A North Korean hacking group, BlueNoroff, has shifted from targeting banks and SWIFT-connected servers to going exclusively after small and medium-sized cryptocurrency businesses, according to a recent Kaspersky report.
The campaign, which Kaspersky dubbed SnatchCrypto, has been running since at least 2017. It relies on targeted phishing and social engineering that exploit trust between colleagues: the threat actors study employees' behaviour and interactions to identify the topics that will get a message opened.
Once enough has been gathered on a victim, the attackers send what looks like a relevant, trustworthy email from one colleague to another, sharing a document or asking for a review of, or answers to questions about, its contents. By embedding a logo image served through SendGrid, a third-party email service with open-tracking features, the attackers learn exactly when the victim opens the message.
Alternatively, after compromising an existing company, the attackers use its own channels, such as its email and social media accounts, to contact other firms and distribute weaponized documents posing as investment contracts and similar files. These documents exploit CVE-2017-0199, a vulnerability in the way Microsoft Office handles embedded OLE objects.
“The vulnerability initially allowed automatic execution of a remote script linked to a weaponized document. The exploit relies on fetching remote content via an embedded URL inside one of the document meta files,” the report explains.
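The "embedded URL inside one of the document meta files" is the relationship metadata of the OOXML package (the `.rels` parts inside a `.docx`). A defender can triage inbound documents by scanning those parts for relationships that Word resolves automatically on open and that point at a remote http(s) target. The following scanner is an added example written for this page, not code from Kaspersky's report; the two sample documents it builds are constructed here (the lure only carries the relationship entry, no payload), and the `example.invalid` hostname is a placeholder. It covers the `.docx` form of the trick and also flags remote-template relationships, which the same metadata scan catches for free.

```python
"""Added check: flag .docx parts whose relationships make Word fetch a remote
object on open (the mechanism behind CVE-2017-0199 and remote-template lures).
Not Kaspersky's code; the sample documents below are constructed here."""
import io
import zipfile
from xml.etree import ElementTree as ET

PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves automatically when the document opens.
# oleObject is the one abused by CVE-2017-0199; attachedTemplate is the
# remote-template trick, caught by the same scan. Hyperlinks are excluded
# because they only fire on click.
AUTO_FETCH_TYPES = {OFFICE_REL + "oleObject", OFFICE_REL + "attachedTemplate"}


def scan_docx(data: bytes) -> list:
    """Return one dict per external http(s) target in an auto-fetched relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_REL + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if not target.lower().startswith(("http://", "https://")):
                    continue
                rtype = rel.get("Type", "")
                if rtype in AUTO_FETCH_TYPES:
                    findings.append({"part": name,
                                     "type": rtype.rsplit("/", 1)[-1],
                                     "target": target})
    return findings


# Minimal, constructed OOXML parts: enough for a zip/XML parser, not a real document.
CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Investment contract</w:t></w:r></w:p></w:body></w:document>'
)
RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
# Benign: a local styles part plus a click-only hyperlink (must not be flagged).
BENIGN_RELS = RELS_HEAD + (
    '<Relationship Id="rId1" Type="' + OFFICE_REL + 'styles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="' + OFFICE_REL + 'hyperlink" '
    'Target="https://example.invalid/" TargetMode="External"/>'
    '</Relationships>')
# Lure: an OLE object whose target is fetched from a remote server on open.
LURE_RELS = RELS_HEAD + (
    '<Relationship Id="rId1" Type="' + OFFICE_REL + 'oleObject" '
    'Target="http://example.invalid/contract.doc" TargetMode="External"/>'
    '</Relationships>')


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx shell; the rels part is all the scanner needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print("benign:", scan_docx(build_sample_docx(BENIGN_RELS)))
    print("lure:  ", scan_docx(build_sample_docx(LURE_RELS)))
```

Run it against a real attachment with `scan_docx(open(path, "rb").read())`. The scan is deliberately narrow (external http(s) targets on relationship types Word fetches unprompted) so that ordinary hyperlinks do not trip it; it does not cover the RTF variant of CVE-2017-0199, where the object data lives in the RTF stream rather than a `.rels` part, so pair it with RTF inspection where that format is allowed in.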
Companies named in BlueNoroff's social engineering campaigns include Coinsquad, Beenos, and Dekrypt Capital; however, Kaspersky says there is currently no evidence that these companies were themselves compromised.
Kaspersky warns that BlueNoroff maintains several infection chains and picks the one best suited to each situation. They include Windows shortcut (.lnk) files and weaponized Word documents.
Using the techniques above, BlueNoroff harvests user credentials and any other account-related information. When the target looks lucrative enough, the group takes a more patient approach.
After studying the user, sometimes for months, the attackers establish whether the victim manages crypto wallets through a browser extension such as MetaMask.
“[If that is the case,] they change the extension source from Web Store to local storage and replace the core extension component (background.js) with a tampered version. At first, they are interested in monitoring transactions,” the report says.
As soon as the victim starts a transaction, the attackers intercept it and steal the funds. Because the victim initiated the transaction, they approve it without a second look, but the details have been altered: the recipient address has been swapped for one the attackers control and the amount raised to the maximum the victim's wallet holds.
These manipulations require serious monitoring infrastructure and sophisticated analysis on BlueNoroff's part. The injection is hard to spot, but not impossible.
“The browser has to be switched to Developer mode and the Metamask extension is installed from a local directory instead of the online store. If the plugin comes from the store, Chrome enforces digital signature validation for the code and guarantees code integrity,” the report reads.
If in doubt, Kaspersky recommends checking the MetaMask extension and Chrome's extension settings: whether Developer mode is enabled and whether the extension was loaded from a local directory rather than installed from the Web Store.
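That check can be scripted against the profile's preference file, where Chrome records how each extension was installed. The audit below is an added example for this page, not Kaspersky's tooling. It assumes Chromium's `extensions.settings.<id>` layout (`location` 1 for a store install and 4 for "Load unpacked", `from_webstore`, and a `path` that is absolute only for unpacked extensions) and the `extensions.ui.developer_mode` preference; the MetaMask extension ID used as the default is its Chrome Web Store ID and should be verified against the store listing. The two preference fragments are constructed, reduced to the keys the audit reads.

```python
"""Added check: read Chrome's extension preferences and tell a MetaMask that
was loaded unpacked from a local folder apart from one installed from the Web
Store. Not Kaspersky's tooling; the two preference dumps below are constructed."""
import json
import re

METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"  # MetaMask's Web Store ID (verify against the listing)

# `location` values in extensions.settings.<id> follow Chromium's ManifestLocation
# enum: 1 = installed from the store, 4 = "Load unpacked" from a directory.
LOCATION_UNPACKED = 4

# An unpacked extension's `path` is absolute (Windows drive, POSIX root or UNC);
# a store install records a path relative to the profile's Extensions folder.
ABS_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|/|\\\\)")


def audit_extension(prefs: dict, ext_id: str = METAMASK_ID) -> dict:
    """Collect the signals a reviewer would look at and reduce them to a verdict."""
    ext = prefs.get("extensions", {})
    dev_mode = bool(ext.get("ui", {}).get("developer_mode", False))
    entry = ext.get("settings", {}).get(ext_id)
    if entry is None:
        return {"installed": False, "developer_mode": dev_mode, "verdict": "not installed"}
    signals = {
        "installed": True,
        "developer_mode": dev_mode,
        "location": entry.get("location"),
        "from_webstore": bool(entry.get("from_webstore", False)),
        "absolute_path": bool(ABS_PATH.match(entry.get("path", ""))),
    }
    # Any one of these is enough: a store install is never unpacked, is always
    # marked from_webstore, and never lives outside the profile's Extensions dir.
    sideloaded = (signals["location"] == LOCATION_UNPACKED
                  or not signals["from_webstore"]
                  or signals["absolute_path"])
    signals["verdict"] = "side-loaded" if sideloaded else "web store"
    return signals


def audit_profile(prefs_path: str, ext_id: str = METAMASK_ID) -> dict:
    """Run the audit on a profile's Preferences / Secure Preferences file."""
    with open(prefs_path, encoding="utf-8") as fh:
        return audit_extension(json.load(fh), ext_id)


# Constructed preference fragments (not from a real profile), keys the audit reads only.
CLEAN_PREFS = {"extensions": {"ui": {"developer_mode": False}, "settings": {
    METAMASK_ID: {"from_webstore": True, "location": 1,
                  "path": METAMASK_ID + "\\10.8.1_0", "state": 1}}}}
SIDELOADED_PREFS = {"extensions": {"ui": {"developer_mode": True}, "settings": {
    METAMASK_ID: {"from_webstore": False, "location": LOCATION_UNPACKED,
                  "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\metamask", "state": 1}}}}

if __name__ == "__main__":
    for label, prefs in (("clean", CLEAN_PREFS), ("side-loaded", SIDELOADED_PREFS)):
        print(label, json.dumps(audit_extension(prefs)))
```

On Windows the extension settings live in `Secure Preferences` in the profile folder (for the default profile, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences`); on Linux and macOS they are in `Preferences`. Treat a "side-loaded" verdict as a lead, not proof: an attacker who can write the profile can also edit these keys, so corroborate by comparing the extension's on-disk files against a fresh copy of the same MetaMask version from the store.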
BlueNoroff is a unit of the Lazarus group, which has a long history of going after financial institutions and SWIFT-connected servers.
In September 2019, the U.S. Treasury announced sanctions on three North Korean hacking groups, including BlueNoroff, which it said are controlled by the Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency.
The sanctions followed the Lazarus group's involvement in the WannaCry 2.0 ransomware attack, which affected around 200,000 computers across 150 countries, according to Europol. The incident, publicly attributed to North Korea, hit the UK's National Health Service (NHS), including numerous hospitals, as well as other organizations around the world.
BlueNoroff targets victims worldwide and currently focuses on companies working in cryptocurrency, DeFi, and blockchain.