SnatchCrypto attack hits DeFi and Blockchain Platforms with backdoor

SnatchCrypto attack hits DeFi and Blockchain Platforms with backdoor

Kaspersky researchers believe that North Korean government-backed hackers from the Lazarus Group are behind the SnatchCrypto attack.

The IT security researchers at Kaspersky have revealed details of a new campaign that the company has been tracking under the name SnatchCrypto.

According to Kaspersky’s research, this campaign entails emptying cryptocurrency wallets of those organizations that are part of crypto and financial spaces. 

Countries targeted in SnatchCrypto attack

Research reveals that the campaign has been active since 2017 and its main targets are FinTech sector firms in the following countries:

  1. India
  2. China
  3. Poland
  4. Russia
  5. Ukraine
  6. Vietnam
  7. Slovenia
  8. Singapore
  9. Hong Kong
  10. United States
  11. Czech Republic
  12. United Arab Emirates

How the attack takes place

In a blog post, Kaspersky researchers explained how the attack works and how unsuspected users are tricked into giving away their funds.

“When the compromised user transfers funds to another account, the transaction is signed on the hardware wallet. However, given that the action was initiated by the user at the very right moment, the user doesn’t suspect anything fishy is going on and confirms the transaction on the secure device without paying attention to the transaction details.”

“The user doesn’t get too worried when the size of the payment he/she inputs is low and the mistake feels insignificant. However, the attackers modify not only the recipient address but also push the amount of currency to the limit, essentially draining the account in one move.”

BlueNoroff Responsible for the Campaign

Kaspersky researchers claim that the SnatchCrypto campaign is the work of an advanced persistent threat group known as BlueNoroff, which is suspected of having links with the North Korean hacking group Lazarus APT

Lazarus is tied to cyberattacks against the financial and banking sector and specializes in SWIFT-based intrusions in Bangladesh, Vietnam, and Taiwan. The group was branded as one of the leading threats to FinTech firms along with FIN7 and Cobalt Strike.

“The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure,” Kaspersky researchers noted.

Reportedly, the group conducted a series of attacks against small and medium-sized firms that dealt in cryptocurrency, the blockchain, virtual assets, decentralized finance or DeFi, smart contracts, and FinTech.

This group builds and abuses trust to compromise company networks. It spends a lot of time getting to know its victims before launching the attack and has been studying cryptocurrency startups since November 2021. It also impersonates legit firms in phishing emails, including Emurgo, Coinsquad, Youbi Capital, and Sinovation Ventures.

“BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion,” Kaspersky report read.


A remote code execution flaw tracked as CVE-2017-0199 is used to trigger a remote script linked to malicious files. The exploit fetches a payload from a URL embedded in those files. It also pulls a remote template. 

With these combined, a VBA macro and base64-encoded binary objects become available and are used to spawn a process for privilege escalation before executing the primary payload on a target system.

“Interestingly, BlueNoroff shows improved opsec at this stage. The VBA macro does a cleanup by removing the binary objects and the reference to the remote template from the original document and saving it to the same file. This essentially de-weaponizes the document leaving investigators scratching their head during analysis,” researchers explained.

It is worth noting that CVE-2017-0199 is being exploited since 2017. In August 2017, Palo Alto Networks Unit 42 discovered a phishing scam called FreeMilk that was hijacking active email conversations to deploy malware with the help of the same vulnerability.

In October 2017, Trend Micro found CVE-2017-0199 was exploited to use Windows Object Linking, and Embedding (OLE) flaw to spread malicious PowerPoint files by evading antivirus detection.

As for the ongoing attack, researchers observed additional infection chains, including zipped Windows shortcut files or malicious Word documents to fetch secondary-stage payloads. A PowerShell agent then deploys a backdoor.

Furthermore, the malware remotely connects to its operator’s C2 server, manipulates the registry and processes, executes commands, and steals data stored in the Chrome browser, WinSCP, and Putty. 

At this stage, attackers can also launch another backdoor, screenshot taker, and keylogger. The final payload used by BlueNoroff is a custom backdoor that collects system data and cryptocurrency software-related configuration and interjects between transactions carried out through hardware wallets.

More crypto and malware news on

The Pirate Bay malware can empty your Cryptocurrency wallet

Malware hits Hive OS cryptomining users; steals funds from wallets

Fake wallet update steals 1400 Bitcoin ($16 million) from Electrum user

Fake KPSPico Windows activator tool KPSPico steals crypto wallet data

Owner forgets the password to digital wallet with $240m of Bitcoin inside


Related Posts