Operators associated with the Lazarus sub-group BlueNoroff have been linked to a series of cyberattacks targeting small and medium-sized companies worldwide with an aim to drain their cryptocurrency funds, in what’s yet another financially motivated operation mounted by the prolific North Korean state-sponsored actor.
Russian cybersecurity company Kaspersky, which is tracking the intrusions under the name “SnatchCrypto,” noted that the campaign has been running since at least 2017, adding that the attacks are aimed at startups in the FinTech sector located in China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam.
“The attackers have been subtly abusing the trust of the employees working at targeted companies by sending them a full-featured Windows backdoor with surveillance functions, disguised as a contract or another business file,” the researchers said. “In order to eventually empty the victim’s crypto wallet, the actor has developed extensive and dangerous resources: complex infrastructure, exploits and malware implants.”
BlueNoroff, and the larger Lazarus umbrella, are known for deploying a diverse arsenal of malware in multi-pronged assaults on businesses, combining advanced phishing tactics with sophisticated malware to illicitly procure funds for the sanctions-hit North Korean regime and generate revenue for its nuclear weapons and ballistic missile programs.
If anything, these cyber offensives are paying off big time. According to a new report published by blockchain analytics firm Chainalysis, the Lazarus Group has been linked to seven attacks on cryptocurrency platforms that extracted almost $400 million worth of digital assets in 2021 alone, up from $300 million in 2020.
“These attacks targeted primarily investment firms and centralized exchanges […] to siphon funds out of these organizations’ internet-connected ‘hot’ wallets into DPRK-controlled addresses,” the researchers said. “Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out” through mixers to obscure the trail.
Documented malicious activity involving the nation-state actor has taken the form of cyber-enabled heists against foreign financial institutions, notably the SWIFT banking network hacks in 2015-2016, with more recent campaigns deploying a backdoor called AppleJeus that poses as a cryptocurrency trading application in order to plunder victims’ funds and transfer them to attacker-controlled accounts.
The SnatchCrypto attack is no different. It’s part of the actor’s effort to “stalk and study” cryptocurrency companies, devising elaborate social engineering strategies to build trust with targets. The operators pose as legitimate venture capital firms to lure victims into opening malware-laced documents; the embedded payload then retrieves a malicious executable from a remote server over an encrypted channel.
An alternate way to initiate the infection chain uses Windows shortcut (“.LNK”) files that fetch the next-stage malware. Either route serves as the jumping-off point for a series of intermediate payloads, after which a fully featured backdoor is installed, with “enriched” capabilities that let the operators take screenshots, capture keystrokes and steal data from the Chrome browser.
The ultimate goal of the attacks, however, is to monitor the financial transactions of compromised users and steal cryptocurrency. If the target uses a browser extension such as Metamask to manage their cryptocurrency wallet, the attacker stealthily replaces the extension’s core component with a tampered version that alerts the operators whenever a large transfer to another account is initiated.
In the last phase of the attack, malicious code injection is used to modify and intercept transaction details. “The attackers modify not only the recipient [wallet] address, but also push the amount of currency to the limit, essentially draining the account in one move,” the researchers explained.
“Cryptocurrency is a heavily targeted sector when it comes to cybercrime due to the decentralized nature of the currencies and the fact that, unlike with credit card or bank transfers, the transaction happens quickly and is impossible to reverse,” Erich Kron, security awareness advocate at KnowBe4, said in a statement.
“Nation-states, especially those under strict tariffs or other financial restrictions, can benefit greatly by stealing and manipulating cryptocurrency.” Kron said that a lot of times a cryptocurrency wallet could contain many types of cryptocurrency, making it a highly attractive target.