A group of hackers steals cryptocurrencies from start-ups and small businesses


Alexander Boero

January 14, 2022 at 8:45 a.m.

40

Cryptocurrency

© Alpha Footage / Shutterstock

The BlueNoroff cybercriminal group, identified by Kaspersky, specializes in stealing cryptocurrencies
from smaller companies by impersonating an existing venture capital firm.

Kaspersky researchers, who reveal the information to us, were alerted to a series of attacks carried out by an APT (advanced persistent threats) group known as BlueNoroff. The latter has launched multiple computer attacks against small and medium-sized businesses around the world. It specifically targets crypto-currency start-ups and plays with them through social engineering schemes. Let’s get into the details.

A group that specializes in building crypto software companies, with a legitimate appearance

The BlueNoroff group recently launched a campaign, dubbed SnatchCrypto. It therefore targets small businesses that manage crypto-currencies and smart contracts, working in the blockchain, FinTech industry and DeFi, this alternative financial system based on blockchain technology. On this campaign, the attackers abused the trust of the employees of these various companies. For this, they sent them a Windows backdoor complete with monitoring functions, in the form of a classic commercial file, such as a contract, for example.

To empty the cryptocurrency wallets of the targeted companies, BlueNoroff, which is part of the Lazarus group known for its sophisticated attacks on banks in particular, has relied on resources that are both hard-hitting and dangerous, such as malware implants. , complex infrastructure or other exploits. Note that the “exploits” here are attacks that take advantage of flaws in applications or other tools. They take the form of software or code, which allows them to take control of a device and steal data from it.

The BlueNoroff group has real expertise in this area and is capable of creating fake companies for the development of virtual currency software. Thus, customers falling into the trap of cyber criminal group actually think they are using legitimate applications. Only after a while do they receive updates containing backdoors.

Take advantage of the enthusiasm and ambition of young companies to indulge in surveillance, then theft

So how does BlueNoroff, which, it should be remembered, specializes in attacking crypto-currency start-ups that tend to invest less in their internal security system, manage to gain the trust of its victims? Generally speaking, it achieves this through social engineering. First, it poses as an existing venture capital firm (a firm used to helping start-ups). Kaspersky has indeed discovered that the identity of about fifteen venture capital companies was used illegally during the SnatchCrypto campaign alone.

Start-ups are often very curious and eager to appeal to these investment companies, so the slightest email or file attachment they may receive from one of these companies tempts them to open it. Let’s see it as luxury bait, in the eyes of hackers. And an email attachment obviously contains macros. If the computer that opens the file is connected to the Internet, then the path opens which allows, when the file is opened, to activate a document, via a macro, which the victim’s machine will unfortunately recover . This then leads to the deployment of the malware.

Word Blue Noroff © Kaspersky

An observant user may realize that something fishy is going on as Microsoft Word displays a standard loading pop-up window © Kaspersky

Contamination can occur either through booby-trapped Word documents or through malware disguised as zipped Windows shortcuts. Thanks to the created backdoor, BlueNoroff deploys other malicious tools that will help monitor the victim, such as screen capture software or a keylogger. And the attack then continues for weeks or even months. All keystrokes are logged, as well as the trapped user’s daily operations, which helps hackers plan an entire financial theft strategy.

The group is currently active and attacks users regardless of their country of origin © Kaspersky

The last step is to replace the main component of the browser extension used by the company to manage cryptocurrency wallets with a fake version, in particular of the Metamask extension. Cybercriminals receive a notification when they discover that their target is making large transfers. And in this case, they intercept the transaction process and then inject their own software. And the payment in all this? To reach the end of the chain, the user clicks on the “approve” button. This is when the hackers change the address of the recipient and modify the amount of the transaction (upwards, you guessed it), to purely and simply empty the account of the trapped company.

On the same subject :
Ulcan, hacker and “swater” with a dizzying record, sentenced to two and a half years in prison



Source link -99