New York Tech Media

SnatchCrypto attack hits DeFi and Blockchain Platforms with backdoor

By New York Tech Editorial Team
January 16, 2022
in Cybersecurity

Kaspersky researchers believe that North Korean government-backed hackers from the Lazarus Group are behind the SnatchCrypto attack.

The IT security researchers at Kaspersky have revealed details of a new campaign that the company has been tracking under the name SnatchCrypto.

According to Kaspersky’s research, the campaign is aimed at emptying the cryptocurrency wallets of organizations in the crypto and financial sectors.

Countries targeted in SnatchCrypto attack

The research indicates that the campaign has been active since at least 2017 and that its main targets are FinTech-sector firms in the following countries:

  1. India
  2. China
  3. Poland
  4. Russia
  5. Ukraine
  6. Vietnam
  7. Slovenia
  8. Singapore
  9. Hong Kong
  10. United States
  11. Czech Republic
  12. United Arab Emirates

How the attack takes place

In a blog post, Kaspersky researchers explained how the attack works and how unsuspecting users are tricked into giving away their funds: the malware on the host alters the transaction details before they reach the hardware wallet, so the device signs something other than what the user intended.

“When the compromised user transfers funds to another account, the transaction is signed on the hardware wallet. However, given that the action was initiated by the user at the very right moment, the user doesn’t suspect anything fishy is going on and confirms the transaction on the secure device without paying attention to the transaction details.”

“The user doesn’t get too worried when the size of the payment he/she inputs is low and the mistake feels insignificant. However, the attackers modify not only the recipient address but also push the amount of currency to the limit, essentially draining the account in one move.”

BlueNoroff Responsible for the Campaign

Kaspersky researchers attribute the SnatchCrypto campaign to an advanced persistent threat group known as BlueNoroff, which is assessed to be part of the North Korean Lazarus APT.

Lazarus is tied to cyberattacks against the financial and banking sector, including SWIFT-based intrusions in Bangladesh, Vietnam, and Taiwan. The group has been branded one of the leading threats to FinTech firms alongside FIN7 and the Cobalt group. (Cobalt Strike, which the original article names here, is a commercial red-team framework used by many of these groups, not a threat actor.)

“The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure,” Kaspersky researchers noted.

Reportedly, the group conducted a series of attacks against small and medium-sized firms that dealt in cryptocurrency, the blockchain, virtual assets, decentralized finance or DeFi, smart contracts, and FinTech.

This group builds and abuses trust to compromise company networks. It spends a lot of time getting to know its victims before launching the attack and has been studying cryptocurrency startups since November 2021. It also impersonates legitimate firms in phishing emails, including Emurgo, Coinsquad, Youbi Capital, and Sinovation Ventures.

“BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion,” Kaspersky report read.

CVE-2017-0199

CVE-2017-0199 is a remote code execution flaw in the way Microsoft Office handles OLE objects. In this campaign the malicious document carries a reference to a remote template and to remote scripts; when the document is opened, Office fetches the template and payload from a URL embedded in the file. 

Together these deliver a VBA macro and base64-encoded binary objects, which are used to spawn a process for privilege escalation before the primary payload is executed on the target system.

“Interestingly, BlueNoroff shows improved opsec at this stage. The VBA macro does a cleanup by removing the binary objects and the reference to the remote template from the original document and saving it to the same file. This essentially de-weaponizes the document leaving investigators scratching their head during analysis,” researchers explained.
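The remote-template step above leaves a concrete artefact in the document package: Word stores an attached template as an OPC relationship of type `attachedTemplate` with `TargetMode="External"`, so a scanner can pull it out of the delivered file without opening it in Office. The following added example (written for this page, not Kaspersky's tooling or the malware itself) builds two constructed `.docx` packages in memory, one weaponized and one "cleaned up" the way the quoted macro does, and scans each for external template or OLE links and an embedded VBA project. The template URL `http://example.invalid/t.dotm` and the local `Normal.dotm` path are placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# OPC relationship namespace, and the relationship types Word uses for an
# attached template and for an OLE object. An "External" relationship of
# either type pointing at an http(s)/ftp URL is the remote-template /
# remote-OLE pattern associated with CVE-2017-0199-style delivery.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_RELS + "attachedTemplate"
OLE_OBJECT = OFFICE_RELS + "oleObject"
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def scan_docx(data: bytes) -> Dict[str, object]:
    """Scan a .docx package (as bytes) for remote template/OLE links and a VBA project.

    Returns {"remote_links": [(rels_part, kind, target), ...], "has_macro": bool}.
    """
    remote_links: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # A macro-enabled document carries the VBA project as an OLE file.
        has_macro = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                if (
                    rel.get("TargetMode") == "External"
                    and rel_type in (ATTACHED_TEMPLATE, OLE_OBJECT)
                    and REMOTE_SCHEME.match(target)  # local file:// templates are normal
                ):
                    remote_links.append((name, rel_type.rsplit("/", 1)[-1], target))
    return {"remote_links": remote_links, "has_macro": has_macro}


def build_sample(template_target: Optional[str], with_macro: bool) -> bytes:
    """Construct a minimal .docx in memory (constructed sample input, not a real lure)."""
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
        + "</w:settings>"
    )
    rels = f'<Relationships xmlns="{RELS_NS}">'
    if template_target:
        rels += (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
        )
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
        if with_macro:
            # Only the OLE compound-file magic; enough for the presence check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    delivered = build_sample("http://example.invalid/t.dotm", with_macro=True)
    cleaned = build_sample(None, with_macro=False)  # what the macro leaves on disk
    print("as delivered:", scan_docx(delivered))
    print("after cleanup:", scan_docx(cleaned))
```

The contrast between the two scans is the operational point of the quoted paragraph: the macro strips both the template relationship and the binary objects and saves over the original, so the copy recovered from the victim's machine scans clean. To catch this technique you need the attachment as it arrived (mail gateway or sandbox copy) or the proxy record of the template fetch, not the file left on disk. A local attached template (`file:///...Normal.dotm`) is routine and is deliberately not flagged.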

It is worth noting that CVE-2017-0199 has been exploited in the wild since 2017. In August 2017, Palo Alto Networks Unit 42 discovered a phishing campaign called FreeMilk that hijacked active email conversations to deploy malware through the same vulnerability.

In October 2017, Trend Micro found CVE-2017-0199 being exploited through Windows Object Linking and Embedding (OLE) to spread malicious PowerPoint files while evading antivirus detection.

In the current campaign, researchers also observed additional infection chains, including zipped Windows shortcut (LNK) files and malicious Word documents that fetch second-stage payloads. A PowerShell agent then deploys a backdoor.

The malware connects to its operator’s C2 server, manipulates the registry and processes, executes commands, and steals credentials and data stored by the Chrome browser, WinSCP, and PuTTY.

At this stage the attackers can also launch another backdoor, a screenshot taker, and a keylogger. The final payload used by BlueNoroff is a custom backdoor that collects system data and configuration belonging to cryptocurrency software, and intercepts transactions carried out through hardware wallets, altering the recipient and amount before the user signs them on the device.

