Threat Actor BlueNoroff Drains Cryptocurrency Startup Accounts
BlueNoroff, a unit of the Lazarus group, has developed complex infrastructure, exploits and malware implants for a campaign against cryptocurrency startups.
Kaspersky security researchers have uncovered a series of attacks by Advanced Persistent Threat (APT) actor BlueNoroff on small and medium-sized businesses worldwide. The victims suffered large cryptocurrency losses in the process. Dubbed 'SnatchCrypto', the campaign targets various companies involved in cryptocurrencies as well as smart contracts, DeFi, blockchain and the FinTech industry.
In the latest campaign by threat actor BlueNoroff, the attackers exploited the trust of employees at target companies by sending them a full-fledged Windows backdoor with monitoring capabilities, disguised as a "contract" or other business document. To empty a victim's crypto wallet, the actor has built extensive malicious resources, including complex infrastructure, exploits and malware implants.
BlueNoroff and Lazarus
BlueNoroff is part of the Lazarus Group and draws on its diversified structure and sophisticated attack tooling. The group is known for attacks on banks and on servers connected to SWIFT, and has even set up front companies that developed cryptocurrency software [2]: customers installed the legitimate-looking applications and, some time later, received an update that contained a backdoor.
This branch of the APT group has since turned to cryptocurrency startups. Most cryptocurrency companies are small or medium-sized startups that cannot invest much in internal security. Lazarus has recognized this and exploits it with sophisticated social engineering.
BlueNoroff pretends to be a venture capital firm
To gain the victim's trust, BlueNoroff poses as a venture capital firm. Kaspersky researchers identified more than 15 venture capital firms whose brand names and employee names were misused during the SnatchCrypto campaign. According to the researchers, the real firms have no involvement in the attack or the emails. The attackers chose the startup crypto scene for a specific reason: startups routinely receive letters and files from unknown senders, so a contract or other business document arriving from a venture firm is entirely plausible. The Lazarus APT actor uses this as the lure that gets victims to open the email attachment, a macro-enabled document.
Opened offline, such a document is harmless. If the computer is connected to the Internet when the file is opened, however, a second macro-enabled document is downloaded onto the victim's machine and the malware is installed from there. A sandbox without network access will therefore see nothing suspicious; to observe the second stage the document has to be detonated with network access (or the fetch has to be emulated).
BlueNoroff uses comprehensive attack methodology
The BlueNoroff APT group has several methods in its compromise arsenal and builds the infection chain to fit the situation. Besides malicious Word documents, the actor also distributes malware disguised as Windows shortcut (.lnk) files inside ZIP archives. When launched, the shortcut sends basic information about the victim's machine to the attackers and retrieves a PowerShell agent that acts as a backdoor. Through that backdoor BlueNoroff deploys further tools to monitor the victim: a keylogger and a screenshot tool.
The attackers then track their victims for weeks or months, collecting keystrokes and watching the user's daily activity while they plan the theft. Once they find a high-value target who manages crypto wallets with a popular browser extension (such as MetaMask), they replace the extension's main component with a fake version.
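The two delivery paths above (a document that only becomes dangerous once it can reach the Internet, and a ZIP-wrapped shortcut) can be triaged statically before anyone opens them. The following is an example added for this page, not Kaspersky's or the actor's code. It assumes that the online fetch is expressed as an external relationship inside the document package, which is the usual way a Word file pulls a second document at open time; the page does not name the mechanism BlueNoroff used. All sample files are constructed in memory and are not campaign artefacts.

```python
"""Static triage of email attachments: OOXML documents that reach out to the
network when opened, embedded VBA projects, and ZIP archives carrying Windows
shortcut files. Example added for this page; samples below are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# On-disk header of a Windows shell link: HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its mixed-endian layout.
LNK_MAGIC = bytes.fromhex("4c 00 00 00 01 14 02 00 00 00 00 00 c0 00 00 00 00 00 00 46")


def _external_fetches(rels_xml: bytes) -> list[str]:
    """Targets Office resolves on open: any External relationship other than a
    plain hyperlink (hyperlinks fire only when the user clicks them)."""
    try:
        root = ET.fromstring(rels_xml)
    except ET.ParseError:
        return []
    targets = []
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        if rel.get("Type", "").endswith("/hyperlink"):
            continue
        target = rel.get("Target", "")
        # http(s) URLs and UNC paths are both fetched over the network
        if target.lower().startswith(("http://", "https://", "\\\\")):
            targets.append(target)
    return targets


def triage(blob: bytes) -> list[str]:
    """Return human-readable findings for one attachment (document or archive)."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return ["not a ZIP container; OOXML document or archive expected"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            low = name.lower()
            data = z.read(name)
            if low.endswith(".rels"):
                for target in _external_fetches(data):
                    findings.append(f"{name}: fetches {target} when opened")
            if low.endswith("vbaproject.bin"):
                findings.append(f"{name}: embedded VBA project (macros)")
            # match by magic as well as extension, so a renamed .lnk is caught
            if low.endswith(".lnk") or data.startswith(LNK_MAGIC):
                findings.append(f"{name}: Windows shortcut file inside archive")
    return findings


def _zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


_RELS = ('<?xml version="1.0" encoding="UTF-8"?><Relationships '
         'xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
         '{}</Relationships>')
_OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed samples: a document whose settings point at a remote template,
# a clean document containing only a clickable hyperlink, and two archives
# carrying a shortcut, once by extension and once renamed to look like a PDF.
SAMPLE_REMOTE_DOC = _zip({
    "word/document.xml": b"<w:document/>",
    "word/_rels/settings.xml.rels": _RELS.format(
        f'<Relationship Id="rId1" Type="{_OFFICE}attachedTemplate" '
        'Target="https://example.invalid/contract.dotm" TargetMode="External"/>'
    ).encode(),
})
SAMPLE_CLEAN_DOC = _zip({
    "word/document.xml": b"<w:document/>",
    "word/_rels/document.xml.rels": _RELS.format(
        f'<Relationship Id="rId2" Type="{_OFFICE}hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
    ).encode(),
})
SAMPLE_LNK_ZIP = _zip({"Contract.pdf.lnk": LNK_MAGIC + bytes(56), "notes.txt": b"x"})
SAMPLE_RENAMED_LNK_ZIP = _zip({"Contract.pdf": LNK_MAGIC + bytes(56)})

if __name__ == "__main__":
    for label, blob in [("remote-template doc", SAMPLE_REMOTE_DOC),
                        ("clean doc", SAMPLE_CLEAN_DOC),
                        ("zip with .lnk", SAMPLE_LNK_ZIP),
                        ("zip with renamed .lnk", SAMPLE_RENAMED_LNK_ZIP)]:
        print(f"{label}: {triage(blob) or 'no findings'}")
```

Run it over the attachment before it reaches a user; a document with no findings can still carry a macro that does everything locally, so this is a filter for the online-fetch pattern described above, not a general malware verdict.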
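One check a defender can run for the component swap described above, as an added example (not MetaMask's or Kaspersky's code): hash every file in the installed extension directory and compare against a baseline taken from a trusted copy of the extension package, stored somewhere the browser profile cannot reach. The directory layout and the tampering scenario in `demo()` are constructed for illustration.

```python
"""Out-of-band integrity check for an installed browser-extension directory.
Example added for this page; the extension tree below is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map relative file path -> SHA-256 for every file under root."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live directory against a baseline taken from a trusted copy."""
    current = snapshot(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean extension, then swap its main
    script and drop an extra file, as an attacker replacing a component would."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "wallet-extension"
        (ext / "scripts").mkdir(parents=True)
        (ext / "manifest.json").write_text(json.dumps({"name": "wallet", "version": "1.0"}))
        (ext / "scripts" / "background.js").write_text("// legitimate background script\n")
        baseline = snapshot(ext)  # in practice: taken from the package, kept off-host
        (ext / "scripts" / "background.js").write_text("// replaced component\n")
        (ext / "scripts" / "inject.js").write_text("// file that was not in the package\n")
        return verify(ext, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must come from the extension package itself, not from anything the browser reports about the installed copy: the page describes the attackers replacing the extension's main component in place, so the profile on disk is exactly the thing under suspicion.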
Transaction process is intercepted and altered
According to Kaspersky experts, the attackers are notified as soon as a large transfer is detected. When the compromised user initiates a transfer to another account, the fake extension component intercepts the transaction flow and inserts the attackers' own logic. The user sees the transfer they intended and clicks "Approve" to complete it; at that moment the injected code changes the recipient address and raises the amount to the maximum available, and the wallet is emptied in a single transaction.
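The mechanism described above, modelled as an added example (not MetaMask code and not a reconstruction of the actor's implant): the user approves one transaction, injected logic alters it after approval, and the signer signs whatever object it is handed. The hardened flow binds the signature to an immutable snapshot of what was approved and refuses to sign anything else. Addresses, amounts and `drain_hook` are constructed placeholders.

```python
"""Approve-then-tamper-then-sign, modelled with plain dicts. Example added
for this page; it is a simplified stand-in for a wallet's approval flow."""
import hashlib
import json
from dataclasses import asdict, dataclass

ATTACKER = "0x" + "dead" * 10   # placeholder recipient controlled by the attacker
MERCHANT = "0x" + "beef" * 10   # placeholder recipient the user meant to pay


@dataclass(frozen=True)
class ApprovedTx:
    """Immutable record of exactly the fields the user saw and approved."""
    to: str
    value_wei: int
    nonce: int


def _digest(tx: dict) -> str:
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()


def drain_hook(tx: dict, balance_wei: int) -> None:
    """Constructed model of the injected logic: after Approve, redirect the
    payment to the attacker and raise the amount to the whole balance."""
    tx["to"] = ATTACKER
    tx["value_wei"] = balance_wei


def sign_vulnerable(tx: dict, balance_wei: int, hooks) -> dict:
    """Displays tx, lets other code run, then signs the live (mutable) object."""
    displayed = dict(tx)               # what the Approve dialog showed
    for hook in hooks:                 # injected code runs after the click
        hook(tx, balance_wei)
    return {"signed": dict(tx), "matches_display": tx == displayed}


def sign_hardened(tx: dict, balance_wei: int, hooks) -> dict:
    """Signs only the snapshot taken at approval; fails closed on any change."""
    approved = ApprovedTx(**tx)
    approved_digest = _digest(tx)
    for hook in hooks:
        hook(tx, balance_wei)
    if _digest(tx) != approved_digest:
        raise ValueError("transaction changed after approval; refusing to sign")
    return {"signed": asdict(approved), "matches_display": True}


def run_scenario(balance_wei: int = 10**18) -> dict:
    """Same intended payment through both flows with the drain hook active."""
    intended = {"to": MERCHANT, "value_wei": 10**17, "nonce": 7}
    vulnerable = sign_vulnerable(dict(intended), balance_wei, [drain_hook])
    try:
        hardened = sign_hardened(dict(intended), balance_wei, [drain_hook])
    except ValueError as err:
        hardened = {"refused": str(err)}
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The caveat for the case on this page: when the extension's main component has itself been replaced, a check like `sign_hardened` is attacker code too and proves nothing. It only helps when the approval display and the signer live in a component the attacker has not replaced, which is why the final recipient and amount should be confirmed on something outside the compromised browser before a large transfer.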
“As attackers continue to find new ways of digital compromise, even small businesses should train their employees in basic cybersecurity practices,” said Seongsu Park, senior security researcher in Kaspersky's Global Research and Analysis Team (GReAT). “Particularly when companies are using cryptocurrencies, it is important to note that they are an attractive target for APT actors and cybercriminals. Therefore, this area is particularly worthy of protection.”
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/