Researchers have found a new malware campaign in the wild targeting crypto exchanges. Dubbed “SnatchCrypto”, this malicious campaign typically infects cryptocurrency startups with backdoors. This, in turn, helps the attackers devise precise and deceiving social engineering campaigns.
Malicious SnatchCrypto Campaign Infects Crypto Startups With Backdoors
As elaborated in a detailed post, researchers from Kaspersky have found the SnatchCrypto campaign from BlueNoroff APT targeting cryptocurrency startups.
The BlueNoroff APT first caught Kaspersky’s attention in 2016 following cyberattacks on Bangladesh Central Bank.
Since then, the threat actors have conducted numerous cyberattacks. However, the researchers have recently observed them shifting their focus towards cryptocurrency. The threat actors employ various complex strategies to conduct such attacks, such as developing fake crypto software development firms to trick victims. Installing such rogue software allows the attackers to access target systems and implant malware.
One such recent campaign is SnatchCrypto, which also installs backdoors in cryptocurrency startups. These attacks let them penetrate deep into the firm’s infrastructure and execute legit-looking attacks. As described in Kaspersky’s post,
The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions.
For instance, the threat actors trick the target service’s employees via sophisticated spearphishing emails. The attackers may take advantage of a topic under discussion between two colleagues or forward emails to others. In either case, the recipient would likely open the maliciously crafted emails arriving from a seemingly trusted sender.
While analyzing the SnatchCrypto campaign, the researchers observed the abuse of Sendgrid’s name – a US-based email distribution and marketing company. Besides, they also noticed the abuse of social media accounts (such as LinkedIn) of legit companies.
In most cases, the threat actors exploit CVE-2017-0199 vulnerability to deploy the backdoor. If they find a valuable target, the attackers steal cryptocurrency after carefully monitoring the users’ activities for weeks or months.
Active Campaigns Going On
This potent malware campaign is active in numerous countries globally. These include Russia, Slovenia, Poland, Ukraine, the Czech Republic, India, China, Hong Kong, Singapore, the US, the UAE, and Vietnam. But the researchers suspect there were more victims. Hence, crypto users need to remain careful with their emails, especially when opening attachments.
Last modified: January 21, 2022