SnatchCrypto campaign crashes backdoors in crypto startups, DeFi, blockchain networks

January 14, 2022

A new campaign focused on emptying cryptocurrency wallets from organizations in the financial and crypto spaces has been revealed by researchers.

Dubbed SnatchCrypto, the campaign is the work of BlueNoroff, an Advanced Persistent Threat (APT) group believed to be connected to the larger Lazarus APT, Kaspersky researchers said on Thursday.

Lazarus is a North Korean hacking unit linked to cyber attacks on banks and financial services. The APT specializes in SWIFT-based intrusions in countries such as Vietnam, Bangladesh and Taiwan. Along with Cobalt and FIN7, Blueliv recently called the group one of the biggest threats facing FinTech companies today.

“The group [BlueNoroff] seems to function more as a unit within a larger formation of Lazarus attackers, with the flexibility to exploit its vast resources: be it malware implants, exploits or infrastructure,” the researchers explain.

According to Kaspersky, BlueNoroff has carried out a series of attacks against small and medium-sized businesses related to cryptocurrency, virtual assets, blockchain, smart contracts, decentralized finance (DeFi) and FinTech in general.

BlueNoroff is focused on building – and abusing – trust to infiltrate corporate networks. From corporate communication and chats to broader social engineering techniques, the APT spends a lot of time and effort learning about its victims.

In November 2021, Kaspersky said the group had “hunted down and investigated” cryptocurrency startups. BlueNoroff aims to create “maps” of current topics of interest to the target organization, then uses that information as a springboard to launch social engineering attacks that appear legitimate and trustworthy.

“BlueNoroff compromises businesses by accurately identifying the people needed and the topics they are discussing at any given time,” the researchers note. “A document sent from one colleague to another on a subject, which is currently under discussion, is unlikely to raise suspicion.”

For example, an email claiming to be a shared document hosted on Google Drive by a “coworker” might be sent to an employee of a startup. In a sample obtained by Kaspersky, a notification was sent to the attackers when the decoy document was opened.

In another example, an email was disguised as a forward that appeared to have been sent by a coworker, potentially increasing trust because the message looked as though it had already been vetted by someone inside the company.

The APT also impersonates legitimate companies in phishing emails, including Coinsquad, Emurgo, Youbi Capital and Sinovation Ventures.

CVE-2017-0199, a remote code execution (RCE) vulnerability, is used to trigger a remote script from the malicious documents. The exploit retrieves a payload from a URL embedded in these files, and a remote template is also fetched. Combined, these yield base64-encoded binary objects and a VBA macro, which are used to spawn an elevated process before the core payload is executed on the target system.

“Interestingly, BlueNoroff shows improvement in opsec at this point,” Kaspersky said. “The VBA macro does a cleanup by removing binary objects and the reference to the remote template from the original document and saving it to the same file. This essentially disarms the document, leaving investigators scratching their heads during the analysis.”
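A defender-side check for the document chain described above, as an added example that is not part of this article or of Kaspersky's report: it opens an Office Open XML package and reports relationships that point outside the file (such as an externally attached template) and embedded VBA/OLE parts, the artifacts the macro later strips. The sample package, the template URL and the `build_sample_docx` helper are constructed here for illustration; the relationship identifiers are the standard OOXML values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard Office Open XML identifiers (not specific to this campaign)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

def find_external_relationships(docx_bytes):
    """Walk every .rels part and collect relationships with TargetMode="External",
    plus embedded VBA/OLE parts. Returns a list of (part_name, rel_type, target)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter("{%s}Relationship" % REL_NS):
                    if rel.get("TargetMode") == "External":
                        findings.append((name, rel.get("Type"), rel.get("Target")))
            elif name == "word/vbaProject.bin" or name.startswith("word/embeddings/"):
                findings.append((name, "embedded-part", None))
    return findings

def has_remote_template(findings):
    """True if any part attaches a template that lives outside the package."""
    return any(rel_type == ATTACHED_TEMPLATE for _, rel_type, _ in findings)

def build_sample_docx(template_url=None, with_vba=False):
    """Constructed minimal package for testing only; it is not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = ['<Relationships xmlns="%s">' % REL_NS]
        if template_url:
            rels.append('<Relationship Id="rId1" Type="%s" Target="%s" '
                        'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_url))
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00")  # placeholder, not a real VBA project
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample URL; a mail gateway would scan attachments as they arrive.
    sample = build_sample_docx("http://template.example.invalid/t.dotm", with_vba=True)
    for finding in find_external_relationships(sample):
        print(finding)
```

Because the cleanup happens only after the macro runs, the delivered attachment still carries the external template reference, so scanning at the gateway or on the unopened file is where this check pays off.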

Other chains of infection observed include the use of compressed Windows shortcut files or malicious Word documents used to retrieve secondary stage payloads.

At this point, a PowerShell agent is used to deploy a backdoor. The malware is able to connect to its operator’s Command and Control (C2) server, manipulate processes and the registry, execute commands and steal data stored by the Chrome browser, PuTTY and WinSCP. In addition, a secondary backdoor, a keylogger and a screenshot tool can also be launched on the machine.

The final payload is a custom backdoor that has only been seen in attacks carried out by BlueNoroff. This malware collects system and configuration data related to cryptocurrency software and attempts to interpose itself in transactions made from hardware wallets.

Notably, when victims manage their crypto through browser extensions, the MetaMask extension, for example, is tampered with so that the attackers can monitor transactions and choose the right time to strike.

The researchers explained how these attacks take place:

“When the compromised user transfers funds to another account, the transaction is signed on the hardware wallet. However, since the action was initiated by the user at the right time, the user does not suspect anything suspicious and confirms the transaction on the secure device without paying attention to the details of the transaction.

The user doesn’t get too worried when the payment amount they enter is small and the error seems insignificant. However, the attackers not only change the recipient’s address, but also push the amount of currency to the limit, essentially emptying the account in one fell swoop.”

The victims have been located in Russia, Poland, the United States, Hong Kong, Singapore, China and other countries.
