Kaspersky identifies BlueNoroff, a threat actor targeting cryptocurrency startups


Kaspersky's experts have uncovered a series of attacks by the APT (Advanced Persistent Threat) group BlueNoroff against small and medium-sized businesses around the world, aimed at stealing cryptocurrency.

Kaspersky identifies BlueNoroff: what the campaign looks like

In the latest BlueNoroff campaign, the attackers sent employees of the targeted companies a Windows backdoor with surveillance capabilities, disguised as a "contract" or a similar business document. To be able to empty the victim's cryptocurrency wallet, the attackers developed elaborate and dangerous resources: a complex infrastructure, exploits and malware implants.

BlueNoroff is part of the better-known Lazarus group and draws on its diversified structure and sophisticated attack techniques. The Lazarus APT group is known for attacks on banks and SWIFT-connected servers. It is also known for setting up fake companies that purported to develop cryptocurrency software: users deceived in this way installed legitimate-looking applications and later received backdoors disguised as updates.

Now this "branch" of Lazarus is attacking cryptocurrency startups, mostly small or medium-sized businesses that cannot afford to invest heavily in their internal security.

To gain the victim's trust, BlueNoroff impersonates a real, existing venture capital company. The cybercriminals chose the cryptocurrency startup sector because these companies routinely receive e-mails and files from unknown sources.

For example, a venture capital firm routinely sends contracts and other business-related files. The APT group uses this routine as bait to persuade victims to open the attached files: documents that load malicious "templates" from external sites.

What happens if the document is opened?

Opened offline, the document poses no danger; it is a harmless document. Opened on a computer connected to the Internet, however, it fetches a second, macro-enabled document, which is downloaded onto the victim's device and delivers the malware.

This APT group has several infection tactics in its arsenal and assembles the infection chain according to the situation. Besides weaponized Word documents, the criminals also spread malware disguised as compressed Windows shortcut (.lnk) files.
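The remote-template trick described above leaves a trace inside the document itself: a .docx is a zip archive, and a document that pulls its template from a URL carries an `attachedTemplate` relationship with `TargetMode="External"` in `word/_rels/settings.xml.rels`. The following Python scanner, an added example that is not part of the original article or of Kaspersky's research, opens a .docx offline, lists every external relationship target, flags remote templates and reports whether a VBA project (macros) is embedded. The sample documents it builds are constructed in memory for the demonstration; the template URL uses a reserved test-network address and is not a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by OOXML package relationship (.rels) files
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def scan_docx(data: bytes) -> dict:
    """Inspect a .docx (a zip) for external relationship targets and embedded VBA.

    Returns a dict with:
      remote_templates : (rels file, URL) pairs for attachedTemplate relationships
                         with TargetMode="External" - the remote-template lure
      external_targets : every external relationship target, whatever its type
      has_vba          : True if a vbaProject.bin part (macros) is present
    """
    findings = {"remote_templates": [], "external_targets": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Internal relationships point at parts inside the zip; only
                # TargetMode="External" ones make Word reach out to the network.
                if rel.get("TargetMode") != "External":
                    continue
                entry = (name, rel.get("Target", ""))
                findings["external_targets"].append(entry)
                if rel.get("Type") == ATTACHED_TEMPLATE_TYPE:
                    findings["remote_templates"].append(entry)
    return findings


def is_suspicious(findings: dict) -> bool:
    """A document that fetches its template from a URL, or carries VBA, deserves a closer look."""
    return bool(findings["remote_templates"]) or findings["has_vba"]


def build_sample_docx(template_url: str = "") -> bytes:
    """Constructed sample: a minimal .docx. When template_url is given, the settings part
    points at it through an attachedTemplate relationship, as a remote-template lure does.
    The package is deliberately minimal and is not a complete, Word-openable document."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"/>')
        if template_url:
            z.writestr(
                "word/settings.xml",
                f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>',
            )
            z.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
                f'Target="{template_url}" TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a plain document and one that fetches a remote .dotm template
    for label, url in (("benign", ""), ("lure", "http://203.0.113.5/contract.dotm")):
        f = scan_docx(build_sample_docx(url))
        verdict = "suspicious" if is_suspicious(f) else "clean"
        print(f"{label}: {verdict} remote_templates={f['remote_templates']}")
```

To check a real attachment, pass the file's bytes to `scan_docx`; the same relationship parsing works for .docm, .xlsx and .pptx packages, since they share the OOXML relationship format.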

After that, the attackers track their victims for weeks or months, recording every keystroke and monitoring the user's daily activity. Once they identify a high-value target who uses a popular browser extension (e.g. MetaMask) to manage cryptocurrency wallets, the criminals replace the extension's main component with a fake version.

According to the researchers, the attackers are notified the moment a victim makes a large transfer. When the victim tries to move funds to another account, the attackers intercept the transaction process and inject malicious code. When the user clicks the "approve" button to complete the payment, the criminals swap in their own recipient address. They also raise the transaction amount to the maximum, draining all the funds in the account.

Seongsu Park, Senior Security Researcher in Kaspersky's Global Research and Analysis Team (GReAT), said:

As cybercriminals continually develop new methods for their attacks, even small businesses should train their employees on basic cybersecurity. It is especially important to do this if the company works with cryptocurrency wallets: there is nothing wrong with using services and extensions of this kind, but you have to take into account that they are a lure for APTs and cybercriminals. Therefore, this sector must be well protected.

Kaspersky's tips

For adequate business protection, Kaspersky suggests the following:

  • Train your staff with a basic cybersecurity course;
  • Carry out an IT security audit of the company's networks and fix any weaknesses found at the perimeter or inside the network;
  • A counterfeit extension is hard to spot manually unless you are familiar with the MetaMask codebase. Modifying a Chrome extension does leave a trace, however: for MetaMask to be installed from a local directory instead of the online store, the browser must be switched to developer mode. If the plugin came from the store, Chrome enforces digital signature validation of the code and ensures its integrity. So if in doubt, check the MetaMask extension and the Chrome settings.
  • Install anti-APT and EDR solutions, which enable threats to be detected and incidents to be identified and resolved promptly. Give your SOC team access to the latest threat intelligence and provide regular professional training. All of this is available within the Kaspersky Expert Security framework.
  • Alongside adequate endpoint protection, dedicated services can help against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks at an early stage, before the attackers reach their goals.
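The manual check in the third tip (is MetaMask loaded from a local directory, and is the browser in developer mode?) can be automated from Chrome's per-profile preference files. The script below is an added example, not code from the article or from Kaspersky, and it rests on a few assumptions labelled in the comments: the extension ID is the one shown in MetaMask's Chrome Web Store listing URL (verify it against the listing), the `location` values follow Chromium's ManifestLocation enum (1 = installed from the Web Store, 4 = loaded unpacked), and the `path` and `from_webstore` keys are the names Chromium writes to `Secure Preferences`. The two profile dictionaries at the bottom are constructed samples, not real Chrome output.

```python
import json
import ntpath
import os
import posixpath

# MetaMask's Chrome Web Store ID as it appears in the store listing URL (assumption:
# confirm against the listing before relying on it).
METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"

# Chromium "location" values for an installed extension (assumption: ManifestLocation
# enum in the Chromium source). 1 = installed from the Web Store (INTERNAL),
# 4 = loaded unpacked from a local directory, which needs developer mode.
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4


def deep_merge(base: dict, extra: dict) -> dict:
    """Recursively merge two preference trees; values in extra win."""
    out = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = value
    return out


def load_profile_prefs(profile_dir: str) -> dict:
    """Read and merge 'Preferences' and 'Secure Preferences' from a Chrome profile directory
    (on Windows typically %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default).
    Extension settings live in Secure Preferences; the developer-mode flag in Preferences."""
    merged = {}
    for fname in ("Preferences", "Secure Preferences"):
        path = os.path.join(profile_dir, fname)
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                merged = deep_merge(merged, json.load(fh))
    return merged


def audit_extension(prefs: dict, ext_id: str = METAMASK_ID) -> list:
    """Return the reasons the extension looks tampered with; an empty list means clean."""
    reasons = []
    extensions = prefs.get("extensions", {})
    if extensions.get("ui", {}).get("developer_mode"):
        reasons.append("browser is in developer mode")
    entry = extensions.get("settings", {}).get(ext_id)
    if entry is None:
        return reasons + ["extension not present in this profile"]
    location = entry.get("location")
    path = entry.get("path", "")
    if location == LOCATION_UNPACKED:
        reasons.append("extension loaded unpacked from a local directory")
    elif location != LOCATION_INTERNAL:
        reasons.append(f"unexpected install location {location!r}")
    # Store installs record a path relative to the profile (<id>\<version>); an unpacked
    # extension keeps the absolute directory it was loaded from.
    if ntpath.isabs(path) or posixpath.isabs(path):
        reasons.append(f"absolute extension path {path!r}")
    if not entry.get("from_webstore", False):
        reasons.append("from_webstore flag not set")
    return reasons


# Constructed sample profiles for the demonstration (not real Chrome output)
CLEAN_PREFS = {
    "extensions": {
        "settings": {
            METAMASK_ID: {"location": 1, "from_webstore": True,
                          "path": METAMASK_ID + "\\10.0.0_0"}
        },
        "ui": {"developer_mode": False},
    }
}
TAMPERED_PREFS = {
    "extensions": {
        "settings": {
            METAMASK_ID: {"location": 4, "path": "C:\\Users\\dev\\metamask-patched"}
        },
        "ui": {"developer_mode": True},
    }
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        prefs = load_profile_prefs(sys.argv[1])  # audit a real profile directory
    else:
        prefs = TAMPERED_PREFS
    for reason in audit_extension(prefs) or ["no findings"]:
        print(reason)
```

Run it with the profile directory as the only argument to audit a real machine; with no argument it audits the constructed tampered profile. A hit on any reason is a cue to reinstall the extension from the Web Store and to ask who turned developer mode on.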