
BlueNoroff Threat Group targets cryptocurrency startups


BlueNoroff, an Advanced Persistent Threat (APT) group that is part of the larger Lazarus group linked to North Korea, is behind a series of attacks against small and medium-sized companies that have resulted in serious losses in cryptocurrencies.

The campaign, dubbed SnatchCrypto, targets organizations working in the cryptocurrency and smart contracts, decentralized finance, blockchain and financial technology industries, according to the Kaspersky researchers who observed it. There’s a reason these companies are being targeted, they say: startups often receive messages and documents from unfamiliar senders.

“Since most cryptocurrency businesses are small and medium-sized startups, they cannot invest large sums of money in internal security systems,” the researchers wrote in a blog post. “The actors understand this and, through the use of well-designed social engineering plans, take advantage of that.”

In this campaign, attackers attempted to manipulate victims by posing as existing venture capital firms. The researchers saw the names of more than 15 such firms used in these attacks, but did not believe the actual organizations were associated with the threat.

The researchers reported that attackers sent these startup employees a “full-featured Windows backdoor with surveillance capabilities, disguised as contracts or other business documents.” If the file is opened on an Internet-connected device, another macro-enabled document is retrieved to deploy the malware.

The malware creates a backdoor by sending the target’s general information and a PowerShell proxy to the attacker. From there, BlueNoroff deployed other tools, including keyloggers and screenshot programs, to monitor victims. After weeks or months of tracking, the attackers found a prominent target and used the data they collected to steal large amounts of cryptocurrency from them.
