The hackers have mostly been attacking crypto exchanges in the U.S. and Japan, according to a new report
Cryptocurrency businesses have faced a growing threat from malicious actors over the years, in a variety of forms: malware, ransomware and outright theft. Last month, I wrote about a group called Blue Mockingbird, which has been actively conducting malware attacks on corporate servers since December 2019.
A new report by cybersecurity firm ClearSky now reveals another hacking group, called CryptoCore (aka “Dangerous Password” or “Leery Turtle”), which targets employees and executives of cryptocurrency exchanges through spear-phishing campaigns.
According to the report, CryptoCore has been active since 2018, mostly targeting companies in the United States and Japan, and has made off with an estimated $200 million so far. That is significantly higher than the $70 million the group was originally estimated to have stolen in these attacks.
“The key goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, be it general corporate wallets or wallets belonging to the exchange’s employees. For this kind of operation, the group begins with an extensive reconnaissance phase against the company, its executives, officers and IT personnel.” ~ ClearSky Report
The report outlines the following as the main characteristics of this hacking group:
- Persistence and adherence to the same general TTPs and targets
- Use of Cloud services, particularly Google Drive
- Use of malicious cryptocurrency-themed domains
- Use of bit.ly URL shortening service
- Use of LNK shortcuts as downloaders
- Use of Visual Basic Script (VBS) files
- Swiftness and responsiveness
The attack kill chain in the figure above shows CryptoCore’s modus operandi. The group tailors its spear-phishing to the target organization: domains that impersonate affiliated organizations, e-mails that impersonate executives or affiliated companies, and malicious .LNK shortcuts and documents delivered as attachments.
To add credibility (and to keep the payload out of reach of mail-gateway scanning), the archive sent by e-mail is password protected. The password is supposedly in an accompanying Password.txt.lnk file; Windows Explorer hides the .lnk suffix, so the victim sees only “Password.txt”. Opening that shortcut instead executes VBS scripts that infect the host machine, and those scripts serve as the backdoor into the victim’s computer, as the figure shows.
The attackers then use this backdoor to steal wallet keys, which are commonly kept in password managers. ClearSky also believes the group runs mimikatz on breached computers to collect Windows credentials. For those who don’t know, mimikatz is an open-source tool that extracts Windows credentials (plaintext passwords, password hashes and Kerberos tickets) from memory, typically by reading the LSASS process.
Once inside the network, the attackers move laterally through it to search for and steal the keys to other cryptocurrency wallets.
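The chain above (a double-extension .LNK lure, a Windows script host launching VBS from a user-writable folder, then a mimikatz-style read of LSASS) maps neatly onto three host-telemetry checks. The following is an added detection example, not code from the article or from ClearSky’s report. It uses Sysmon field and event-ID names (EventID 1 process creation, 10 process access, 11 file creation); the events it runs over are constructed for the demo, and the list of “suspicious” LSASS access masks is an assumption to tune, not a complete signature.

```python
"""Three heuristics for the CryptoCore-style LNK -> VBS -> mimikatz chain, run over
constructed Sysmon-like events. Added example; not from the article or ClearSky."""
import re
from typing import Dict, List, Tuple, Union

Event = Dict[str, Union[int, str]]

# Rule 1: shortcut named like a document, e.g. "Password.txt.lnk". Explorer hides the
# trailing .lnk, so the user sees "Password.txt".
DOUBLE_EXT_LNK = re.compile(r"\.(txt|pdf|docx?|xlsx?|rtf|jpe?g|png)\.lnk$", re.IGNORECASE)

# Rule 2: wscript/cscript started by explorer.exe (a double-click) with a script
# argument living under a user-writable location.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
SCRIPT_ARG = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)

# Rule 3: a non-system process opening lsass.exe with an access mask commonly seen
# in credential dumping. 0x1010 and 0x1438 are the masks usually quoted for
# mimikatz's sekurlsa module; the set is an assumption, tune it for your estate.
LSASS_MASKS = {"0x1010", "0x1438", "0x143a", "0x1fffff"}
LSASS_BENIGN_READERS = ("csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_double_extension_lnk(path: str) -> bool:
    return DOUBLE_EXT_LNK.search(path) is not None


def is_script_host_from_explorer(ev: Event) -> bool:
    if basename(str(ev.get("Image", ""))) not in SCRIPT_HOSTS:
        return False
    if basename(str(ev.get("ParentImage", ""))) != "explorer.exe":
        return False
    cmd = str(ev.get("CommandLine", ""))
    return bool(SCRIPT_ARG.search(cmd) and USER_WRITABLE.search(cmd))


def is_suspicious_lsass_access(ev: Event) -> bool:
    if basename(str(ev.get("TargetImage", ""))) != "lsass.exe":
        return False
    if basename(str(ev.get("SourceImage", ""))) in LSASS_BENIGN_READERS:
        return False
    return str(ev.get("GrantedAccess", "")).lower() in LSASS_MASKS


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that trips a heuristic."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 11 and is_double_extension_lnk(str(ev.get("TargetFilename", ""))):
            hits.append((i, "double_extension_lnk"))
        if eid == 1 and is_script_host_from_explorer(ev):
            hits.append((i, "script_host_from_explorer"))
        if eid == 10 and is_suspicious_lsass_access(ev):
            hits.append((i, "lsass_access"))
    return hits


# Constructed sample events: paths, file names and masks are invented for the demo.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Proposal\Password.txt.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Proposal\Proposal.docx"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\alice\AppData\Local\Temp\upd.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",   # admin use, not from explorer
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",   # legitimate reader
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

On the constructed sample the triage flags events 0, 2 and 4 and leaves the legitimate archive extraction, the admin’s slmgr.vbs run and csrss.exe’s LSASS handle alone. Each rule on its own is noisy in a real environment (help-desk scripts launched from Explorer, EDR agents reading LSASS); the value is in correlating the three on one host within a short window, which is exactly the sequence the report describes.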
Originally Published on Medium