Researchers from Kaspersky saw an increase in the number of Advanced Persistent Threat (APT) actors focusing on the cryptocurrency sector in the second quarter of 2022. The actor behind the most intense recent effort, known as “NaiveCopy,” targeted South Korean stock and cryptocurrency investors, using cryptocurrency-related content and law-enforcement complaints as lures.
Further investigation of NaiveCopy’s tactics and techniques revealed a related campaign run the previous year that targeted unidentified entities in Mexico and the United Kingdom. This discovery, along with others, is detailed in Kaspersky’s most recent quarterly threat intelligence summary.
“Over the course of several quarters, we have seen APT actors turn their attention to the cryptocurrency industry. Using various techniques, the actors seek not only information, but money as well. This is an unusual, but increasing, tendency for the APT landscape. In order to combat the threats, organizations need to gain visibility across the recent cyberthreat landscape. Threat intelligence is an essential component that enables reliable and timely anticipation of such attacks,” comments David Emm, principal security researcher at Kaspersky’s GReAT.
APT actors are constantly adapting their tactics, honing their toolkits, and developing new techniques. Kaspersky’s Global Research and Analysis Team (GReAT) publishes quarterly reports on the most important developments across the advanced persistent threat landscape to help users and businesses keep up with these changes and stay informed about the threats they may face. The quarterly APT trends report is based on Kaspersky’s private threat intelligence research and covers the major developments and cyber-incidents that its researchers believe everyone should be aware of.
Kaspersky researchers discovered a new, highly active campaign targeting stock and cryptocurrency investors in the second quarter of 2022. This is unusual, since the majority of APT actors do not seek financial gain. To entice victims, the actor themed its lures around cryptocurrency content and law-enforcement complaints. The infection chain began with remote template injection: the lure document loaded a template from a remote location, and the malicious macro in that template kicked off a multi-stage infection that used Dropbox for delivery. After beaconing the victim’s host information, the malware attempted to retrieve the final-stage payload.
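Remote template injection works because a .docx can carry an attachedTemplate relationship (in word/_rels/settings.xml.rels) whose target is external; Word fetches that template, and any macro in it, when the document opens. The following scanner is an added example written for this page, not Kaspersky’s tooling and not NaiveCopy’s documents: it builds minimal .docx files in memory with constructed relationship entries (the template URL and path are placeholders) and then inspects them the way a mail-gateway or IR triage check would, separating a template pulled over HTTP(S) or a UNC path from the common benign case of a local Normal.dotm reference.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Public OOXML relationship type for a document's attached template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (sample data, not a real lure).

    When template_target is given, settings.xml.rels carries an attachedTemplate
    relationship to it with TargetMode="External", which is the wiring a remote
    template injection document relies on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        z.writestr("word/settings.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        if template_target is not None:
            z.writestr(SETTINGS_RELS,
                       '<?xml version="1.0" encoding="UTF-8"?>'
                       f'<Relationships xmlns="{PKG_RELS_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
                       f'Target="{template_target}" TargetMode="External"/>'
                       '</Relationships>')
    return buf.getvalue()


def find_external_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target in the settings relationships."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE_REL and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target", ""))
    return hits


def is_remote_target(target: str) -> bool:
    """True when the template would be fetched over the network (HTTP(S) or UNC).

    A file:/// or plain local path to Normal.dotm is left unflagged: documents
    created from a local template routinely carry one, so treating every
    external relationship as malicious would bury real hits in noise.
    """
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "\\\\", "file://\\\\", "file:////"))


def scan(docx_bytes: bytes) -> List[str]:
    """Return only the template targets that would trigger a network fetch."""
    return [t for t in find_external_templates(docx_bytes) if is_remote_target(t)]


if __name__ == "__main__":
    # Placeholder URL and path, constructed for the example.
    lure = build_sample_docx("https://template.example.invalid/payload.dotm")
    benign = build_sample_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print("lure  ->", scan(lure))
    print("benign->", scan(benign))
```

In triage, pair the relationship check with a fetch of the target (from an isolated host) and a VBA inspection of the returned .dotm, since the relationship alone tells you only where the document will reach, not what comes back.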
Kaspersky experts were able to obtain the final-stage payload, which consisted of several modules used to steal sensitive information from the victim. By analyzing this payload, the researchers found additional samples used a year earlier in another campaign against entities in Mexico and the United Kingdom.
Kaspersky experts see no specific links to known threat actors, but they assess that the operators are familiar with the Korean language and reused a tactic previously employed by the Konni group to steal login credentials for a well-known Korean portal. In activity observed since mid-2021, the Konni group has primarily targeted Russian diplomatic entities.