With the arrival of cryptocurrency in everyday life came attacks and thefts. Research is also revealing how the attackers operate.
Protecting accounts in the cryptocurrency market has become a pressing issue. Kaspersky experts researching this topic have uncovered attacks by the advanced persistent threat (APT) group BlueNoroff that led to massive cryptocurrency losses at small and medium-sized companies around the world.
According to Kaspersky’s statement, the campaign, called SnatchCrypto, targets cryptocurrencies, smart contracts, DeFi, the blockchain and FinTech industries, and various companies interested in them.
In BlueNoroff’s latest move, attackers abuse the trust of target companies’ employees by sending them a full-featured Windows backdoor with surveillance functions under the guise of a “contract” or other business file.
ATTACKERS TARGET CRYPTOCURRENCY WALLETS
The attackers have built extensive and dangerous resources, consisting of complex infrastructure, exploits and malware implants, to empty the victims’ crypto wallets.
BlueNoroff is part of the Lazarus group and draws on its structures and advanced attack techniques. The Lazarus APT group is known for attacks on banks and SWIFT-connected servers, and for setting up fake companies to develop cryptocurrency software.
DEFENSE OF SMALL CRYPTOCURRENCY ENTERPRISES IS NOT ENOUGH
Deceived customers were induced to install seemingly legitimate applications, and after a while updates were delivered through the backdoor. Attacks on cryptocurrency startups followed. Since most cryptocurrency businesses are small or medium-sized startups, they cannot invest much in internal security systems. The attackers exploit this weakness through elaborate social engineering schemes.
BlueNoroff impersonates an existing venture capital firm to earn the victim’s trust. Kaspersky researchers have uncovered more than 15 instances of brand names and employee names being misused during the SnatchCrypto campaign.
THE FORM OF THE ATTACKS HAS BEEN DETERMINED
The APT group has several methods of infecting systems and combines different infection chains depending on the situation. The attackers distribute weaponized Word documents, as well as malware disguised as compressed Windows shortcut files. General information about the victim is then sent to a PowerShell agent, which establishes a full-featured backdoor. Through it, BlueNoroff deploys a keylogger and a screenshot grabber, further malicious tools used to monitor the victim.
The attackers then track the victims for weeks or months, collecting keystrokes and monitoring the user’s daily transactions while planning the theft. Once they identify a clear target that uses a popular browser extension to manage crypto wallets (such as the MetaMask extension), they replace the main component of the extension with a fake version.
According to the researchers, the attackers receive a notification when large transfers occur. When the compromised user tries to transfer funds to another account, they intercept the transaction process and inject their own intermediaries.
When the user clicks the “confirm” button to complete the initiated payment, the cybercriminals change the recipient’s address and maximize the transaction amount, emptying the account in a single move.
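As an added defensive example that is not part of the Kaspersky report or this article: a baseline-and-verify integrity check over an unpacked browser-extension directory, which would flag the kind of extension component replacement described above. The directory name and file contents are constructed for the demo; real extension locations are browser-specific.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large bundles are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(ext_dir: Path) -> dict:
    """Record the hash of every file under an unpacked extension directory."""
    return {
        p.relative_to(ext_dir).as_posix(): hash_file(p)
        for p in sorted(ext_dir.rglob("*"))
        if p.is_file()
    }


def verify_extension(ext_dir: Path, baseline: dict) -> dict:
    """Compare the directory against a trusted baseline taken at install time."""
    current = build_baseline(ext_dir)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline, then detect a swapped component."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "hypothetical-wallet-extension"  # placeholder path
        ext.mkdir()
        (ext / "manifest.json").write_text(json.dumps({"name": "wallet", "version": "1.0"}))
        (ext / "background.js").write_text("// original background script\n")
        baseline = build_baseline(ext)
        # Constructed change standing in for a replaced extension component.
        (ext / "background.js").write_text("// different content\n")
        (ext / "inject.js").write_text("// file not in baseline\n")
        return verify_extension(ext, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the browser profile and checked on a schedule, since a tampered component can otherwise sit unnoticed until a large transfer is made.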
“CRYPTO CURRENCY SERVICES NEED TO BE WELL PROTECTED”
Seongsu Park, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said that while attackers are constantly discovering new ways to deceive and exploit others, small businesses need to educate their employees in basic cybersecurity practices. He added: “It is especially important that the company works with crypto wallets. There’s nothing wrong with using cryptocurrency services and extensions, but keep in mind that it’s an attractive target for both APT and cybercriminals. Therefore, this sector needs to be well protected.”