CryptoCore Hackers Target Password Manager Accounts

CryptoCore Targets Password Manager Accounts

Yesterday, cybersecurity company ClearSky published a report on a hacking group called CryptoCore. Also known as Dangerous Password and Leery Turtle, the gang is allegedly located in Eastern Europe, and its actions have been followed by other security outfits as well. ClearSky's experts reckon, however, that CryptoCore's operations are much bigger than initially estimated. They think that since May 2018, the crew has managed to rake up as much as $200 million in illegal profits. Yesterday's report sheds some light on how it managed to do it.

The reconnaissance

CryptoCore's victims are almost exclusively cryptocurrency exchanges and companies working with them. Before executing the actual attack, the hackers go through a long reconnaissance process, which consists of identifying the high-ranking employees that they'll target, gathering as much intelligence about them as possible, and, in some cases, compromising their personal email accounts.

According to ClearSky, the attacks on personal emails are easier to pull off, but more importantly, they provide an excellent source of information and can help hackers compromise the target's corporate inbox. The actual attack chain is a mixture of proven techniques and new, innovative tricks that, if ClearSky's estimates about the $200 million in profits are correct, clearly work rather well.

The social engineering

The attacks start with spearphishing emails that vary in their degree of sophistication. In some cases, the messages are rather suspicious-looking, and in others, bar the odd misplaced comma, they're almost perfect both in terms of grammar and social engineering.

In most attacks, the cryptocurrency exchange's executives are told that by clicking a link, they'll get access to an important work-related document. CryptoCore makes heavy use of domain names that look similar to popular online platforms like Google Drive, and in some of the attacks, the hackers employ HTML to hide the malicious URLs behind legitimate-looking links. The hackers have also used URL-shortening services not only because they could help them evade detection but also because they give them an idea of how many victims fall for the scheme.

Targets who do click through download an archive with two files. The first one is a password-protected PDF, DOCX, or XLSX file that is supposedly the work-related document mentioned in the body of the email. The victim is led to believe that the password that unlocks it is stored in "password.txt" – the second file in the archive.

The more observant recipients, however, might notice that the password.txt file actually has a double-extension. Its full name is "password.txt.lnk," and it's where the actual attack starts.

The attack

LNK files are regular Windows shortcuts, and they have been used by other cybercriminal gangs as well. CryptoCore's LNK file links to a piece of malicious VBS code that connects to the Command and Control server (C&C) and proceeds to the next stage of the attack. To ensure that the victim is none the wiser, the script downloads and opens a TXT file that contains what looks like the promised password.

In the background, however, it downloads and stores the payload in the %temp% folder and places another VBS file in the startup directory in order to ensure that the malware starts whenever the PC boots up.

The heist

As we mentioned already, CryptoCore's attacks target key employees of cryptocurrency exchanges, which means that regular users are unlikely to be affected by this particular campaign. This doesn't mean that people shouldn't pay attention to it, though.

ClearSky's experts didn't name the specific tools used in CryptoCore's attacks, but they did say that the cybercriminals are going after victims' password manager accounts. In there, the hackers find the information they need to redirect millions worth of digital coins from the exchange's active wallets to addresses controlled by them.

The actual mechanisms of breaking in remain unknown, and there's no information on whether specific password management applications are targeted. The stolen cryptocurrency proves, however, that the attacks have been successful, which could raise suspicion toward password managers in some users. It would be completely unwarranted.

Password managers are the best tools for organizing and storing login data, and there should be no doubt about this in anyone's mind. Unfortunately, even a password manager's defenses can be weakened by poor cybersecurity hygiene on the user's part. People need to remember that their master password must be strong, long, and, crucially, unique, and they must take advantage of additional security features like two-factor authentication that some password managers offer. We might not have the technical details around CryptoCore's attacks, but we do know that they are all dependent on the user clicking a link in an email, as well, which goes to show that it's high time everyone starts treating the messages in their inbox with a healthy dose of suspicion.

June 25, 2020

Leave a Reply