In its latest contribution to the world of cybercrime, the cryptocurrency sector has witnessed an exchange ransomware incident, a malware campaign and a cryptocurrency address-altering attack in the past few days.
The volume of darknet traffic aimed at crypto exchanges and associated websites has been growing rapidly in the past 12 months, Vince Warrington, CEO of protective intelligence firm Dark Intelligence tells Information Security Media Group.
“Some exchanges have been seeing significantly more darknet traffic than any of the mainstream U.K, U.S, or European banks – in some cases, over 786% more traffic per month than the largest U.K bank, and with levels approaching that only seen elsewhere with social media networks,” he says.
A Nov.1 ransomware attack on cryptocurrency exchange BTC-Alpha, which came to light last week, hit user passwords , temporarily disabling customers from accessing their accounts. Its CEO Vitalii Bodnar blamed an undisclosed competitor for the attack, although darknet threat intelligence firm DarkTracer says that the LockBit 2.0 ransomware gang has claimed responsibility.
[ALERT] LockBit ransomware gang has announced “Cryptocurrency Exchange” on the victim list. pic.twitter.com/pA2bh1Vmte
— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) November 17, 2021
The cybercriminals tried to steal users’ money, failed, and sent Bodnar threats and insinuations of physical violence according to a PR Leap press release.
Analysts at cryptoasset tracking platform Coinmarketcap discovered that an attack plan had been in the works for nearly six months, but the attackers were unable to find a technical vulnerability in the code, the release says.
The management of BTC-Alpha has contacted Ukrainian law enforcement agencies and is investigating the matter, it adds.
A spokesperson for BTC-Alpha was not immediately available for comment.
Crypto exchanges, according to Warrington, are seen as easy targets as they have less sophisticated – and in some cases almost non-existent – cybersecurity protections, compared to the rest of the finance industry. “By improving their threat intelligence capabilities through understanding the darknet traffic aimed at their businesses, crypto exchanges will be better prepared for cyber events in future,” he says.
Crypto platforms are the victims of their own making, Dirk Schrader, global VP of security research at Netwrix, tells ISMG.
“Attacking a competitor in a largely unregulated environment bears no risk of prosecution. The players in the field are already used to ‘wild west’ manners, given the fact that a sizeable portion of the transactions in those exchanges is related to shady or criminal activity. Becoming a target of a ransomware attack when operating in this space can have a multitude of motives: damaging a competitor is one, sending a message to all in the space can be another,” he says.
Separately, a new malware campaign has been using a crypter, dubbed Babadeda, to target the cryptocurrency and NFT communities on group chat platform Discord, according to researchers.
A crypter can encrypt, obfuscate and manipulate malware to make it harder to detect by security programs.
The threat group, likely linked to Russian actors, uses fake OpenSea, Bored Ape Yacht Club, and ZED RUN marketplace domains to target the crypto and NFT communities on Discord, according to Morphisec researchers.
“Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims,” say Hido Cohen and Arnold Osipov, cybersecurity researchers at Morphisec. “Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine – or of stopping it from executing.”
The researchers found that the threat actor took advantage of Discord features to phish victims.
“The threat actor sent users a private message [on Discord], inviting them to download a related application that would supposedly grant the user access to new features and/or additional benefits. Because the actor created a Discord bot account on the official company discord channel, they were able to successfully impersonate the channel’s official account,” the researchers note.
“If a user clicks on the URL within the message, it will direct them to a decoy site. There, the user will be encouraged to download a malicious installer that embeds the crypter with the payload,” they add.
The delivery chain was made to look legitimate say the researchers: the domain names and user interface of the decoy sites were similar to the original, and the decoy sites also had a signed certificate, enabling an HTTPS connection. The researchers have identified 82 domains created between July 24, 2021, and November 17, 2021, used in this campaign.
“Upon clicking ‘Download APP,’ the site will generally navigate to /downland.php, which will redirect the download request to a different domain (this makes it less likely that someone will detect a decoy site),” the researchers note. “Interestingly, on one of these decoy sites, we noticed an HTML object written in Russian. This suggests that the threat actor’s origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English.”
Upon downloading and executing, the malicious installer copies its compressed files along with many other open-source or free application-related files into a newly-created folder with a legitimate-looking name in C:UsersAppDataRoaming and C:UsersAppDataLocal.
“At first glance, the files within the directory may seem legitimate. However, looking at these files carefully it becomes apparent that some of them are suspicious and should be inspected,” the researchers note.
Cryptocurrency Address-altering Campaign
In another attack targeting cryptocurrencies, a new campaign by threat actor Aggah has been found deploying clipboard hijacking code to replace a victim’s cryptocurrency address with an address specified by the actor. Researchers at security firm RiskIQ also identified that the code deployed several malicious code files as well.
“These new campaigns are similar to previously reported Aggah campaigns, in that the group used free services Bitly, Blogspot, and usrfiles[.]com to host their malicious resources. So far, we’ve observed this clipboard hijacking technique replaces cryptocurrency addresses for seven different cryptocurrencies,” RiskIQ researchers note.
They observed a malicious VBScript code posted in BlogSpot URLs in early October 2021. An analysis of the code uncovered a series of URLs containing VBScript and PowerShell commands that subsequently conduct clipboard hijacking, they say.
A clipboard hijacking technique replaces victim cryptocurrency addresses with the attacker’s own and installs Trojan backdoor malware files that communicate to dynamic DNS subdomains, the researchers say.
“The new Aggah campaign is another example of how relentless cybercriminals are in their search for profit. Ransomware holds victim organizations business operations hostage, which uniquely impacts retailers and other organizations that provide daily, direct services to their customers. Such attacks directly affect the victim’s revenue generation and thus provide additional leverage to the attackers in extracting the ransom,” says Dmitriy Ayrapetov, security researcher at cybersecurity firm SonicWall.
The researchers suspect that Aggah uses emails to deliver the URLs that kick off the hijacking process. They found an email with the subject line containing “FW URGENT Request for information,” which communicated to a Bitly link.
“The Bitly link forwarded the victim to the BlogSpot URL, which contained the initial VBScript code. This VBScript started a sequence that conducted registry modifications, set up scheduled tasks to perform clipboard hijacking of cryptocurrency addresses, and dropped Trojan and backdoor malware files to the host system,” the researchers note.
The researchers say that the VBScript code deployed to the victim host is a complex web of code that implements basic encoding methods to evade detection and analysis.
“Usually, the first VBScript code block that our researchers see on the BlogSpot URL contains code to kill Microsoft Word and Excel tasks. This code also modifies multiple registry settings to disable the macro warnings and disable the use of Protected View in versions 11, 12, 14, 15, 16 of Word, PowerPoint, and Excel,” the researchers state.
They also observed a second VB Script code block that called out to four other BlogSpot URLs, which host additional code that disables Windows Defender, stores clipboard hijacking code, configures scheduled tasks and deploys malicious files.
Seven different cryptocurrency addresses were observed across all attack scenarios and they were always included together in observed events, the researchers note. The cryptocurrencies include Bitcoin, Ethereum, XMR, XLM, XRP, LTC and Doge.
“Organizations need to protect their outward facing attack surface, but equally importantly, establish internal barriers (segmentation) to prevent lateral exploitation on which attackers rely to establish persistence and larger network access once they establish foothold on a single system,” Ayrapetov notes.