Kaspersky uncovers APT actor BlueNoroff targeting cryptocurrency startups

Global cybersecurity solutions company Kaspersky discovered that advanced persistent threat (APT) actor BlueNoroff has been stealing cryptocurrency in a campaign now known as SnatchCrypto. The attacks are aimed at small companies that deal with cryptocurrencies, smart contracts, decentralized finance (DeFi), blockchain and the FinTech industry.

According to Kaspersky's research, BlueNoroff, considered the financial arm of the larger and well-known Lazarus group, sends a full-featured Windows backdoor with surveillance functions to unsuspecting employees of these small businesses under the guise of a "contract" or another business document. The APT actor built a complex infrastructure that allows it to launch exploits and execute malware implants.

“As attackers continuously come up with a lot of new ways to trick and abuse, even small businesses should educate their employees on basic cybersecurity practices,” said Seongsu Park, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “It is especially essential if the company works with crypto wallets: there is nothing wrong with using cryptocurrency services and extensions, but note that it is also an attractive target for APT and cybercriminals alike. Therefore, this sector needs to be well protected.”


True to its "niche" of attacking the financial sector, this Lazarus branch aims its attacks at cryptocurrency startups. Kaspersky said most startups, being small businesses, don't have strong cybersecurity defenses, as their resources are earmarked for building the company. With full knowledge of this weakness, BlueNoroff resorted to "elaborate social engineering tactics."

BlueNoroff also infected a bank in Myanmar during the third quarter of 2019.

Venture capital firms

And how else to pique the interest of a startup than by posing as a big venture capital firm? Kaspersky researchers uncovered over 15 venture businesses whose brand names and employee names were abused during the SnatchCrypto campaign. Kaspersky experts believe the real companies have nothing to do with the attack or the emails. The start-up crypto sphere was chosen for a reason: startups often receive letters or files from unfamiliar sources. A venture company may, for example, send them a contract or other business-related files. The APT actor uses this as bait to make victims open the email attachment, a macro-enabled document.

This APT group has various methods in its infection arsenal and assembles the infection chain depending on the situation. Besides weaponized Word documents, the actor also spreads malware disguised as zipped Windows shortcut files. The shortcut collects general information about the victim's system and fetches a PowerShell agent, which then installs a full-featured backdoor. Using this, BlueNoroff deploys other malicious tools to monitor the victim: a keylogger and a screenshot taker.

According to the researchers, the attackers monitor the compromised user and receive a notification when they spot a large transfer. When the user attempts to transfer funds to another account, the attackers intercept the transaction process by modifying the Metamask browser extension and injecting their own logic into it. When the user clicks the "approve" button to complete the payment, the injected code changes the recipient's address and maximizes the transaction amount, essentially draining the account in one move.

For organizations’ protection, Kaspersky suggests the following:

  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
  • A tampered Metamask extension is hard to spot by manual inspection unless you are very familiar with the Metamask codebase. However, modifying a Chrome extension leaves a trace: the browser has to be switched to Developer Mode and the Metamask extension installed from a local directory instead of the online store. If the extension comes from the store, Chrome validates the package's digital signature and checks the integrity of its code. So, if you are in doubt, check your Metamask extension and Chrome settings right now.
  • Install anti-APT and EDR solutions that enable threat discovery and detection, investigation and timely remediation of incidents. Give your SOC team access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.
  • Along with proper endpoint protection, dedicated services can help against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks in their early stages before the attackers achieve their goals.
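The Metamask check in the list above can be automated instead of clicking through chrome://extensions. The script below is an added example written for this article, not Kaspersky's tooling: it reads the Chrome profile's preferences JSON and flags any extension that was loaded unpacked via Developer Mode, that is installed from an absolute (non-profile) path, or that calls itself MetaMask without the Web Store install marker. Assumptions, labelled in the code: Chrome keeps per-extension install metadata under `extensions.settings.<id>` in the profile's "Preferences" or "Secure Preferences" file; the integer `location` field follows Chrome's ManifestLocation enum (1 = installed from a .crx via the Web Store, 4 = unpacked from a local directory); store installs carry `"from_webstore": true` and a path relative to the profile's Extensions folder; and `METAMASK_ID` is MetaMask's Web Store ID, which you should verify against the store listing. The sample preferences embedded in the block are constructed for the demonstration.

```python
"""Audit a Chrome profile for a side-loaded (Developer Mode, "unpacked") copy
of the MetaMask extension.

Added example, not Kaspersky's code. Assumptions: extensions.settings.<id>
holds install metadata; `location` follows Chrome's ManifestLocation enum
(1 = .crx from the Web Store, 4 = unpacked local directory); store installs
carry "from_webstore": true and a path relative to <profile>/Extensions.
"""
import json
import os
from pathlib import Path, PurePosixPath, PureWindowsPath

METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"  # assumed Web Store ID of MetaMask
LOCATION_UNPACKED = 4  # ManifestLocation::kUnpacked (assumption, see docstring)

# Default Windows profile locations (assumed); adjust for other profiles/OSes.
_LOCAL = Path(os.environ.get("LOCALAPPDATA", ""))
CANDIDATE_PREF_FILES = [
    _LOCAL / "Google" / "Chrome" / "User Data" / "Default" / "Secure Preferences",
    _LOCAL / "Google" / "Chrome" / "User Data" / "Default" / "Preferences",
]

# Constructed sample of the relevant part of a preferences file: one genuine
# store install of MetaMask, one unpacked copy that merely calls itself
# MetaMask, and one unrelated store extension.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            METAMASK_ID: {
                "from_webstore": True,
                "location": 1,
                "path": "nkbihfbeogaeaoehlefnkodbefgpgknn\\10.0.0_0",
                "manifest": {"name": "MetaMask",
                             "update_url": "https://clients2.google.com/service/update2/crx"},
            },
            "abcdefghijklmnopabcdefghijklmnop": {
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\metamask",
                "manifest": {"name": "MetaMask"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": True,
                "location": 1,
                "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\\1.0_0",
                "manifest": {"name": "Some Other Extension"},
            },
        }
    }
}


def _is_absolute(path: str) -> bool:
    # Store installs are recorded relative to <profile>/Extensions; an
    # absolute path means the extension was loaded from an arbitrary directory.
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def looks_like_wallet(ext_id: str, entry: dict, watch_ids=(METAMASK_ID,)) -> bool:
    # An unpacked copy gets an ID derived from its directory (unless the
    # manifest pins a key), so match on the manifest name as well as the ID.
    name = entry.get("manifest", {}).get("name", "")
    return ext_id in watch_ids or "metamask" in name.lower()


def audit_extensions(prefs: dict) -> list[dict]:
    """Return one finding per extension that appears side-loaded."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        reasons = []
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked via Developer Mode")
        if _is_absolute(entry.get("path", "")):
            reasons.append("install path is absolute: " + entry["path"])
        if looks_like_wallet(ext_id, entry) and not entry.get("from_webstore", False):
            reasons.append("wallet extension without from_webstore marker")
        if reasons:
            findings.append({"id": ext_id,
                             "name": entry.get("manifest", {}).get("name", "<unknown>"),
                             "reasons": reasons})
    return findings


def audit_profile(files=CANDIDATE_PREF_FILES) -> list[dict]:
    """Audit every readable preferences file of the local Chrome profile."""
    findings = []
    for f in files:
        if f.is_file():
            with open(f, encoding="utf-8") as fh:
                findings.extend(audit_extensions(json.load(fh)))
    return findings


if __name__ == "__main__":
    if any(f.is_file() for f in CANDIDATE_PREF_FILES):
        results = audit_profile()
    else:  # no local Chrome profile found: demonstrate on the constructed sample
        results = audit_extensions(SAMPLE_PREFS)
    for r in results:
        print(f"{r['name']} ({r['id']}): " + "; ".join(r["reasons"]))
```

Run it on the workstation whose wallet you are worried about; a genuine store install of MetaMask produces no finding, while an unpacked copy is reported with every reason that applies. Matching on the manifest name matters because an extension loaded from a local directory normally does not keep the Web Store ID, so an ID-only check would miss exactly the case the article describes.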