At a glance.
- North Korea targets cryptocurrency startups.
- Earth Lusca conducts cyberespionage and financially motivated attacks.
- Cloud services abused to distribute malware.
North Korea targets cryptocurrency startups.
Researchers at Kaspersky have warned that the North Korean threat group BlueNoroff, believed to be operating under the umbrella of Pyongyang's Lazarus Group, has been targeting small- to medium-sized cryptocurrency companies. The attackers are using a combination of targeted social engineering and malware to redirect payments:
"According to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups. The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time."
The researchers add, "To gain the victim’s trust, BlueNoroff pretends to be an existing venture capital company. Kaspersky researchers found more than 15 venture businesses whose brand names and employee names were abused during the SnatchCrypto campaign. The researchers believe that the real companies have nothing to do with this attack or the emails. The start-up crypto sphere was chosen by cybercriminals for a reason: startups often receive letters or files from unfamiliar sources. For example, a venture company may send them a contract or other business-related files. The APT actor uses this as bait to make victims open the macro-enabled document."
North Korean threat actors frequently conduct financially motivated cyberattacks to gain money for their heavily sanctioned regime.
Earth Lusca conducts cyberespionage and financially motivated attacks.
Trend Micro is tracking a suspected Chinese threat actor dubbed "Earth Lusca" that's conducting cyberespionage against a wide variety of targets, as well as apparent financially motivated attacks against some companies:
"Since mid-2021, we have been investigating a rather elusive threat actor called Earth Lusca that targets organizations globally via a campaign that uses traditional social engineering techniques such as spear phishing and watering holes. The group’s primary motivation seems to be cyberespionage: the list of its victims includes high value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media, among others. However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies."
Trend Micro provides a technical analysis outlining the details of the threat actor's attacks.
Cloud services abused to distribute malware.
Cisco Talos says threat actors are increasingly using public cloud services to host and distribute malware. The researchers observed a malware campaign distributing the remote access Trojans Nanocore, Netwire, and AsyncRAT in October 2021:
"The threat actor in this case used cloud services to deploy and deliver variants of commodity RATs with the information stealing capability starting around Oct. 26, 2021. These variants of Remote Administration Tools (RATs) are packed with multiple features to take control over the victim's environment to execute arbitrary commands remotely and steal the victim's information.
"The initial infection vector is a phishing email with a malicious ZIP attachment. These ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script. When the initial script is executed on the victim's machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.
"To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore, and AsyncRAT remote access trojans."
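Both reports above describe lures that a mail gateway or endpoint triage step can look for before a user ever opens them: the macro-enabled document BlueNoroff sends under a borrowed venture-capital brand, and the ZIP-wrapped ISO image carrying a JavaScript, batch or VBS loader that Talos saw, followed by lookups of DuckDNS subdomains. The following Python is an added illustration written for this digest, not code from Kaspersky, Trend Micro or Cisco Talos, and it assumes a simple JSON-lines DNS log format and a one-suffix-per-provider dynamic DNS list (both assumptions; all sample files and log lines are constructed here). It checks Office attachments for a VBA project, walks ZIP members for ISO 9660 images and script loaders, and flags DNS queries under duckdns.org.

```python
import io
import json
import zipfile

# All sample files and log lines in this block are constructed for the example;
# none are artifacts from the Kaspersky or Talos reports.

# DuckDNS is the dynamic DNS provider named in the Talos report; the tuple exists
# so other providers can be added (assumption: one suffix per provider).
DYNDNS_SUFFIXES = ("duckdns.org",)
# Loader types named in the report: JavaScript, Windows batch, Visual Basic script.
SCRIPT_LOADER_EXTS = (".js", ".bat", ".vbs")
# ISO 9660 primary volume descriptor carries "CD001" at byte offset 0x8001.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"


def is_iso_image(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 volume-descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def office_has_macros(data: bytes) -> bool:
    """OOXML documents are ZIP containers; a VBA project ships as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held for review (empty = none)."""
    findings = []
    if office_has_macros(data):
        findings.append("macro-enabled Office document")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    inner = archive.read(member)
                    if is_iso_image(inner):
                        findings.append(f"ISO image nested in archive: {member.filename}")
                    if member.filename.lower().endswith(SCRIPT_LOADER_EXTS):
                        findings.append(f"script loader in archive: {member.filename}")
        except zipfile.BadZipFile:
            findings.append("ZIP attachment that does not parse")
    return findings


def flag_dyndns_queries(dns_log_lines) -> list:
    """Return (host, query) pairs for lookups under a dynamic DNS provider.

    Assumes one JSON object per line with "host" and "query" keys (constructed format)."""
    hits = []
    for line in dns_log_lines:
        rec = json.loads(line)
        qname = rec["query"].rstrip(".").lower()
        if any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES):
            hits.append((rec["host"], qname))
    return hits


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed attachments: a plain .docx, a macro-enabled .docm, a ZIP wrapping an ISO."""
    fake_iso = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 64
    ooxml_core = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    return {
        "term_sheet.docx": _zip_bytes(ooxml_core),
        "term_sheet.docm": _zip_bytes({**ooxml_core, "word/vbaProject.bin": b"\x00"}),
        "invoice.zip": _zip_bytes({"invoice.iso": fake_iso, "open_me.js": "WScript.Echo(1)"}),
    }


# Constructed DNS log: one benign internal lookup, one DuckDNS subdomain lookup.
SAMPLE_DNS_LOG = [
    '{"host": "wks-07", "query": "updates.example-corp.internal."}',
    '{"host": "wks-07", "query": "xyzstaging.duckdns.org."}',
]


def run_triage() -> dict:
    """Triage every constructed attachment and the constructed DNS log."""
    report = {name: triage_attachment(name, data) for name, data in build_samples().items()}
    report["dns"] = flag_dyndns_queries(SAMPLE_DNS_LOG)
    return report


if __name__ == "__main__":
    for item, result in run_triage().items():
        print(item, result)
```

The ISO check only reads the volume-descriptor signature, so it flags the nesting pattern itself rather than trying to parse the image; a production gateway would mount or extract the ISO and apply the same script-extension test to its contents. A DuckDNS hit is a lead, not a verdict, since the service has legitimate users; the point is to surface it next to an attachment finding from the same host.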