Our experts have been studying a malicious campaign targeting companies that work with cryptocurrencies, smart contracts, decentralized finance, and blockchain technology. The attackers are interested in fintech in general, and the campaign, named SnatchCrypto, is related to the BlueNoroff APT group, a known entity already traced to the 2016 attack on Bangladesh’s central bank.
The cybercriminals behind this campaign have two goals: collecting information and stealing cryptocurrency. They are interested primarily in collecting data on user accounts, IP addresses, and session information, and they steal configuration files from programs that work directly with cryptocurrency and may contain credentials and other information about accounts. The attackers carefully study potential victims, sometimes monitoring their activity for months.
One of their methods involves manipulations with popular browser extensions for managing cryptowallets. For example, they can change an extension’s source in the browser settings so it will be installed from local storage (i.e., a modified version) instead of from the official Web store. They also can use the modified Metamask extension for Chrome to replace the transaction logic, enabling them to steal funds even from those who use hardware devices to sign cryptocurrency transfers.
BlueNoroff’s methods of invasion
The attackers carefully study their victims and apply the information they gain to deploy social-engineering attacks. Typically, they craft e-mails meant to look as though they’re from existing venture companies, but with an attached, macro-enabled document. When opened, this document eventually downloads a backdoor. For detailed technical information about the attack and attackers methods, see Securelist’s report, “The BlueNoroff cryptocurrency hunt is still on.”
How to protect your company from SnatchCrypto attacks
One clear sign of SnatchCrypto activity is a modified Metamask extension. To use it, attackers have to put the browser into developer mode and install the Metamask extension from a local directory. You can easily check for that: If the browser mode has been switched without your permission, and the extension is loaded from a local directory, then your device is probably compromised.
In addition, we recommend employing the following standard protective measures:
- Periodically raise employees’ cybersecurity awareness;
- Update critical applications (including OS and office suites) promptly;
- Outfit every computer that has Internet access with a reliable security solution;
- Use an EDR solution (if appropriate to your infrastructure) that enables you to detect complex threats and help with timely responses.