Lazarus Division Targets Bitcoin Startups

Cryptocurrency startups worldwide are falling prey to the cybercriminal group BlueNoroff, which siphons off their digital assets, according to experts from Kaspersky Lab.

According to the researchers, BlueNoroff sends emails that purport to come from existing venture-capital firms, using them as bait to persuade the victim to open the attachment, a macro-enabled document.

Researchers have found that the attackers misused trademarks and the names of employees from more than 15 venture organisations. Experts say that the real companies have nothing to do with either the attacks or the emails.

“If the device is not connected to the internet, a macro-enabled document does not pose a danger. Otherwise, it will download onto the victim’s device another document that deploys malware,” explained Kaspersky Lab.

In addition to infected Word documents, the attackers spread malware in archive files containing Windows shortcuts. These enable the later creation of a fully functional backdoor. To surveil the victim, BlueNoroff uses keyloggers and screenshot-capture programs.
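Both delivery formats described above can be flagged at the mail gateway before a user opens them. The following is an added example, not code from Kaspersky Lab or ForkLog: it checks an attachment for a VBA macro part and for Windows shortcuts inside archives. The function name `triage`, the nesting-depth and size limits, and all sample files are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def triage(name, data, depth=0):
    """Return a list of findings for one attachment given as bytes."""
    findings = []
    # Match on content as well as extension, so a renamed shortcut is caught.
    if data.startswith(LNK_MAGIC) or name.lower().endswith(".lnk"):
        findings.append(f"{name}: Windows shortcut")
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
            # OOXML documents keep VBA code in a vbaProject.bin part.
            if any(m.lower().endswith("vbaproject.bin") for m in members):
                findings.append(f"{name}: Office document with VBA macros")
            for m in members:
                info = zf.getinfo(m)
                if info.is_dir() or info.file_size > 20_000_000:
                    continue  # skip directories and oversized members
                findings += triage(f"{name}/{m}", zf.read(m), depth + 1)
    return findings


def _zip(files):
    """Build an in-memory ZIP from a {member name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in files.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed samples: a macro-enabled document, an archive hiding a shortcut
# behind a document-like name, and a clean document.
SAMPLE_DOCM = _zip({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00"})
SAMPLE_ARCHIVE = _zip({"Pitch deck.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
                       "readme.txt": "password: 1234"})
SAMPLE_CLEAN = _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>"})

if __name__ == "__main__":
    for n, d in [("offer.docm", SAMPLE_DOCM), ("deck.zip", SAMPLE_ARCHIVE),
                 ("notes.docx", SAMPLE_CLEAN)]:
        print(n, triage(n, d) or "no findings")
```

Legacy binary `.doc` files are not ZIP containers and are outside what this check covers.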

“Upon identifying a suitable potential victim who uses a popular browser extension to manage crypto wallets—such as MetaMask—the attackers replace it with a fraudulent version,” the researchers noted.

The attackers also receive notices of large transfers and, at the moment of the transaction, intercept them, altering the recipient address and inflating the transfer amount to the maximum.

BlueNoroff is part of the North Korean Lazarus group and uses its diversified structure and advanced technologies to attack users in different countries.

To defend against hackers, Kaspersky Lab experts recommend regular network audits, using up-to-date protections against sophisticated attacks, and training staff in cybersecurity basics.

According to Chainalysis, North Korean hackers stole $400 million in cryptocurrencies in 2021.
