CryptoCore Group Stole $200M From Cryptocurrency Exchanges

The group uses spear-phishing to compromise systems.

Along with the introduction of cryptocurrency and blockchain technology, cryptojacking also came into existence. Though experts review blockchain regularly, there are nefarious cyber crooks who hijack systems to mine cryptocurrency. Recently, a notorious cyber group dubbed as CryptoCore has stolen $200 million by targeting cryptocurrency exchanges, in the US and Japan.
Cryptocurrency businesses have seen numerous threats through various vogue techniques- malware, spear-phishing, ransomware and direct thefts. Cryptojacking is rampant since the inception of virtual currency (BitCoin). Hackers mine cryptocurrency through luring links or by infecting advertisements by using JavaScript code. These practices then run crypto-mining code in the victim’s system. What makes cryptojacking more rampant is that it asks for no advanced techniques. This is significantly evident in CryptoCore’s tactics.

About CryptoCore

Also popular as Dangerous Password or Leery TurtleCryptoCore is a vogue cyber group which targets cryptocurrency businesses and executives of virtual currency exchanges, by using spear-phishing and social engineering. Its campaigns are not bound to any particular region and target businesses worldwide. According to analysts, the group is systematically operated, persistent and funded. It is believed to be operated from east Europe.
CryptoCore employs extensive reconnaissance before executing its attack. To specify vulnerable entry points, they send decoy e-mails with non-malicious attachments and monitor which of their targets tend to open and download them. They select and profile their targets at an advanced level to the details of their private life.
Attacks imitate commonly used file storage services like Google Drive, Microsoft OneDrive etc. This mimicking behaviour also observed in their choice of domains. They also use e-mail spoofing techniques to make the emails appear as coming from a coworker.
CryptoCore operations timeline
CryptoCore operations timeline
The group is pursuing malicious activities since 2018 primarily targeting enterprises in the US and Japan. Since its inception, the group is believed to make a bounty of $200 million through cryptocurrency exchanges. This amount is much greater than the estimated $70 million that CryptoCore has accumulated.
Although the group is not using advanced techniques for executing their attacks, they are rampant and efficient.
“The key goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, be it general corporate wallets or wallets belonging to the exchange’s employees. For this kind of operation, the group begins with an extensive reconnaissance phase against the company, its executives, officers and IT personnel. ” ~ ClearSky Report

CryptoCore’s Modius Operandi

The group hijacks cryptocurrency wallets of a victim system through specific technical characteristics.
Attack Kill Chain
Attack Kill Chain
The important method which makes the attack effective is reconnaissance. When attacking an organisation, CryptoCore hackers begin identifying employees. After that, they gather personal information of the employees along with the corporate email IDs to deploy spear-phishing emails. These malicious emails are designed to impersonate services or companies the targeted organisation is in contact with. This gathered information enables attackers to target firms multiple times.
The launched spear-phishing emails contain Bitly link which appears to direct the users to Google Drive. Instead, the link redirects them to multiple malicious landing pages controlled by the hackers. Once the victim clicks on the link, two files are downloaded.
To dupe with credibility, the first file sent is password protected. And the second file is a text-file seeming decoy document (Password.txt.lnk– Microsoft LNK File) which carries the password for the first file.

How the infection chain works

Once opened, the LNK file further downloads malicious Visual Basic Scripts (VBS) which the help of command-and-control(C2) server communication. The crooked scripts are used to create backdoors in the host systems to exploit vulnerabilities.
The backdoors are utilised to steal crypto-wallets stored in password managers, enabling CryptoCore attackers to mine currencies.
ClearSky report states that CryptoCore uses Mimikatz to gather Windows credentials from compromised computers. This includes username, hostname, time zone, operating system version, processor name, network adapter information and a list of running processes. This tactic enables CryptoCore to persist and move laterally in an organisation without detection.

Mitigation and Prevention

  • Cryptomining scripts are usually injected through ads and luring pop-ups. So adding a web-extension or ad-on like No Coin and MinerBlock, which are designed to detect and block crypto-mining scripts can counter such attacks.
  • Experts say that a way to prevent these types of attacks is to run executables and raise awareness amongst employees, about how a system can be compromised with phishing.
  • CryptoCore uses extensive exploration before executing its attacks. It is always good to double-check the email details, like hover the cursor over the link to verify that the URL matches with the anchor’s text and email’s stated destination.
  • Another popular method for threat detection is to leverage SIEM signatures and perform endpoint scans for malicious payloads.
Our systems are provided with password managers for our ease. But the attackers’ sole purpose is to reach out for the credentials stored in them. So it is better to store your passwords of crypto-wallets, either as hard-copy or in an encrypted file outside the system, which only you have access to.

- Advertisement -

Ayush Dubey
Ayush Dubey
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology. Cybersecurity being his primary field of interest. He loves to meet people who are always in a hustle to learn new things.

- Advertisement -

Latest articles

Related articles