March 22, 2023

BlueNoroff, an APT group that’s part of the larger Lazarus Group associated with North Korea, is behind a series of attacks against small and medium-sized companies that have led to serious cryptocurrency losses.

The campaign, dubbed SnatchCrypto, targets organizations that deal with cryptocurrencies and smart contracts, decentralized finance, blockchain, and the financial technology industry in their work. These companies were targeted for a reason, Startups often receive messages and documents from unfamiliar senders.

Advertisements

As most cryptocurrency businesses are small or medium-sized startups, they cannot invest lots of money into their internal security system.The actor understands this and takes advantage by using elaborate social engineering schemes.

The attackers attempt to manipulate the victim by pretending to be an existing venture capital firm. Researchers saw the names of more than 15 venture businesses used in these attacks but believe the actual organizations have nothing to do with the threat.

Attackers send these startup employees a full-featured Windows backdoor with surveillance functions, disguised as a contract or another business file. If the file is opened on a device connected to the Internet, another macro-enabled document would be obtained to deploy malware.

This malware sends the target’s general information and PowerShell agent to the attackers, creating a backdoor. From there, BlueNoroff deploys additional tools, including a keylogger and screenshot taker, to monitor victims. After weeks or months of tracking, the attackers find a prominent target and use the data they’ve collected to steal large amounts of cryptocurrency from them.

