Kaspersky Researchers Detail ‘SnatchCrypto’ Malware Campaign
BlueNoroff, a suspected North Korea-backed nation-state group, is victimizing small and mid-sized cryptocurrency startups in a campaign called “SnatchCrypto,” according to new research published by cybersecurity and antivirus firm Kaspersky.
The threat actors, who have ties to the notorious, North Korea-linked Lazarus group, are known for targeting financial institutions. In 2016, the group launched an attack on Bangladesh Bank that resulted in the loss of $101 million, with $81 million unrecovered. By sending fraudulent messages in the bank’s internal communications system, SWIFT, the attackers were able to install malware on the network (see: Bangladesh Bank Sues to Recover Funds After Cyber Heist).
Kaspersky calls tactics leveraged by the attackers “extensive and dangerous,” and says the latest SnatchCrypto campaign operates through social engineering tactics, such as impersonating phony crypto-related companies or major venture capital firms. Then, attackers contact individuals via social media – usually Twitter or LinkedIn – providing a means to infect the user’s device through spear-phishing, and ultimately breaching the organization’s network, the researchers say.
“The startup crypto sphere was chosen by cybercriminals for a reason: Startups often receive letters or files from unfamiliar sources,” the researchers say, which allows the attackers to more easily transfer infected files.
The researchers recently provided a presentation to walk through the attack scenario and experts weighed in on how robust regulations in the cryptocurrency sphere, as well as security best practices and user education, can lessen the chances of these nation-states conducting cyberattacks.
‘Strong Motivation’ to Disrupt
Park Seongsu, senior security analyst for Kaspersky’s Global Research and Analysis Team (GReAT), detailed the findings of the BlueNoroff investigation in a presentation at Belgium’s Center for Cyber Security. More than 15 businesses, and their employees, had been affected.
Park says the attacks by this APT group will not slow down and that the actors will continue to create ever-evolving tools “with strong motivation” to carry out more cybercrimes.
Ari Redbord, a former senior official at the U.S. Department of the Treasury and an ISMG contributor, says that cryptocurrency businesses are being targeted in cyberattacks of “unprecedented speed and scale.” He says groups such as BlueNoroff are using digital tools to operate bank robbery rings for funding weaponry and other “destabilizing activity.”
“In the age of the internet, a hack meant the loss of PII. In the age of crypto, a hack could cripple a small business or result in the loss of life savings,” says Redbord, who is head of legal and government affairs at blockchain analysis firm TRM Labs. “The same qualities that make crypto such a powerful force for good – permissionless, decentralized, fast, cross-border value transfer – also make it attractive to illicit actors who want to move funds quickly. However, because of the nature of the blockchain, law enforcement has more visibility than ever before to track and trace transactions.”
Michael Fasanello, director of training and regulatory affairs for Blockchain Intelligence Group, says that BlueNoroff is exploiting crypto startups because they oftentimes do not have the means to implement and finance an aggressive security system with the ability to thwart sophisticated social engineering threats.
“Given the lack of overt action from many global regulators, including here in the U.S., data and security best practices and compliance obligations demanded of institutions operating in the traditional finance system have not yet been imposed on businesses operating in the digital assets space,” he says.
Crypto Wallet Strike
After the attackers have successfully fooled victims into opening the macro-enabled documents, BlueNoroff uses an arsenal of tools for reconnaissance, Park says. Initially, the actor might spread malware through a weaponized document with a Windows shortcut file or a PowerShell agent, creating a backdoor entry into the system. From there, BlueNoroff can deploy other malicious tools for monitoring, such as a keylogger or screenshot tool, according to Park.
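Shortcut-file delivery like the one described above leaves a concrete artifact a defender can triage: the .lnk header and its string fields. The following is an added example, not Kaspersky’s code or anything from the report; it walks the Shell Link layout from MS-SHLLINK (76-byte header, optional IDList and LinkInfo blocks, then the StringData fields) and flags shortcuts whose path or arguments launch PowerShell with hidden-window or no-profile switches. The sample .lnk bytes and the indicator strings are constructed for the example.

```python
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# Illustrative triage indicators (an assumption for this example, tune to your environment)
SUSPICIOUS = ("powershell", "pwsh", "-enc", "-w hidden", "windowstyle hidden",
              "-nop", "bypass", "iex", "downloadstring")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:                 # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                           # skip the LinkInfoSize-prefixed block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                                # CountCharacters, then the string (no terminator)
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    return fields


def suspicious_reasons(fields: dict) -> list:
    """Heuristic: which PowerShell launch indicators appear in the shortcut's path or arguments."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    return [s for s in SUSPICIOUS if s in text]


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)  # zeroed remainder
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              '-NoProfile -WindowStyle Hidden -Command "Get-Date"')
    print(suspicious_reasons(parse_lnk_strings(sample)))
```

The same parser can be pointed at shortcuts extracted from a suspicious archive; an empty list from suspicious_reasons only means none of the listed strings matched, not that the file is safe.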
Once they have infiltrated a system, the threat actors collect data on the victim for weeks and sometimes months, mapping the best available path to the organization’s crypto wallets, he says.
When the attack is triggered, the victim sees a notification for a large transaction. To intercept that transaction, the attackers have injected logic into the process, so that if the victim completes the final step and hits the “approve” button, the funds are transferred directly into the actor’s crypto wallet.
‘Cyber Problem, Not a Crypto Problem’
“The administration has made clear that ransomware and malware attacks are a cyber problem, not a crypto problem,” says Redbord, adding that it is essential for businesses to educate employees about related threats, including social engineering, that exploit both network and human vulnerabilities.
Regulators and law enforcement agencies have provided guidance to combat illicit activities associated with ransomware and other cybercrimes, Redbord says.
He cites as examples the Office of Foreign Assets Control’s guidance for the cryptocurrency industry in October and its sanctions on crypto exchange platforms that facilitate the transfer of ill-gotten gains, such as the Russia-based platforms Suex and Chatex. Redbord also says the U.S. Department of Justice formally charged Helix and Bitcoin Fog with money laundering associated with the darknet (see: US Treasury Blacklists Cryptocurrency Exchange Chatex).
“We are likely to see authorities go after this illicit underbelly of the overwhelmingly growing and licit cryptocurrency economy, and we should also expect a focus on working with the private sector to harden cyber defenses,” Redbord says.
Blockchain Intelligence Group’s Fasanello says that until regulators enforce proper measures, including best practices for identity and access management – while leaving room for innovation – these threats will persist.