Unmasking a Malware Propagation Campaign by the APT Groups Wagemole and Lazarus
The case behind “C’est La Vie Wellness Retreat” and the CryptoEver project
In collaboration with Defants and SSRD.IO, an extensive investigation was conducted into a sophisticated scam operation involving the entities “C’est La Vie Wellness Retreat” and “CryptoEver.” Based on IoC evidence, the scam has been attributed to the Wagemole malware propagation campaign carried out by Lazarus, a group known for its advanced cyber-espionage and financial theft operations. Both Wagemole and Lazarus are North Korean Advanced Persistent Threat (APT) groups. The Indicators of Compromise (IoCs) collected during the investigation have clearly been tagged as belonging to these two entities.
Understanding the Threat: A Brief Overview
This campaign relied on social engineering. Attackers posed as employees of “C’est La Vie Wellness Retreat” and gained the trust of potential victims through LinkedIn job offers in the cryptocurrency field. Once trust was established, the attackers gave the victim access to a private GitHub repository containing malicious code. Similar tactics have been reported in many other malicious projects. All of these operations aimed to install malware on victims’ systems and steal personal and sensitive data in the process.
Key Findings
- Identification of a sophisticated scam operation involving “C’est La Vie Wellness Retreat” and “CryptoEver,” attributed to the Wagemole malware propagation campaign carried out by Wagemole and Lazarus, both North Korean Advanced Persistent Threat (APT) groups.
- Detection of multiple fake job offers on LinkedIn, in which victims were approached by scammers pretending to be employees of “C’est La Vie Wellness Retreat” and were led to malware-infected Proof of Concept (POC) projects hosted in private GitHub repositories.
- Evidence of extensive use of social engineering tactics, including legitimate-looking documentation and credentials provided to victims.
- Discovery that all posts and job offers sent to victims were generated using ChatGPT, which enhanced their credibility and reach.
- The scam’s first association with cestlaviewellnessretreat.com appeared on GitHub in August 2024, and updates and new information have been emerging consistently since.
- Analysis of multiple obfuscated Node.js payloads that target browser extensions to harvest user credentials and cryptocurrency data, with exfiltration over FTP and HTTP POST requests.
- Multiple IP addresses associated with the scam were found to be active, hosting services such as FTP, HTTP, RDP, and MySQL, including servers linked to the payloads .npl, brow, and any.
- Identification of the techniques used to obfuscate the malicious code, including string concatenation, Base64 encoding, XOR decryption, and dynamic execution, which make static analysis challenging.
- Observation of the payloads’ extensive functionality, including password and data decryption across multiple platforms (Windows, Linux, macOS), keylogging, upload of files and directories to FTP servers, and interaction with the AnyDesk software.
- Continuous monitoring revealed updated payload variants appearing online, indicating an ongoing and evolving threat.
Breakdown of the Malware Analysis
.npl Payload (Known as BeaverTail malware)
Purpose: This script initiates the malware’s core functions, including gathering files and sending them to a remote server.
Techniques: This payload uses OS-specific methods to hide its processes, executing stealthily across Windows, macOS, and Linux environments.
brow Payload (Known as a part of the InvisibleFerret malware)
Purpose: This payload extracts sensitive login and credit card information from various browsers, including Chrome, Firefox, and Edge.
Techniques: Using decryption routines tailored to each browser, this payload retrieves and decodes the encrypted data the browser stores.
pay Payload (Known as CivetQ malware)
Purpose: This Command & Control (C2) component gathers system and geolocation data, runs a keylogger on Windows systems, and provides remote access.
Techniques: The payload monitors user activity and periodically sends the collected data back to a server, adapting its behavior to the operating system.
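The periodic check-in behaviour described above is something a defender can look for in web proxy logs. The following JavaScript is an added example written for this article, not code from the investigation or from the malware: it parses constructed proxy log lines (timestamp, source IP, method, URL, status, bytes), groups HTTP POSTs by source and destination host, and flags flows whose inter-request intervals are nearly constant (coefficient of variation at or below 0.2 over at least five requests). The log format, the addresses and ports, and the thresholds are all assumptions.

```javascript
// Added example, not code from the original write-up: surface hosts that
// POST to the same destination at near-constant intervals in proxy logs.
// Log format, addresses, ports and thresholds are constructed assumptions.

// Constructed log lines: "<ISO timestamp> <src IP> <method> <URL> <status> <bytes>".
const SAMPLE_LOG = [
  // one workstation posting to the same host roughly every 60 seconds
  '2024-08-12T10:00:00Z 10.0.0.5 POST http://203.0.113.10:8081/upload 200 5120',
  '2024-08-12T10:01:01Z 10.0.0.5 POST http://203.0.113.10:8081/upload 200 4988',
  '2024-08-12T10:02:00Z 10.0.0.5 POST http://203.0.113.10:8081/upload 200 5301',
  '2024-08-12T10:02:59Z 10.0.0.5 POST http://203.0.113.10:8081/upload 200 5044',
  '2024-08-12T10:04:00Z 10.0.0.5 POST http://203.0.113.10:8081/upload 200 5210',
  '2024-08-12T10:05:01Z 10.0.0.5 POST http://203.0.113.10:8081/upload 200 4877',
  // ordinary browsing from the same workstation: irregular, and GET
  '2024-08-12T10:00:12Z 10.0.0.5 GET http://example.com/ 200 14022',
  '2024-08-12T10:03:40Z 10.0.0.5 GET http://example.com/news 200 22310',
  '2024-08-12T10:10:55Z 10.0.0.5 GET http://example.com/about 200 9011',
  // another host posting to an internal API at irregular intervals
  '2024-08-12T10:00:00Z 10.0.0.9 POST http://intranet.example/api 200 310',
  '2024-08-12T10:00:05Z 10.0.0.9 POST http://intranet.example/api 200 287',
  '2024-08-12T10:02:00Z 10.0.0.9 POST http://intranet.example/api 200 402',
  '2024-08-12T10:02:01Z 10.0.0.9 POST http://intranet.example/api 200 295',
  '2024-08-12T10:09:30Z 10.0.0.9 POST http://intranet.example/api 200 388',
  // a malformed line, to show the parser skips it rather than crashing
  'corrupted log entry',
];

// Parse one line into a record, or return null if it does not fit the format.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 6) return null;
  const [ts, src, method, url, status, bytes] = parts;
  const t = Date.parse(ts);
  if (Number.isNaN(t)) return null;
  let host;
  try {
    host = new URL(url).host; // keeps a non-default port, e.g. "203.0.113.10:8081"
  } catch {
    return null;
  }
  return { t, src, method, host, status: Number(status), bytes: Number(bytes) };
}

// Mean and coefficient of variation (std dev / mean) of a list of numbers.
function stats(values) {
  const n = values.length;
  const mean = values.reduce((a, b) => a + b, 0) / n;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / n;
  return { mean, cv: mean === 0 ? Infinity : Math.sqrt(variance) / mean };
}

// Group POSTs by (source, destination host) and flag flows with at least
// minEvents requests whose inter-request intervals vary by at most maxCv.
function findBeacons(lines, { minEvents = 5, maxCv = 0.2 } = {}) {
  const flows = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'POST') continue;
    const key = `${r.src} -> ${r.host}`;
    if (!flows.has(key)) flows.set(key, []);
    flows.get(key).push(r);
  }
  const hits = [];
  for (const [flow, events] of flows) {
    if (events.length < minEvents) continue;
    events.sort((a, b) => a.t - b.t);
    const gaps = [];
    for (let i = 1; i < events.length; i++) {
      gaps.push((events[i].t - events[i - 1].t) / 1000);
    }
    const { mean, cv } = stats(gaps);
    if (cv <= maxCv) {
      hits.push({
        flow,
        events: events.length,
        periodSeconds: Math.round(mean),
        cv: Number(cv.toFixed(3)),
        bytesOut: events.reduce((a, e) => a + e.bytes, 0),
      });
    }
  }
  return hits;
}

console.log(findBeacons(SAMPLE_LOG));
```

Legitimate software that polls a server on a fixed schedule (update checks, telemetry) will show up in the same way, so treat the output as a triage list to cross-check against the destination, the process that generated the traffic and the volume sent, not as a verdict.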
any Payload (Known as a part of the BeaverTail malware)
Purpose: This payload modifies the AnyDesk configuration to maintain remote control over the victim’s system and sends the updated configuration back to the attackers.
Techniques: The script alters AnyDesk settings on Windows and macOS to allow ongoing remote access while hiding its presence.
Malware Techniques: How It Stays Undetected
The malware uses several techniques to evade detection:
- Code Obfuscation: Commands and scripts are hidden behind Base64 encoding and non-descriptive variable names.
- Dynamic Execution: The malware’s true function is only revealed at runtime, which helps it evade static code analysis.
- Continuous Data Exfiltration: Data is sent to the C2 server at regular intervals, so compromised systems leak data continuously.
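As an added illustration of how these traits can be surfaced before any dynamic analysis (this is example code written for this article, not code from the investigation or from the malware), the JavaScript below runs a handful of regular-expression heuristics over Node.js source text: short string literals joined with +, long Base64-looking literals, Base64 decoding calls, charCodeAt ^ XOR decode loops, eval / new Function dynamic execution, and child_process use. Each hit adds to a score. The two input snippets, one built to resemble the obfuscation pattern and one benign, are constructed for the example; the regular expressions, weights and threshold are assumptions that would need tuning on real code.

```javascript
// Added example, not code from the original write-up: a heuristic triage
// scanner for Node.js source text. The patterns, weights and threshold
// below are assumptions chosen for illustration.

const HEURISTICS = [
  {
    id: 'split-string-concat',
    desc: 'three or more short string literals joined with + (split keywords)',
    re: /(['"][^'"]{1,4}['"]\s*\+\s*){3,}['"][^'"]{1,4}['"]/g,
    weight: 2,
  },
  {
    id: 'base64-blob',
    desc: 'string literal of 64+ Base64 alphabet characters',
    re: /['"][A-Za-z0-9+/]{64,}={0,2}['"]/g,
    weight: 2,
  },
  {
    id: 'base64-decode',
    desc: 'Buffer.from(..., "base64") or atob()',
    re: /Buffer\.from\([^)]*,\s*['"]base64['"]\s*\)|\batob\s*\(/g,
    weight: 1,
  },
  {
    id: 'xor-decode',
    desc: 'charCodeAt(...) XORed with something (XOR string decoding)',
    re: /charCodeAt\([^)]*\)\s*\^/g,
    weight: 3,
  },
  {
    id: 'dynamic-exec',
    desc: 'eval, new Function or vm.runInThisContext',
    re: /\beval\s*\(|new\s+Function\s*\(|runInThisContext\s*\(/g,
    weight: 3,
  },
  {
    id: 'child-process',
    desc: 'child_process require or exec/spawn call',
    re: /require\(\s*['"]child_process['"]\s*\)|\b(?:exec|spawn|execSync|spawnSync)\s*\(/g,
    weight: 1,
  },
];

const SUSPICIOUS_THRESHOLD = 6;

// Scan one source file's text; returns the score, the matched heuristics
// and a coarse verdict. Hit counts are capped at 3 per heuristic so one
// pattern repeated a thousand times does not dominate the score.
function scanSource(src) {
  const findings = [];
  let score = 0;
  for (const h of HEURISTICS) {
    const matches = src.match(h.re);
    if (!matches) continue;
    findings.push({ id: h.id, count: matches.length, desc: h.desc });
    score += h.weight * Math.min(matches.length, 3);
  }
  return {
    score,
    findings,
    verdict: score >= SUSPICIOUS_THRESHOLD ? 'suspicious' : 'low',
  };
}

// Constructed input that imitates the obfuscation traits (inert text that
// is only scanned, never executed): split literal, Base64 blob, XOR loop,
// new Function.
const SUSPICIOUS_SAMPLE = `
const m = 'ch' + 'il' + 'd_' + 'pr' + 'oc' + 'ess';
const blob = '${'QUJD'.repeat(20)}';
const dec = Buffer.from(blob, 'base64').toString();
let out = '';
for (let i = 0; i < dec.length; i++) {
  out += String.fromCharCode(dec.charCodeAt(i) ^ 0x2a);
}
new Function(out)();
`;

// Constructed benign input for comparison.
const BENIGN_SAMPLE = `
const fs = require('fs');
const text = fs.readFileSync('notes.txt', 'utf8');
console.log(text.length + ' characters');
`;

console.log(JSON.stringify(scanSource(SUSPICIOUS_SAMPLE), null, 2));
console.log(JSON.stringify(scanSource(BENIGN_SAMPLE), null, 2));
```

The heuristics match on syntax rather than on any particular sample, so a minifier or a legitimate bundler can trip them; the intended use is to rank the files of a suspicious repository for manual review, not to block on a score.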
Protecting Yourself
To stay protected, consider these measures:
Verify Recruiters and Companies
Always confirm the legitimacy of recruiters and companies before engaging. Be cautious with unsolicited job offers or requests to download files, especially executable ones.
Use Up-to-Date Security Software
Ensure your antivirus and anti-malware software is current and regularly scan your systems to detect and remove threats.
Exercise Caution with Emails and Attachments
Be extremely cautious with links and attachments in unsolicited emails or messages. Verify the sender’s authenticity before interacting with any content.
Implement Advanced Security Solutions
- Threat Intelligence: Use tools like Group-IB’s Threat Intelligence for advanced insights into emerging threats, enabling early risk identification and proactive defense.
- Digital Risk Protection: Implement a DRP solution to detect and address brand impersonation, mitigating risks posed by unauthorized entities exploiting your brand’s identity.
Regular Employee Training
Conduct regular cybersecurity training to help employees recognize phishing and social engineering tactics, and understand the importance of not sharing sensitive information.
About the Author
Alexandre Wagner
Threat Analyst at Defants
Passionate about computer security for many years, Alexandre earned his master’s degree from Epitech with a Title of Expert in Software Engineering. After several experiences as a full-stack developer and low-level software developer, he pursued his professional career by following his passion for computer security. After gaining experience as a security engineer and pentester, Alexandre is now part of our Threat Analyst and Threat Intelligence team.
You can connect with him on LinkedIn.