Advertisements

Indicators of compromise

Malicious shortcut files

  • 033609f8672303feb70a4c0f80243349
  • 2100e6e585f0a2a43f47093b6fabde74
  • 4a3de148b5df41a56bde78a5dcf41975
  • 5af886030204952ae243eedd25dd43c4   
  • 5f761f9aa3c1a76b17f584b9547a01a7   
  • 7a4a0b0f82e63941713ffd97c127dac8   
  • 813203e18dc1cc8c70d36ed691ca0df3
  • 961e6ec465d7354a8316393b30f9c6e9 
  • 9ea244f0a0a955e43293e640bb4ee646
  • a3c61de3938e7599c0199d2778f7d417   
  • a5d4bfc3eab1a28ffbcba67625d8292e
  • a94529063c3acdbfa770657e9126b56d
  • ab095cb9bc84f37a0a655fbc00e5f50e
  • b52d30d1db40d5d3c375c4a7c8a115c1
  • dd2569684ca52ed176f1619ecbfa7aaa
  • dff21849756eca89ebfaa33ed3185d95
  • e18dd8e61c736cfc6fff86b07a352c12
  • e546b851ac4fa5a111d10f40260b1466
  • e6e64c511f935d31a8859e9f3147fe24   
  • ea7ed84f7936d4cbafa7cec51fe39cf7
  • f414f6590636037a6ec92a4d951bdf55
  • 4e207d6e930db4293a6d720cf47858fc
  • 5e44deca6209e64f4093beae92db0c93   
  • 84c427e002fd162d596f3f43ce86fd6a   
  • c16977fefbdc825a5c6760d2b4ea3914
  • e5d12ef32f9bd3235d0ac45013040589
  • 09bca3ddbc55f22577d2f3a7fda22d1c   
  • 0eb71e4d2978547bd96221548548e9f0   
  • da599b0cde613b5512c13f299fec739e   
  • 0c9170a2584ceeddb89e4c0f0a2353ed   
  • 5053103dd5d075c1dc54edf1f8568098   
  • 536bae311c99a4d46f503c68595d4431   
  • 3078265f207fed66470436da07343732   
  • 15f1ae1fed1b2ea71fdb9661823663c6   
  • 56fe283ca3e1c1667191cc7764c260b6   
  • 850751de7b8e158d86469d22ad1c3101   
  • 1a8282f73f393656996107b6ec038dd5   
  • 2ea2ceab1588810961d2fc545e2f957e    
  • 561f70411449b327e3f19d81bb2cea08   
  • 3812cdc4225182326b1425c9f3c2d50b   
  • 4274e6dbc2b7aee4ef080d19fff47ce7   
  • 427bdfe4425e6c8e3ea41d89a2f55870   
  • 7a83be17f4628459e120a64fcab70bac   
  • 5d662269739f1b81072e4c7e48972420   
  • 244a23172af8720882ae0141292f5c47   
  • a8e2c94abb4c1e77068a5e2d8943296c   
  • 89c26cefa057cf21054e64b5560bf583   
  • 805949896d8609412732ee7bfb44900a   
  • a2be99a5aa26155e6e42a17fbe4fd54d   
  • 28917b4187b3b181e750bf024c6adf70   
  • 9f8e51f4adc007bb0364dfafb19a8c11   
  • 790a21734604b374cf260d20770bfc96    
  • db315d7b0d9e8c9ca0aa6892202d498b   
  • 02904e802b5dc2f85eec83e3c1948374   
  • baebc60beaced775551ec23a691c3da6
  • 302314d503ae88058cb4c33a6ac6b79b    
  • aeac6f569fb9a7d3f32517aa16e430d6   
  • 926DEEAF253636521C26442938013204
  • 8064e00b931c1cab6ba329d665ea599c   
  • bcb4a8f190f2124be57496649078e0ae
  • 781a20f27b72c1c901164ce1d025f641   
  • 483e3e0b1dceb4a5a13de65d3556c3fe  
  • Malicious documents
  • 00a63a302dcaffc9f28826e9dba30e03   
  • ee9dda6bbbb1138263873dbef36a4d42   
  • 0f1c81c2023eae0fc092ce9f58213bcf   
  • 491e0d776f01f102d36155a46f1a8e3c   
  • c33ce08ebcc6e508bb3a17e0fa7b08f8   
  • b1911ef720b17aeed69ec41c8e94cc1e
  • 340fb219872ce3c0d3acf924f4f9e598   
  • 380e9e78dc5bc91fb6cdd8b4a875f20a
  • eb18ac97dba79ea48c185fb2826467fe
  • 2a9ff6d80cdd4aeed1c48a1ccdc525dd   
  • ecf75bec770edcd89a3c16d3c4edde1a   
  • 6c4943f4c28a07ee8cae41dad16d72b3   
  • f76e2e6bfbee77ae36049880d7c227f7   
  • 7aec3d1b24ed0946ab740924be5834fa   
  • 47e325e3467bfa80055b7c0eebb11212   
  • 1e0d96c551ca31a4055491edc17ce2dd   
  • bcf97660ce2b09cbffb454aa5436c9a0   
  • 13ff15ac54a297796e558bb96feaacfd   
  • cace67b3ea1ce95298933e38311f6d0b   
  • 645adf057b55ef731e624ab435a41757   
  • bde4747408ce3cfdfe8238a133ebcac9   
  • 421b1e1ab9951d5b8eeda5b041cb0657   
  • d2f08e227cd528ad8b26e9bbe285ae3c   
  • 04deb35316ebe1789da042c8876c0622   
  • af4eefa8cddc1e412fe91ad33199bd71   
  • 34239a3607d8b5b8ddd6797855f2e827   
  • 389172d2794d789727b9f7d01ec27f75   
  • f40e7998a84495648b0338bc016b9417   
  • c8c2a9c50ff848342b0885292d5a8cd4   
  • adf9dc317272dc3724895cb07631c361   
  • 158d84c90a79edb97ec5b840d86217c7   
  • e26725f34ebcc7fa9976dd07bfbbfba3   
  • a435acb5bac92b855d1799a685507522
  • 9969b67ef643bed20a38346dcd69bec4
  • a6446bfea82b69169b4026222ca253b2
  • bdf1643c3a10a25d3aba2c4c608ec5d5
  • b4b695c8e6fea95db5843a43644f88b0
  • d8561c74ad9624d7c35c0fb15d3ca8fe
  • f9195b14ed20b30b7c239d50e6418151
  • 3dd638551b03a36d13428696dcada5d8
  • f26eaa212c503aaba6e5015cb8ef44b5   
  • 793de76de6d4015ebdd5e552ac5b2f90   
  • 709ec9fbbc3c37ccd39758527c332b84   
  • 89099235aad37a29b7acedc96fda0037   
  • 358791e1abd64f490c865643a3fbb93d   
  • cea54a904434c66f217fbadc571e1507  
  • 9be0075b9344590b3cabf61c194db180   
  • 98e30453bbf1c9c9f48368f9bbe69edd   
  • Injected remote template
  • 3dd638551b03a36d13428696dcada5d8
  • 2da244dc9bbdbf2013b7fbc2a74073a2
  • f3157dc297cb802c8ae2f07702903bfa
  • Visual Basic Script
  • ce09cdb7979fb9099f46dd33036b9001
  • f7f4aa55a2e4f38a6a3ea5a108baedf5   
  • Powershell
  • ae52b28b360428829c4fcdc14e839f19  
Tags:

Leave a Reply

Related Post

Google blocks Pinduoduo App amid Security Concerns

Google blocks Pinduoduo App amid Security Concerns

March 22, 2023
Mandiant Report – Nation State Zero Day Exploits in 2022

Mandiant Report – Nation State Zero Day Exploits in 2022

March 22, 2023

You may have missed

Google blocks Pinduoduo App amid Security Concerns

Google blocks Pinduoduo App amid Security Concerns

March 22, 2023
Mandiant Report – Nation State Zero Day Exploits in 2022

Mandiant Report – Nation State Zero Day Exploits in 2022

March 22, 2023
Mispadu Banking Trojan

Mispadu Banking Trojan

March 22, 2023
DotRunpeX – Malware Injector Spreads in Wild

DotRunpeX – Malware Injector Spreads in Wild

March 21, 2023
Killnet Targets Healthcare Azure Resources

Killnet Targets Healthcare Azure Resources

March 21, 2023
NBA suffers a Data Breach – Third Party Provider Data Stolen

NBA suffers a Data Breach – Third Party Provider Data Stolen

March 21, 2023
%d bloggers like this: