According to a Kaspersky report, a hacking group from North Korea known as "BlueNoroff" appears to be targeting cryptocurrency startups with malicious documents and fake MetaMask browser extensions.
The motivation of this group is purely financial, but its sophisticated methods had previously led researchers to conclude that it is a subgroup of the known Lazarus gang (linked to the North Korean government).
BlueNoroff hackers have been active for several years, but we do not know much about their structure and operation.
A Kaspersky report seeks to shed some light on the data collected during their most recent campaign, in November 2021.
According to the researchers, the latest attacks discovered focused on cryptocurrency startups located in various countries: USA, Russia, China, India, Germany, United Kingdom, Poland, Ukraine, Czech Republic, Estonia, UAE, Malta, Singapore, Vietnam and Hong Kong.
The cybercriminals try to compromise the communications of these companies' employees, tracking their interactions so that they can carry out social engineering attacks. Even so, they would only resort to this as a last resort.
In some cases, the hackers compromised an employee's LinkedIn account and shared a link to download a macro-laden document directly on the platform.
To track their campaign, the hackers embed a tracking icon served by a third-party service (Sendgrid) in order to receive a notification when the victim opens the document they sent.
The names and logos of the companies whose identities BlueNoroff used to deceive employees are shown below:
As Kaspersky points out, these companies may not have been breached, and Sendgrid may not have known (it has now been notified) that the hacking team was abusing its services.
Ways of infecting systems
The first infection chain uses documents with VBS scripts, which take advantage of an old remote template injection vulnerability (CVE-2017-0199).
The second infection chain relies on sending an archive containing a shortcut file and a password-protected document (Excel, Word or PDF). The LNK file, which supposedly contains the password needed to open the document, launches a series of scripts that install the second-stage payload.
In both cases, a backdoor is installed on the infected device. The backdoor has the following functions:
- Directory / file handling
- Process handling
- Registry handling
- Execute commands
- Configuration update
- Stealing saved data from Chrome, Putty and WinSCP
Fake MetaMask extension steals cryptocurrencies from victims
The BlueNoroff hackers steal user credentials that can be used for lateral movement and deeper network penetration, while also collecting configuration files related to cryptocurrency software.
"In some cases where attackers realized they had found a large target, they closely monitored the user for weeks or months," says Kaspersky's report.
"They collected keystrokes and monitored the user's daily operations while plotting a theft strategy".
The hackers' main trick for stealing cryptocurrency assets is replacing the core components of wallet-management browser extensions with tampered versions.
In this campaign they used a modified version of the Metamask extension.
Victims can only detect that the extension is fake if they switch the browser's extensions page to Developer mode and notice that the extension's source is a local directory rather than the online store.
The fake Metamask extension allows the hackers to steal cryptocurrency even when the target uses a hardware wallet: the criminals wait for a transaction and steal the funds by changing the recipient's address.
Because they have only one chance before the victim realizes the infection, the hackers raise the transaction amount as high as possible, draining the assets in one go.
More details can be found in the Kaspersky report.
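The "local directory, not the online store" tell described above can be checked without opening the browser: Chrome records every installed extension in its profile's Preferences JSON, including where it came from. The script below is an added defensive example, not part of the article or of Kaspersky's report; it assumes the Preferences layout I know from Chrome (`extensions.settings.<id>` with `location`, `from_webstore` and `path` fields, where 1 means a Web Store install and 4 means an unpacked, Developer-mode load), and the extension IDs and paths in the sample are constructed.

```python
import json
from pathlib import Path, PureWindowsPath

# Chrome Manifest::Location values (assumption from Chromium's enum):
# 1 = INTERNAL (installed from the Web Store), 4 = UNPACKED ("Load unpacked").
INTERNAL, UNPACKED = 1, 4

def _is_local_dir(path_str: str) -> bool:
    # Web Store installs use a path relative to the profile's Extensions folder;
    # a sideloaded extension keeps the absolute path it was loaded from.
    return PureWindowsPath(path_str).is_absolute() or Path(path_str).is_absolute()

def find_sideloaded_wallets(prefs: dict, keywords=("metamask", "wallet")) -> list:
    """Return (id, name, reasons) for wallet-like extensions that were not
    installed from the Chrome Web Store."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, ext in settings.items():
        name = str(ext.get("manifest", {}).get("name", "")).lower()
        if not any(k in name for k in keywords):
            continue
        reasons = []
        if ext.get("location") == UNPACKED:
            reasons.append("location=UNPACKED (loaded in Developer mode)")
        if not ext.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if _is_local_dir(str(ext.get("path", ""))):
            reasons.append("path is a local directory, not the profile store")
        if reasons:
            findings.append((ext_id, name, "; ".join(reasons)))
    return findings

# Constructed sample: one genuine Web Store MetaMask and one same-named
# extension loaded unpacked from a temp folder (IDs are placeholders).
SAMPLE_PREFS = json.loads("""{"extensions": {"settings": {
  "genuineidgenuineidgenuineidgenui": {"manifest": {"name": "MetaMask"},
    "location": 1, "from_webstore": true,
    "path": "genuineidgenuineidgenuineidgenui\\\\10.8.1_0"},
  "sideloadsideloadsideloadsideload": {"manifest": {"name": "MetaMask"},
    "location": 4, "from_webstore": false,
    "path": "C:\\\\Users\\\\victim\\\\AppData\\\\Local\\\\Temp\\\\metamask"}
}}}""")

if __name__ == "__main__":
    for ext_id, name, reasons in find_sideloaded_wallets(SAMPLE_PREFS):
        print(f"{ext_id} ({name}): {reasons}")
```

On a real host, load the profile's `Preferences` file (and on Windows also `Secure Preferences`) with `json.load` and pass the result to `find_sideloaded_wallets`.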
Source: Bleeping Computer