New Crypto Theft Campaign Hunts for Big Game

A new campaign aiming not at individuals' crypto wallets but at the wallets of larger organizations is afoot. The new malicious push has been given the nickname SnatchCrypto and is believed to be backed by North Korean state funds.

Spearheaded by Branch of the Lazarus APT

According to the security researchers who disclosed the SnatchCrypto campaign, the entity behind the whole thing appears to be an offshoot of the North Korean-backed Lazarus APT, called BlueNoroff. Lazarus is the larger parent entity that has made headlines multiple times over the past years. Lazarus operators specialize in hitting financial institutions and platforms, so it's no wonder they would be involved in SnatchCrypto as well.

So far BlueNoroff has pulled off multiple attacks against organizations connected to cryptocurrency at large. What researchers noted is that the BlueNoroff APT takes a lot of time and prepares very carefully when approaching its victims and likely uses a mix of social engineering and fake but believable business correspondence to gain the trust of some of its victim's members.

ZDNet quoted the researchers who published a paper on BlueNoroff, stating that they go so far as to pinpoint "topics of interest" within the targeted organization and then send out malicious documents and files closely tied to the topic of internal company discussion. This is a level of dedication and precision few APTs can display.

The attacks employed by BlueNoroff employ a remote-code execution vulnerability to grab the payload from a server. System access privileges are escalated before the main payload is deployed.

Sweep and Clear Tactics

One very interesting tidbit that BlueNoroff does in their attack is that they have a VisualBasic macro that is used to remove the link to the malicious payload stored in the original document used to start the attack. This means that the file is, for all intents and purposes, cleaned and safe, which creates further complications for security researchers.

The attack finishes with the deployment of a custom-made backdoor tool that monitors the host system and tries to intercept and interject when it detects a cryptocurrency transaction.

According to statistics collated by security researchers with Chainalysis, over the course of 2021 North Korean threat actors managed to steal a mind-boggling $400 million in crypto.

By Zaib
January 14, 2022
Computer Security
English
January 14, 2022
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Computer Security

Malvertising Campaign Targets Millions of Users

A malvertising campaign dubbed "Tag Barnakle" has infected over 120 advertising servers in the past twelve months, according to security researchers. The goal of the large-scale campaign was to inject malicious code... Read more

April 20, 2021
Computer Security

New MageCart Campaign Dodges Researcher Sandboxes

A bad actor operating the MageCart card-stealing skimmer malware is conducting another ongoing campaign. The campaign is special, as it has an added component that allows the malware to safely dodge any researcher... Read more

November 4, 2021
Ransomware

Remove Crypto_Support Ransomware

The Crypto_Support Ransomware is a malicious application for Windows. When it infects a device, it carries out a swift file-encryption attack, which would lock users out of their files. The malware is able to cause a... Read more

January 5, 2022
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.