename.js

2. File Size Check

To check the size of a file (the sizes above are given in MB; `ls -lh` prints the same human-readable form, `stat -c %s` gives exact bytes on GNU systems):

ls -lh filename.js

3. Analyzing JS Files

Use `node --check` (short form `-c`) to syntax-check a JavaScript file without executing it. Never run a suspect bundle directly with `node filename.js`; a parse check is the only thing the interpreter should do with it outside a sandbox:

node --check filename.js

4. Monitoring File Uploads

Use `inotifywait` (from inotify-tools) to monitor a directory for uploads. `-m` keeps it running; restricting the events to `close_write` and `moved_to` reports files only once they have been completely written or moved into place, instead of on every partial write:

inotifywait -m -e close_write,moved_to /path/to/directory

5. Network Traffic Analysis

Use `tcpdump` to capture network traffic to a pcap file for later analysis in Wireshark (requires root or `CAP_NET_RAW`; replace `eth0` with the interface you are watching):

tcpdump -i eth0 -w capture.pcap

6. File Integrity Check

Use `sha256sum` for a collision-resistant hash alongside the MD5 (publish and store both when sharing indicators):

sha256sum filename.js

7. Log Analysis

Use `grep` to search logs for specific patterns; adjust the path for your distribution, as many systems log to the journal or `/var/log/messages` instead of `/var/log/syslog`:

grep "upload" /var/log/syslog

8. File Metadata Extraction

Use `exiftool` to extract embedded metadata from files. For a plain-text JS bundle this is mostly file type and size; filesystem timestamps and ownership come from `stat filename.js` instead:

exiftool filename.js

9. Process Monitoring

Use `ps` to monitor running processes:

ps aux | grep node

10. File Deletion

Securely delete working copies, but only after analysis is complete and a reference copy of each sample has been preserved for the investigation. Note that `shred` cannot guarantee overwriting on journaled, copy-on-write, or SSD-backed storage, as its own manual states:

shred -u filename.js
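The hashing, sizing and naming checks above combine into a small triage script. The following is an added example written for this page; it is not code from the original post or from the reporter. It hardcodes the three MD5 hashes and the file name quoted above as indicators, computes MD5, SHA-256 and byte size for every `.js` file under a directory without executing anything, and reports a hash match separately from a name-only match, since a file named `_app-52c9031bfa03da47.js` with a different hash is a different build of the same bundle and is not necessarily one of the three samples. The sample directory and file contents built by `demo` are constructed for illustration only.

```shell
#!/bin/sh
# Added example for this page (not from the original post): hash/name IOC triage
# of JavaScript bundles using md5sum, sha256sum and wc. The three MD5s and the
# file name come from the post above; the sample directory built in demo() is
# constructed for illustration only.

IOC_MD5S="be9397a0b6f01d21e15c70c4b37487fe
9e96a53a50d4f046696e976e60332ac0
98303ede11d912877ca7c83e8db9b4a7"
IOC_NAME="_app-52c9031bfa03da47.js"

# md5_of FILE: print the MD5 hex digest (GNU coreutils md5sum or BSD/macOS md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# sha256_of FILE: print the SHA-256 hex digest; recorded alongside MD5 because
# MD5 is fine for matching a published IOC but is not collision-resistant.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# classify FILE: HASH_MATCH if the MD5 is one of the IOCs, NAME_MATCH if only the
# basename equals the IOC file name (a different build of the same bundle),
# otherwise NO_MATCH.
classify() {
    h=$(md5_of "$1")
    for ioc in $IOC_MD5S; do
        if [ "$h" = "$ioc" ]; then
            echo HASH_MATCH
            return 0
        fi
    done
    if [ "$(basename "$1")" = "$IOC_NAME" ]; then
        echo NAME_MATCH
    else
        echo NO_MATCH
    fi
}

# triage DIR: one line per .js file: verdict, MD5, SHA-256, size in bytes, path.
# Nothing is executed; the files are only read for hashing and sizing.
triage() {
    find "$1" -type f -name '*.js' | sort | while IFS= read -r f; do
        printf '%s %s %s %s %s\n' "$(classify "$f")" "$(md5_of "$f")" \
            "$(sha256_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# demo: build a constructed sample directory and triage it.
demo() {
    d=$(mktemp -d)
    # Same name as the IOC but constructed content: expect NAME_MATCH.
    printf 'console.log("constructed benign bundle");\n' > "$d/$IOC_NAME"
    # Unrelated file: expect NO_MATCH.
    printf 'console.log("vendor");\n' > "$d/vendor.js"
    triage "$d"
    rm -rf "$d"
}

demo
```

Run it as `sh triage.sh` to see the constructed demo, or source it and call `triage /path/to/samples` against a real directory. A HASH_MATCH line means the file is byte-identical to one of the three reported samples; a NAME_MATCH line is a lead to compare by SHA-256 against whatever hash you trust for the legitimate build, not a verdict on its own.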

What Undercode Says

The Lazarus group’s involvement in the ByBit $1.5B hack highlights the increasing sophistication of cyberattacks targeting the cryptocurrency sector. The discovery of non-malicious JS files linked to the attack underscores the importance of thorough file analysis and monitoring. Here are some key takeaways and commands to enhance your cybersecurity posture:

  1. File Integrity Monitoring: Regularly verify file hashes using tools like `md5sum` and `sha256sum` to detect unauthorized changes.
  2. Network Traffic Analysis: Use `tcpdump` and `Wireshark` to monitor and analyze network traffic for suspicious activities.
  3. Log Management: Implement centralized log management using `syslog-ng` or `rsyslog` to aggregate and analyze logs from multiple sources.
  4. Process Monitoring: Use `ps`, `top`, and `htop` to monitor running processes and identify anomalies.
  5. File Metadata Analysis: Extract and analyze file metadata using `exiftool` to identify potential threats.
  6. Secure File Deletion: Use `shred` or `srm` to securely delete sensitive files and prevent recovery.
  7. JavaScript Analysis: Use `node --check` to syntax-validate a suspect file without running it, and a beautifier or a linter such as `eslint` to make minified bundles readable before manual review. Linters do not detect malicious code by themselves; the review does.
  8. User Activity Monitoring: Use `auditd` to track user activities and detect unauthorized access.
  9. File Upload Monitoring: Implement `inotify` to monitor file uploads in real-time and respond to suspicious activities.
  10. Incident Response: Develop and practice an incident response plan using tools like `TheHive` and `Cortex` to quickly respond to cyber incidents.


Stay vigilant and proactive in defending against advanced persistent threats (APTs) like Lazarus. Regularly update your knowledge and tools to stay ahead of cyber adversaries.

References:

Initially reported by: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_bybit-crypto-cryptocurrency-activity-7302219134912577537-SIcP (Hackers Feeds)