The North Korean threat group BlueNoroff has been spotted distributing malicious documents and tampered MetaMask browser extensions to cryptocurrency start-ups. The group's main motive is financial gain, and because of how competently it pursues that goal, researchers have previously concluded that it is a subgroup of North Korea's Lazarus group. Although BlueNoroff has been operating for several years, its structure and operations remain poorly understood.
The Kaspersky report seeks to shed light on the group's activities, using intelligence collected up to the last observed activity, which dates to November 2021.
Cryptocurrency start-ups in the United States, Russia, China, India, the United Kingdom, Ukraine, Poland and the Czech Republic, as well as in the United Arab Emirates, Singapore, Estonia, Vietnam, Malta, Germany and Hong Kong, have been targeted in the recent attacks.
Victim map of the latest campaign
Source: Kaspersky
The attackers' first goal is to gain access to internal company communications and to map the interactions between employees that can later be used for social engineering. For example, they can compromise an employee's LinkedIn account and then share a link on the platform that leads to malware. BlueNoroff also uses what it learns from internal communications to give its malicious documents plausible names and to send them to the target employee at a believable moment.
Email used in recent BlueNoroff campaigns
Source: Kaspersky
To track the campaign, the attackers embed a third-party tracking service (SendGrid) that notifies them when a victim opens a sent document.
The names and logos of the companies impersonated by BlueNoroff are shown below:
Logos and companies used in the social engineering attacks
Source: Kaspersky
As Kaspersky notes, the impersonated companies are not necessarily compromised themselves, and SendGrid may be unaware that its service is being abused by a North Korean APT.
The first infection chain uses documents that exploit the remote template injection vulnerability (CVE-2017-0199) and deliver a VBS script.
The first infection chain
Source: Kaspersky
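Remote template injection leaves a recognisable trace inside the document itself: a .docx is a zip archive, and the part relationships under word/_rels/ record where Word fetches the attached template from. The following added example (not code from the Kaspersky report or from the BlueNoroff samples) inspects those relationship files and reports any attached template or OLE object that is loaded over http(s) from an external location. The documents it builds and the 203.0.113.10 address are constructed placeholders for demonstration.

```python
"""Flag Office documents that pull a template or OLE object from the network.

Added example; the .docx files built here are constructed samples and the
URL is a placeholder, not an indicator from the report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Word fetch content when the document opens.
REMOTE_TYPES = {OFFICE_RELS + "attachedTemplate", OFFICE_RELS + "oleObject"}


def find_remote_parts(docx_bytes: bytes) -> list:
    """Return the external http(s) targets of template/OLE relationships.

    Only relationships marked TargetMode="External" with an http(s) target
    are reported; a template referenced through a local file:/// path is
    normal for documents created from a custom template and is not flagged.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                target = rel.get("Target", "")
                if (rel.get("Type") in REMOTE_TYPES
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append((name, target))
    return hits


def build_docx(settings_rels: str) -> bytes:
    """Construct a minimal .docx containing just the parts we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed sample: template fetched from a remote host (placeholder address).
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%sattachedTemplate" '
    'Target="http://203.0.113.10/template.dotm" TargetMode="External"/>'
    "</Relationships>" % (RELS_NS, OFFICE_RELS)
)

# Constructed sample: the same relationship pointing at a local template,
# which is what a document made from a custom .dotm normally looks like.
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%sattachedTemplate" '
    'Target="file:///C:\\Users\\me\\Templates\\Normal.dotm" TargetMode="External"/>'
    "</Relationships>" % (RELS_NS, OFFICE_RELS)
)

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, find_remote_parts(build_docx(rels)))
```

The same check applies to other OOXML containers (.dotm, .xlsx) since they share the relationship format; RTF-based CVE-2017-0199 lures need a different parser because RTF is not a zip.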
The second infection chain relies on sending an archive that contains a shortcut file and a password-protected document (Excel, Word or PDF).
The second infection chain
Source: Kaspersky
The LNK file, presented as the file holding the password for the document, runs a series of scripts that fetch what is needed for the next stage.
Finally, the backdoor planted on the infected computer has the following functions:
BlueNoroff collects configuration files related to cryptocurrency and also steals account credentials that can be used to reach the wider network. Kaspersky found that once the attackers identified a high-value target, they kept watching it for weeks or months. While planning the theft, they log keystrokes and monitor the user's daily activity.
Bitcoin and other cryptocurrencies are then stolen by replacing the browser extension that manages the wallet with a modified copy loaded from a local folder on the user's computer.
Modified part of the MetaMask extension
Source: Kaspersky
Modifying the MetaMask Chrome extension requires a careful review of about 170,000 lines of code, which says a lot about BlueNoroff's capabilities and commitment. The practical way to spot the tampered extension is to enable developer mode on the browser's extensions page, which reveals that the extension was loaded from a local folder rather than installed from the Chrome Web Store.
An extension that shows a local folder as its installation source
Source: Kaspersky
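The same fact that developer mode reveals in the UI is also recorded in the Chromium profile on disk: the "Preferences" (or, on Windows, "Secure Preferences") JSON keeps an extensions.settings entry per extension with its install location and path, so the check can be automated across a fleet. The following added example (not Kaspersky's tooling) flags extensions that were side-loaded from a local directory. It assumes, from Chromium's Manifest::Location enum, that location value 4 means "unpacked", and that Web Store installs carry a path relative to the profile's Extensions directory; the profile data it parses is constructed, using MetaMask's public Web Store ID for the legitimate copy and a made-up ID for the side-loaded one.

```python
"""Find browser extensions installed from a local folder instead of the store.

Added example with constructed profile data. Assumptions: Chromium stores
location == 4 for unpacked extensions, and store installs have relative paths.
"""
import json
import os

UNPACKED = 4  # Chromium Manifest::Location::UNPACKED (assumed value)
WALLET_NAMES = ("metamask", "phantom", "coinbase wallet")


def _looks_absolute(path: str) -> bool:
    """Absolute on this host, or a Windows drive path when run elsewhere."""
    return os.path.isabs(path) or (len(path) > 2 and path[1] == ":" and path[2] in "\\/")


def find_sideloaded(prefs_json: str) -> list:
    """Return one finding per extension that was not installed from the store."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        name = ext.get("manifest", {}).get("name", "")
        path = ext.get("path", "")
        reasons = []
        if ext.get("location") == UNPACKED:
            reasons.append("location=unpacked")
        if _looks_absolute(path):
            reasons.append("absolute install path")
        if ext.get("from_webstore") is False:
            reasons.append("from_webstore=false")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": name,
                "path": path,
                "wallet": name.lower() in WALLET_NAMES,  # prioritise wallet lookalikes
                "reasons": reasons,
            })
    return findings


# Constructed profile fragment: a genuine store install of MetaMask next to a
# copy of the same extension loaded unpacked from a temp folder.
SAMPLE_PREFS_JSON = json.dumps({
    "extensions": {
        "settings": {
            "nkbihfbeogaeaoehlefnkodbefgpgknn": {       # MetaMask's Web Store ID
                "location": 1,
                "from_webstore": True,
                "path": "nkbihfbeogaeaoehlefnkodbefgpgknn\\10.8.1_0",
                "manifest": {"name": "MetaMask", "version": "10.8.1"},
            },
            "abcdefghijklmnopabcdefghijklmnop": {       # made-up ID for the side-load
                "location": 4,
                "from_webstore": False,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\metamask",
                "manifest": {"name": "MetaMask", "version": "10.8.1"},
            },
        }
    }
})

if __name__ == "__main__":
    for f in find_sideloaded(SAMPLE_PREFS_JSON):
        print(f"{f['id']} {f['name']!r} wallet={f['wallet']} {f['reasons']} {f['path']}")
```

On a live system the file to feed in is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences` (or `Preferences` on other platforms); note that in the attack described the store copy is replaced, so the finding to act on is a wallet extension with an unpacked location and no store copy beside it.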
If the target uses a hardware wallet, the attackers wait for a legitimate transaction and swap the recipient address while it is being made. Because they get only one chance before the victim notices the compromise, they also raise the amount so that a single transaction drains the user's assets.
According to Kaspersky's experts, the PowerShell scripts and backdoors in the recent and earlier operations share many features.
Similarities between the different backdoor codes
Source: Kaspersky
In addition, the method used to obtain the C2 address is similar to the one used in 2016: the IP address is derived by XORing a hardcoded DWORD value. Also, in the second infection chain, the metadata of the Windows shortcut file contains Korean characters.
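Hiding a C2 address as an XOR-encoded DWORD is cheap for the attacker and cheap to undo once the key is known, but two details trip up analysts: the byte order in which the decoded DWORD is turned into an address, and the flood of constants in a binary that decode to something. The following added example (not the BlueNoroff decoder; the report only says a hardcoded DWORD is XORed to yield the IP) decodes a DWORD with both byte orders, scans a blob of constants for candidates, and drops results that cannot be routable addresses. The key, the sample blob and the 203.0.113.10 address are assumptions and constructed test data.

```python
"""Recover C2 IP candidates from XOR-encoded DWORD constants.

Added example; the key value, the blob and the addresses are constructed.
"""
import ipaddress
import struct

KEY = 0x5A5A5A5A  # assumed XOR key recovered from analysis (not from the report)


def dword_to_ip(value: int, key: int, little_endian: bool = True) -> str:
    """XOR the constant with the key and read the result as an IPv4 address."""
    raw = struct.pack("<I" if little_endian else ">I", (value ^ key) & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(raw))


def encode_ip(ip: str, key: int) -> int:
    """Inverse of dword_to_ip (little-endian), used to build the sample blob."""
    return int.from_bytes(ipaddress.IPv4Address(ip).packed, "little") ^ key


def plausible(ip: str) -> bool:
    """Reject 0/8, loopback, multicast and reserved ranges; keep private ranges,
    since lab or pivot C2s can legitimately live there."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    return first not in (0, 127) and first < 224


def scan_for_c2(blob: bytes, key: int) -> list:
    """Walk the blob in 4-byte steps and decode every DWORD with both byte
    orders, returning (offset, ip, byte_order) for plausible results."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        val = struct.unpack("<I", blob[off:off + 4])[0]
        for le in (True, False):
            ip = dword_to_ip(val, key, le)
            if plausible(ip):
                hits.append((off, ip, "LE" if le else "BE"))
    return hits


# Constructed blob: the key itself (decodes to 0.0.0.0), the encoded sample
# address, and a constant chosen to decode to loopback/multicast noise.
SAMPLE_BLOB = (
    struct.pack("<I", KEY)
    + struct.pack("<I", encode_ip("203.0.113.10", KEY))
    + struct.pack("<I", 0xBA000025)
)

if __name__ == "__main__":
    for off, ip, order in scan_for_c2(SAMPLE_BLOB, KEY):
        print(f"offset {off:#06x}: {ip} ({order})")
```

The sample offset yields both 203.0.113.10 (little-endian) and 10.113.0.203 (big-endian); the plausibility filter cannot choose between them, so confirm the byte order against the code that consumes the value (for example an inet_addr or sockaddr_in fill) before treating either as an indicator.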
Always remember to double-check what you download and stay away from suspicious websites, links and documents!
And no, Vitalik Buterin will not double your crypto! :D