The cryptocurrency accounts of several SMEs were emptied in computer attacks, and the losses were substantial. Kaspersky experts have uncovered a series of Advanced Persistent Threat (APT) attacks by BlueNoroff against small and medium-sized companies around the world that have led to major cryptocurrency losses for the victims. The campaign, named SnatchCrypto, targets companies that by the nature of their work deal with cryptocurrencies and smart contracts, DeFi, blockchain and the FinTech industry. In the latest BlueNoroff campaign, the attackers subtly exploited the trust of employees at the target companies by sending them a Windows backdoor with surveillance functions, disguised as a “contract” or other business document. To eventually empty the victim’s crypto wallet, the attackers built extensive and dangerous resources: complex infrastructure, exploits and malware implants.
BlueNoroff is part of the Lazarus group and draws on its diverse structure and sophisticated attack techniques. The Lazarus APT group is known for attacks on banks and on servers connected to SWIFT, and has even set up fake companies that developed cryptocurrency software. Deceived customers installed legitimate-looking applications and, after a while, received updates that contained a backdoor.
Now this “branch” of the Lazarus group has begun attacking cryptocurrency start-ups. Because most cryptocurrency businesses are small or medium-sized start-ups, they cannot invest much in their internal security. The attackers understand this and take advantage of it with elaborate social engineering schemes. To gain the victim’s trust, BlueNoroff poses as a venture capital investment firm. Kaspersky researchers have identified more than 15 companies whose brands and employee names were abused during the SnatchCrypto campaign; they believe that none of these real companies has anything to do with the attack or the e-mails sent. Cryptocurrency start-ups were chosen by the criminals for one simple reason: such companies routinely receive messages and files from unknown senders.
If the document is opened offline, there is no danger: it most likely looks like a copy of a contract or some other harmless document. But if the computer is connected to the Internet when the file is opened, a second, macro-enabled document is downloaded to the victim’s device and deploys the malware. The group has several infection methods in its arsenal and assembles the infection chain to suit the situation. Besides malicious Word documents, the actor also distributes malware disguised as archived Windows shortcut (.lnk) files. These send general information about the victim to a PowerShell agent, which then installs a full-featured backdoor. Through it, BlueNoroff deploys further tools to monitor the victim: a keylogger and a screenshot grabber.
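The lure described above is harmless offline but fetches a second, macro-enabled document as soon as the machine is online. One mechanism that behaves exactly this way is a Word document whose attached template points at a remote URL; the article does not name the mechanism, so treating it as remote template injection is an assumption here. The following is an added triage example, not Kaspersky’s code or anything recovered from the campaign: it unpacks a .docx, reports every external relationship, flags an attached template fetched over HTTP(S), and notes whether a VBA project is embedded. The sample document it inspects is constructed inline and the template URL is a placeholder.

```python
"""Added triage check: does a .docx pull a remote (attached) template, and does it
carry a VBA project? The .docx it inspects is constructed inline for the demo."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def scan_docx(data: bytes) -> dict:
    """Inspect an Office Open XML package (bytes) for remote-template and macro indicators.

    Every *.rels part is parsed; relationships with TargetMode="External" are
    collected, and an external attachedTemplate pointing at http(s) is flagged.
    """
    findings = {
        "remote_templates": [],    # http(s) URLs an attachedTemplate relationship points to
        "external_rels": [],       # (rels part, relationship type, target) for all external rels
        "has_vba_project": False,  # a vbaProject.bin part means embedded macros
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type, target = rel.get("Type", ""), rel.get("Target", "")
                findings["external_rels"].append((name, rel_type, target))
                if rel_type == ATTACHED_TEMPLATE and re.match(r"^https?://", target, re.I):
                    findings["remote_templates"].append(target)
    return findings


def is_suspicious(findings: dict) -> bool:
    """A document that fetches its template over HTTP, or embeds VBA, warrants a closer look."""
    return bool(findings["remote_templates"]) or bool(findings["has_vba_project"])


def build_sample_docx(template_url: str = "") -> bytes:
    """Constructed minimal .docx for the demo (not a real sample from the campaign).

    When template_url is given, word/_rels/settings.xml.rels declares an external
    attachedTemplate relationship, which Word resolves when the file is opened.
    """
    rels: List[str] = ['<?xml version="1.0" encoding="UTF-8"?>',
                       f'<Relationships xmlns="{PKG_REL_NS}">']
    if template_url:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: an assumption for the demo, not an indicator from the campaign.
    lure = build_sample_docx("http://template.example.invalid/contract.dotm")
    print(scan_docx(lure), is_suspicious(scan_docx(lure)))
    print(scan_docx(build_sample_docx()), is_suspicious(scan_docx(build_sample_docx())))
```

The check is deliberately static: it never resolves the URL, so it can run in a sandbox or mail gateway without contacting attacker infrastructure. A clean document will still have external relationships (hyperlinks, for instance), which is why only the attached-template type is treated as a red flag on its own.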
The attackers then track the victims for weeks or months, logging keystrokes and monitoring their daily operations while planning the theft. When they find an important target who uses a popular browser extension to manage crypto wallets (for example, the MetaMask extension), they replace the extension’s main component with a fake version. According to the researchers, the attackers are notified when they detect large transfers. When the compromised user tries to transfer funds to another account, the attackers intercept the transaction process and inject their own logic. The user clicks the “approve” button to complete the payment they initiated; at that moment the criminals change the recipient address and raise the amount to the maximum, emptying the account in one go.
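Because the swap described above happens on disk, in the unpacked extension files inside the browser profile, a defender can catch it with a file-integrity baseline of the extension directory. The following is an added example, not Kaspersky’s code or part of the campaign: it hashes every file under an extension directory, records the result as a baseline, and later reports files that were added, removed or modified. The extension directory, its file names and their contents are constructed inline for the demo; the real path of the wallet extension in a given browser profile is an assumption the reader has to supply.

```python
"""Added example: a SHA-256 baseline of an unpacked browser extension, re-checked
later to catch a swapped component. Paths and file contents below are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256 hex digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed, or changed relative to the recorded baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean extension directory, then swap its main script.

    In a real deployment the baseline is taken from a known-good install (for example
    right after the extension is installed from the store), stored off-host, and the
    comparison is re-run periodically against the live profile directory.
    """
    with tempfile.TemporaryDirectory() as ext_dir:
        clean = {
            "manifest.json": b'{"name": "wallet-extension", "version": "1.0.0"}\n',
            "background.js": b"// original extension logic\n",
            "content.js": b"// original content script\n",
        }
        for rel, body in clean.items():
            with open(os.path.join(ext_dir, rel), "wb") as fh:
                fh.write(body)
        baseline = hash_tree(ext_dir)

        # Tampering as described in the article: the main component is replaced.
        with open(os.path.join(ext_dir, "background.js"), "wb") as fh:
            fh.write(b"// replaced component that rewrites recipient and amount\n")

        return compare_to_baseline(baseline, hash_tree(ext_dir))


if __name__ == "__main__":
    print(demo())  # expected: background.js listed under "modified"
```

Two caveats a practitioner should keep in mind: the baseline itself must live somewhere the attacker cannot rewrite, since an actor with weeks of keylogger access on the host can also edit a local hash file; and a file-level check only covers the on-disk swap the article describes, not logic injected at runtime, so it complements rather than replaces verifying the recipient address on the hardware wallet or signing prompt before approving.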