The Lazarus Group from North Korea continues to use Astrill VPN to obscure their IP addresses during cyber attacks. Recent findings confirm that both the “Contagious Interview” subgroup and DPRK Fake IT workers employ this VPN to hide their activities. Silent Push has compiled a real-time updated list of Astrill VPN IP addresses to help protect users from these threats. Affected: North Korean threat actors, Lazarus Group, cybersecurity sector
Key points:
- Multiple North Korean threat actors from the Lazarus Group are utilizing Astrill VPN to conceal their IP addresses during attacks.
- The “Contagious Interview” subgroup confirmed the use of Astrill VPN through acquired infrastructure and logs.
- Silent Push analysts corroborate previously published details by Mandiant regarding DPRK Fake IT worker threats using Astrill VPN.
- Astrill VPN is favored by various subgroups of the Lazarus Group for location obfuscation during cyber operations.
- Silent Push provides a “Bulk Data Feed” of mapped Astrill VPN IPs for its customers to enhance security.
- A domain registered shortly before the ByBit heist was linked to Astrill VPN IPs used in the attack.
- Silent Push continues tracking Astrill VPN usage and reports findings to the security community.
- Enterprise subscriptions can access Indicators of Future Attacks (IOFA) Feeds related to North Korean APT groups.
MITRE Techniques:
- T1071: Application Layer Protocol – The Lazarus Group uses Astrill VPN to control communication through application layer protocols.
- T1040: Network Sniffing – The use of Astrill VPN implicitly involves techniques to hide and analyze network traffic for malicious purposes.
Indicators of Compromise:
- [Domain] bybit-assessment[.]com
- [IP Address] 104.223.97[.]2
- [IP Address] 91.239.130[.]102
- [URL] astrill[.]com
- [IP Address] 103.130.145[.]210
Full Story: https://www.silentpush.com/blog/astrill-vpn/