They empty the accounts in one fell swoop!
Cybersecurity experts have uncovered attacks by the advanced persistent threat (APT) group BlueNoroff against small and medium-sized companies around the world, which have led to large cryptocurrency losses.
The campaign, called SnatchCrypto, targets companies in the cryptocurrency, smart contract, DeFi, blockchain and FinTech industries, as well as other companies with an interest in them.
In BlueNoroff’s latest campaign, the attackers abuse the trust of employees at target companies by sending them a full-featured Windows backdoor with surveillance functions disguised as a “contract” or other business file, experts from the cybersecurity company Kaspersky said.
The attackers have built an extensive and dangerous toolkit consisting of complex infrastructure, exploits and malware implants to empty the victims’ crypto wallets.
BlueNoroff is part of the Lazarus group and draws on its varied infrastructure and advanced attack techniques. The Lazarus APT group is known for attacks on banks and on servers connected to SWIFT, and has set up fake companies that develop cryptocurrency software.
Deceived customers installed these seemingly legitimate applications, and after a while updates containing a backdoor were delivered to them. The attacks on cryptocurrency startups followed. Since most cryptocurrency businesses are small or medium-sized startups, they cannot invest much in internal security. The attackers exploit this weakness with elaborate social-engineering schemes.
ACTING LIKE A VENTURE CAPITAL COMPANY
BlueNoroff poses as an existing venture capital firm to earn the victim’s trust. Kaspersky researchers have uncovered more than 15 cases in which a real firm’s brand name and employee names were misused during the SnatchCrypto campaign. Kaspersky experts also believe that the real companies have nothing to do with these attacks or emails. Startups often receive letters or files from unfamiliar sources; for example, a venture firm sends them a contract or other business-related files. The APT actor uses this as bait to get victims to open the attached macro-enabled document.
If the document is opened offline, the file does nothing dangerous: it most likely looks like a copy of a contract or some other innocuous document. However, if the computer is connected to the internet when the file is opened, another macro-enabled document is fetched and the malware is deployed on the victim’s device.
MALWARE HIDDEN IN WORD AND WINDOWS SHORTCUT FILES
This APT group has several methods of infecting systems and combines different infection chains depending on the situation. The attackers spread weaponized Word documents, as well as malware disguised as compressed Windows shortcut files. The victim’s general system information is then sent to a PowerShell agent, which installs a full-featured backdoor. Using it, BlueNoroff deploys a keylogger and a screenshot grabber along with other malicious tools to monitor the victim.
The attackers then track the victims for weeks or months: they collect keystrokes and monitor the user’s daily operations while planning a strategy for the financial theft. After identifying a prominent target that uses a popular browser extension to manage crypto wallets (such as the MetaMask extension), they replace the extension’s main component with a tampered version.
EMPTIES ACCOUNTS WITH A SINGLE MOVE
According to the researchers, the attackers receive a notification when they discover large transfers. When the compromised user tries to transfer funds to another account, they intercept the transaction and inject their own logic. When the user clicks the “confirm” button to complete the initiated payment, the cybercriminals change the recipient’s address and maximize the transaction amount, so the account is emptied in a single move.
Seongsu Park, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT), says:
“As attackers are constantly discovering new ways to deceive and exploit others, small businesses must educate their employees on basic cybersecurity practices. This is especially important when the company works with crypto wallets. There’s nothing wrong with using cryptocurrency services and extensions, but keep in mind that they are an attractive target for both APT groups and cybercriminals. Therefore, this sector needs to be well protected.”