BlueNoroff hackers steal crypto using fake MetaMask extension

The North Korean threat actor group known as 'BlueNoroff' has been spotted targeting cryptocurrency startups with malicious documents and fake MetaMask browser extensions.

The motive of this group is purely financial, but its sophistication in carrying out objectives has previously led researchers to conclude that this is a sub-group of the North Korean Lazarus gang.

Although BlueNoroff has been active for several years, its structure and operation have been shrouded by mystery.

A report by Kaspersky attempts to shed some light by using intelligence collected during the most recent activity observed, dating back to November 2021.

Targets

The latest attacks are focused on cryptocurrency startups located in the US, Russia, China, India, the UK, Ukraine, Poland, Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.

The threat actors attempt to infiltrate the communications of these firms and map the interactions between the employees to derive potential social engineering pathways.

In some cases, they do this by compromising the LinkedIn account of an employee and sharing a link to download a macro-laced document right on the platform.

BlueNoroff uses these real discussions to name laced documents accordingly and send them to the target employee at the right time.

To track their campaign, they include an icon from a third-party tracking service (Sendgrid) to get a notification when the victim opens the sent document.

The company names and logos impersonated by BlueNoroff are shown below:

As Kaspersky points out, these companies may not have been compromised, and Sendgrid may not know (was notified) that North Korean APTs are abusing them.

Infection chains

The first infection chain uses documents that feature VBS scripts, which exploit an old remote template injection vulnerability (CVE-2017-0199).

The second infection chain relies on sending an archive that contains a shortcut file and a password-protected document (Excel, Word, or PDF).

The LNK file that supposedly contains the password to open the document initiates a series of scripts that fetches the next-stage payload.

Eventually, in both cases, a backdoor with the following functionalities is dropped onto the infected machine:

• Directory/File manipulation
• Process manipulation
• Registry manipulation
• Executing commands
• Updating configuration
• Stealing stored data from Chrome, Putty, and WinSCP

Fake MetaMask steal crypto from victims

BlueNoroff steals user credentials that can be used for lateral movement and deeper network infiltration, while they also collect configuration files relevant to cryptocurrency software.

"In some cases where the attackers realized they had found a prominent target, they carefully monitored the user for weeks or months," reads Kaspersky’s report.

"They collected keystrokes and monitored the user’s daily operations while planning a strategy for financial theft."

The main trick employed to steal the cryptocurrency assets is to replace the core components of wallet management browser extensions with tampered versions that are dropped on local memory.

Kaspersky notes that tampering with the Metamask Chrome extension requires a thorough analysis of 170,000 lines of code, indicative of the skills and determination of BlueNoroff.

Victims can only detect the extension is fake by switching the browser to Developer mode and seeing the extension source pointing to a local directory rather than the online store.

When the target uses a hardware wallet, the actors wait for transactions and hijack the amounts by changing the recipient's address.

Because they have only one chance before the victim realizes the infection, the actors also change the transaction amount to the maximum possible, draining the assets in one move.

Clues for attribution

On the aspect of attribution, Kaspersky researchers report seeing overlaps and similarities between PowerShell scripts and backdoors used in the latest and past campaigns.

Moreover, the C2 address acquisition scheme is similar to the 2016 attacks, using a hardcoded DWORD value to resolve an IP address via XORing.

Finally, the metadata on the Windows shortcut files dropped as part of the second infection chain contain Korean characters.