Researchers: ‘CryptoCore’ Group Used Spear-Phishing Emails to Lure Victims
A hacking group dubbed CryptoCore has stolen more than $200 million in virtual currency from several cryptocurrency exchanges over the past two years, the security firm ClearSky Cyber Security reports.
The CryptoCore gang has used spear-phishing emails and social engineering techniques to target employees and executives at cryptocurrency exchanges, mainly in the U.S. and Japan, according to the ClearSky analysis.
Without offering specifics, the analysts note that they have a “medium level of certainty” that CryptoCore most likely operates out of Ukraine, Russia or Romania. The hacker group is also known by the names “Dangerous Password” and “Leery Turtle.”
“This group is not extremely technically advanced, yet it seems to be swift, persistent and effective, nevertheless,” according to the report released Wednesday.
The attackers steal a variety of credentials and data from the devices that their malware infects. That includes username, host name, time zone, operating system version, processor name, network adapter information and a list of running processes. In some cases, the group also uses credential-stealing malware called Mimikatz, according to the report.
In addition to cryptocurrency exchanges, CryptoCore also targets their suppliers, ClearSky discovered.
When carrying out a hacking mission, the gang identifies an employee working at an exchange and attempts to gather personal and corporate email IDs to launch spear-phishing emails, according to the report. These emails are designed to appear as if they originated with high-ranking exchange employees or from an outside firm with a connection to the company.
In one case, the attackers tried to impersonate the CEO of a firm in a phishing email that reportedly contained new instructions for employees, the analysts note.
The CryptoCore hackers are persistent: They attack the same exchange multiple times and reuse phishing lures and payloads, according to the report.
The group’s main objective is to gain access to a victim’s password manager account, where the keys of the crypto-wallets and other valuable assets are stored, the researchers determined. This also helps the CryptoCore hackers move laterally across the network. Once the hackers have access to the so-called “hot wallets,” they begin to remove the cryptocurrency.
The CryptoCore emails contain shortened Bitly links that appear to take users to a Google Drive folder, but instead redirect them to malicious landing pages controlled by the hackers, according to the report.
Clicking on the link results in the download of a compressed file containing two documents. The first is a bait document that is password protected and the second is a Microsoft LNK file shortcut disguised as a text file that appears to carry the password for the first document, the report notes.
When the LNK file is opened, it further downloads a malicious Visual Basic Script through another shortened URL. The use of Bitly helps attackers hide their links and obtain statistics on the number of potential victims who have clicked on the link as well as their geography, according to ClearSky.
Once opened, the LNK file performs a one-time communication with the command-and-control server to download a VBS payload that collects information from the victim’s device, according to the report.
Analysts note that the heavy use of VBS for downloaders and backdoors helps CryptoCore avoid detection. The group also has a fast-changing infrastructure, with new domains and links being registered regularly, the report states.
Other Exchange Attacks
Cryptocurrency exchanges continue to be tempting targets for hackers.
In November 2019, for example, South Korean cryptocurrency exchange Upbit suffered an attack that resulted in the theft of $49 million worth of ethereum (see: Hackers Steal $49 Million in Ethereum From Upbit Exchange).
U.S. and other government officials have accused the North Korea government of using threat groups to hack cryptocurrency exchanges in an effort to raise funds to help cope with economic sanctions. A United Nations report estimated that North Korea stole $571 million in cryptocurrency from at least five cryptocurrency exchanges in Asia between January 2017 and September 2018 (see: UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks).