New Crypto Theft Campaign Hunts for Big Game
A new campaign aiming not at individuals' crypto wallets but at the wallets of larger organizations is afoot. The new malicious push has been given the nickname SnatchCrypto and is believed to be backed by North Korean state funds.
Spearheaded by a Branch of the Lazarus APT
According to the security researchers who disclosed the SnatchCrypto campaign, the group behind it appears to be an offshoot of the North Korean-backed Lazarus APT known as BlueNoroff. Lazarus is the larger parent entity that has made headlines repeatedly over the past several years. Lazarus operators specialize in hitting financial institutions and platforms, so it is no surprise they would be involved in SnatchCrypto as well.
So far BlueNoroff has pulled off multiple attacks against organizations working in or around cryptocurrency. What the researchers noted is that BlueNoroff takes a lot of time and prepares very carefully when approaching a victim, relying on a mix of social engineering and fake but believable business correspondence to gain the trust of employees at the targeted organization.
ZDNet quoted the researchers who published a paper on BlueNoroff, stating that they go so far as to pinpoint "topics of interest" within the targeted organization and then send out malicious documents and files closely tied to the topic of internal company discussion. This is a level of dedication and precision few APTs can display.
BlueNoroff's attacks rely on a remote-code execution vulnerability in the opened lure document to fetch the payload from an attacker-controlled server. Privileges on the compromised system are escalated before the main payload is deployed.
Sweep and Clear Tactics
One very interesting trick in the BlueNoroff attack chain is a Visual Basic for Applications (VBA) macro that removes the link to the remotely hosted payload from the original document used to start the attack. The file left on disk therefore looks, for all intents and purposes, clean, which makes it harder for security researchers to recover the infection chain from the lure itself.
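A practitioner triaging such a lure would want a check that does not depend on the external link still being present. The following is an added example (not code from the original article or from the researchers' report) that inspects an Office Open XML container for two independent artifacts: any relationship part that points at an external target, and the presence of an embedded VBA project. It assumes the link is stored as an OOXML relationship with TargetMode="External" (for instance an attached remote template in word/_rels/settings.xml.rels); the sample documents, the placeholder URL http://example.invalid/template.dotm and the dummy vbaProject.bin contents are constructed here for illustration. The point the example makes is that a document which has "cleaned" its own external link still carries the macro that did the cleaning.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Namespace used by every OOXML .rels part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def scan_ooxml(data: bytes) -> dict:
    """Walk an OOXML zip and collect external relationship targets and
    whether a VBA project (vbaProject.bin) is embedded."""
    result = {"external_targets": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                result["has_vba"] = True
            if low.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    # External targets are the only ones that leave the package.
                    if rel.get("TargetMode") == "External":
                        result["external_targets"].append(rel.get("Target"))
    return result


def classify(result: dict) -> str:
    """Summarize the artifacts: a macro with no external link is exactly the
    state a self-cleaning lure would be left in."""
    if result["external_targets"] and result["has_vba"]:
        return "external-link-and-macro"
    if result["has_vba"]:
        return "macro-only"
    if result["external_targets"]:
        return "external-link-only"
    return "no-indicators"


def build_sample_docm(with_external_link: bool) -> bytes:
    """Constructed sample (not a real lure): a minimal macro-enabled Word
    container whose settings part optionally references a remote template."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        f'<Relationships xmlns="{REL_NS}">',
        '<Relationship Id="rId1" Target="styles.xml" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/styles"/>',
    ]
    if with_external_link:
        # Placeholder URL; assumption for the example, not an indicator.
        rels.append(f'<Relationship Id="rId2" Type="{TEMPLATE_REL}" '
                    'Target="http://example.invalid/template.dotm" '
                    'TargetMode="External"/>')
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?><Types xmlns='
                   '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0" encoding="UTF-8"?><document/>')
        z.writestr("word/settings.xml",
                   '<?xml version="1.0" encoding="UTF-8"?><settings/>')
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
        # Dummy OLE header standing in for a real VBA project stream.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, link in (("before macro runs", True), ("after link removal", False)):
        r = scan_ooxml(build_sample_docm(link))
        print(f"{label}: {classify(r)} targets={r['external_targets']}")
```

Run against the two constructed samples, the scanner reports `external-link-and-macro` for the untouched lure and `macro-only` for the copy with the relationship stripped. In a real investigation the `macro-only` case is the one to escalate: extract the VBA source (for example with oletools' `olevba`) and look for the code that edits the document's own relationships, since that routine is itself evidence of the technique the article describes.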
The attack finishes with the deployment of a custom-made backdoor that monitors the host system and, when it detects a cryptocurrency transaction, attempts to intercept and interfere with it.
According to statistics compiled by Chainalysis, North Korean threat actors managed to steal a mind-boggling $400 million in cryptocurrency over the course of 2021.