Recent intelligence reveals that operators linked to the Lazarus group’s BlueNoroff sub-group have orchestrated a series of cyberattacks targeting small and medium-sized enterprises across the globe. The objective of these attacks is to siphon cryptocurrency assets, marking a significant maneuver by this recognized North Korean state-sponsored actor.
Kaspersky, a prominent Russian cybersecurity firm, has identified this ongoing campaign under the name “SnatchCrypto.” They highlighted that this malicious operation has been active since 2017 and primarily targets FinTech startups situated in various countries, including China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam.
The attack methodology relies on deception, with attackers exploiting employee trust. They deliver a fully operational Windows backdoor disguised as business documents, such as contracts. From that initial foothold the attackers expand their access, chaining further exploits and malware to ultimately drain the victims’ cryptocurrency wallets.
Lazarus and its BlueNoroff faction are notorious for employing a versatile arsenal of malware in their financial operations aimed at illicit fund procurement. Their strategies entail advanced phishing techniques and sophisticated malware to undermine businesses, thereby funding North Korea’s nuclear and missile programs.
These cyber operations have yielded substantial financial gains. A recent report from blockchain analytics firm Chainalysis notes that the Lazarus Group has been implicated in various attacks on cryptocurrency platforms, amassing nearly $400 million in stolen digital assets during 2021—a significant increase from $300 million the previous year.
The attacks predominantly focused on investment firms and centralized exchanges, targeting internet-connected ‘hot wallets’ to redirect funds into addresses controlled by North Korea. Once in possession of the cryptocurrency, the attackers engage in extensive laundering operations using mixers to obscure the traceability of illicit funds.
These operations follow a history of notable heists linked to North Korea, including attacks on the SWIFT banking system. More recent tactics have involved deploying backdoors, such as AppleJeus, that masquerade as cryptocurrency trading platforms in order to steal money from unwitting users.
In the SnatchCrypto campaign, adversaries have employed sophisticated social engineering techniques to mimic legitimate venture capitalist firms, creating an illusion of trust with potential targets. Victims are lured into executing malware-laden documents, which then initiate a chain of events leading to a comprehensive compromise of their systems.
Another technique involves Windows shortcut files that retrieve additional malware components, setting off a sequence to install an advanced backdoor capable of capturing screenshots, recording keystrokes, and executing arbitrary commands. This ultimately allows the attackers to monitor and manipulate financial transactions to facilitate the theft of cryptocurrency.
As the final move, attackers employ malicious code injection to alter transaction details, enabling them to redirect transfers to addresses of their choosing. This level of precision and stealth is indicative of their adeptness at circumventing defenses. According to Erich Kron, a security awareness advocate at KnowBe4, the decentralized nature of cryptocurrency coupled with rapid transaction speeds makes this sector particularly vulnerable to cybercrime.
For organizations, understanding the tactics employed—including initial access strategies, persistence methods, and privilege escalation, as noted in the MITRE ATT&CK framework—is vital in developing robust cybersecurity defenses against such sophisticated adversaries.