Connect with us

Hi, what are you looking for?

Technology

BlueNoroff hackers steal crypto using fake MetaMask extension

NorthKoreaCrypto


North Korea and cryptocurrency

The North Korean threat actor group known as ‘BlueNoroff’ has been spotted targeting cryptocurrency startups with malicious documents and fake MetaMask browser extensions.

The motive of this group is purely financial, but its sophistication in carrying out objectives has previously led researchers to conclude that this is a sub-group of the North Korean Lazarus gang.

Although BlueNoroff has been active for several years, its structure and operation have been shrouded by mystery.

A report by Kaspersky attempts to shed some light by using intelligence collected during the most recent activity observed, dating back to November 2021.

Targets

The latest attacks are focused on cryptocurrency startups located in the US, Russia, China, India, the UK, Ukraine, Poland, Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.

Victim map on the latest campaign
Victim map on the latest campaign
Source: Kaspersky

The threat actors attempt to infiltrate the communications of these firms and map the interactions between the employees to derive potential social engineering pathways.

In some cases, they do this by compromising the LinkedIn account of an employee and sharing a link to download a macro-laced document right on the platform.

BlueNoroff uses these real discussions to name laced documents accordingly and send them to the target employee at the right time.

Advertisement. Scroll to continue reading.
Email used in latest BlueNoroff campaigns
Email used in latest BlueNoroff campaigns
Source: Kaspersky

To track their campaign, they include an icon from a third-party tracking service (Sendgrid) to get a notification when the victim opens the sent document.

The company names and logos impersonated by BlueNoroff are shown below:

Logos and firms used for social engineering attacks
Logos and firms used for social engineering attacks
Source: Kaspersky

As Kaspersky points out, these companies may not have been compromised, and Sendgrid may not know (was notified) that North Korean APTs are abusing them.

Infection chains

The first infection chain uses documents that feature VBS scripts, which exploit an old remote template injection vulnerability (CVE-2017-0199).

First infection chain
First infection chain
Source: Kaspersky

The second infection chain relies on sending an archive that contains a shortcut file and a password-protected document (Excel, Word, or PDF).

Second infection chain
Second infection chain
Source: Kaspersky

The LNK file that supposedly contains the password to open the document initiates a series of scripts that fetches the next-stage payload.

Eventually, in both cases, a backdoor with the following functionalities is dropped onto the infected machine:

  • Directory/File manipulation
  • Process manipulation
  • Registry manipulation
  • Executing commands
  • Updating configuration
  • Stealing stored data from Chrome, Putty, and WinSCP

Fake MetaMask steal crypto from victims

BlueNoroff steals user credentials that can be used for lateral movement and deeper network infiltration, while they also collect configuration files relevant to cryptocurrency software.

“In some cases where the attackers realized they had found a prominent target, they carefully monitored the user for weeks or months,” reads Kaspersky’s report.

“They collected keystrokes and monitored the user’s daily operations while planning a strategy for financial theft.”

The main trick employed to steal the cryptocurrency assets is to replace the core components of wallet management browser extensions with tampered versions that are dropped on local memory.

Tampered component on the laced Metamask plugin
Tampered component on the laced Metamask plugin
Source: Kaspersky

Kaspersky notes that tampering with the Metamask Chrome extension requires a thorough analysis of 170,000 lines of code, indicative of the skills and determination of BlueNoroff.

Victims can only detect the extension is fake by switching the browser to Developer mode and seeing the extension source pointing to a local directory rather than the online store.

Extension showing a local folder as an installation source
Extension showing a local folder as an installation source
Source: Kaspersky

When the target uses a hardware wallet, the actors wait for transactions and hijack the amounts by changing the recipient’s address.

Because they have only one chance before the victim realizes the infection, the actors also change the transaction amount to the maximum possible, draining the assets in one move.

Clues for attribution

On the aspect of attribution, Kaspersky researchers report seeing overlaps and similarities between PowerShell scripts and backdoors used in the latest and past campaigns.

Advertisement. Scroll to continue reading.
Code similarities between different backdoors
Code similarities between different backdoors
Source: Kaspersky

Moreover, the C2 address acquisition scheme is similar to the 2016 attacks, using a hardcoded DWORD value to resolve an IP address via XORing.

Finally, the metadata on the Windows shortcut files dropped as part of the second infection chain contain Korean characters.



Source link

Click to comment

Leave a Reply

Latest

Top Stories

The provision in the U.S. infrastructure bill signed into law in November, which will require financial institutions and crypto brokers to report additional information,...

Social Media

As it looks to add more ways to help creators to build their presence, and monetize their work in the app, Facebook is launching...

Technology

In context: Tensor cores have been one of the main advantages of Nvidia’s RTX graphics cards, enabling machine learning-based image upscaling, which significantly improves...

Online Business Success

Small Town Cultures pickles. Small Town Cultures Small Town Cultures A family-based fermentation company located in upstate New York, bring simple, clean fermented foods...

Social Media

Snapchat has officially launched its new Snapchat+ subscription service, which will enable users to pay a monthly fee in order to gain access to...

Top Stories

Bear markets can be incredibly harsh for projects that have little adoption or lack an applicable use case, but projects that dedicate to building...

Advertisement

You May Also Like

Uncategorized

Introductions get a lot of attention. I’ve explored the topic of how to write them even though as a reader, I always skip them....

Online Business Success

The internet is now our nervous system. We are constantly streaming and buying and watching and liking, our brains locked into the global information...

SEO Guide

There are all kinds of pictures of the world on the internet, but to find one of these specific pictures that you want to...

Online Business Success

You can think of link building in many ways. I like to call it tedious, painful, and a test of patience. It’s also necessary...

Advertisement