Thursday, September 24, 2020

CryptoCore Group Stole $200M From Cryptocurrency Exchanges

The group uses spear-phishing to compromise systems.

Ayush Dubey (https://ayush7ad6.wordpress.com/)
Ayush Dubey is an engineering student from IIIT Jabalpur with a comprehensive background in technology; cybersecurity is his primary field of interest. He loves to meet people who are always in a hustle to learn new things.
Along with the introduction of cryptocurrency and blockchain technology, cryptojacking also came into existence. Though experts review blockchain regularly, nefarious cyber crooks still hijack systems to mine cryptocurrency. Recently, a notorious cyber group dubbed CryptoCore stole $200 million by targeting cryptocurrency exchanges in the US and Japan.
Cryptocurrency businesses have faced numerous threats through a variety of techniques: malware, spear-phishing, ransomware and direct theft. Cryptojacking has been rampant since the inception of virtual currency (Bitcoin). Hackers mine cryptocurrency by luring victims to links or by infecting advertisements with JavaScript code; these practices then run crypto-mining code on the victim's system. What makes cryptojacking so rampant is that it requires no advanced techniques, and this is clearly evident in CryptoCore's tactics.

About CryptoCore

Also known as Dangerous Password or Leery Turtle, CryptoCore is a cyber group that targets cryptocurrency businesses and executives of virtual currency exchanges using spear-phishing and social engineering. Its campaigns are not bound to any particular region and target businesses worldwide. According to analysts, the group is systematically operated, persistent and well funded. It is believed to operate from Eastern Europe.
CryptoCore carries out extensive reconnaissance before executing its attack. To identify vulnerable entry points, the group sends decoy e-mails with non-malicious attachments and monitors which targets tend to open and download them. Targets are selected and profiled in detail, down to the particulars of their private lives.
Attacks imitate commonly used file storage services such as Google Drive and Microsoft OneDrive, and this mimicry is also observed in the group's choice of domains. The group also uses e-mail spoofing techniques to make messages appear to come from a coworker.

CryptoCore operations timeline

The group has been pursuing malicious activities since 2018, primarily targeting enterprises in the US and Japan. Since its inception, the group is believed to have made a bounty of $200 million from cryptocurrency exchanges. This amount is much greater than the estimated $70 million that CryptoCore has accumulated.
Although the group does not use advanced techniques to execute its attacks, it is rampant and efficient.
“The key goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, be it general corporate wallets or wallets belonging to the exchange’s employees. For this kind of operation, the group begins with an extensive reconnaissance phase against the company, its executives, officers and IT personnel.” ~ ClearSky Report

CryptoCore’s Modus Operandi

The group's hijacking of cryptocurrency wallets on a victim's system exhibits a number of specific technical characteristics.

Attack Kill Chain

The method that makes the attack effective is reconnaissance. When attacking an organisation, CryptoCore hackers begin by identifying its employees. They then gather the employees' personal information along with their corporate email IDs in order to deploy spear-phishing emails. These malicious emails are designed to impersonate services or companies the targeted organisation is in contact with, and the gathered information enables the attackers to target firms multiple times.
The spear-phishing emails contain a Bitly link which appears to direct the user to Google Drive. Instead, the link redirects them through multiple malicious landing pages controlled by the hackers. Once the victim clicks the link, two files are downloaded.
To lend credibility, the first file is password protected, and the second is a decoy that looks like a text file (Password.txt.lnk, a Microsoft LNK shortcut file) which supposedly carries the password for the first.

How the infection chain works

Once opened, the LNK file downloads further malicious Visual Basic Scripts (VBS) with the help of command-and-control (C2) server communication. These scripts are used to create backdoors on the host systems and exploit vulnerabilities.
The backdoors are used to steal crypto-wallets stored in password managers, enabling the CryptoCore attackers to mine currencies.
The ClearSky report states that CryptoCore uses Mimikatz to gather Windows credentials from compromised computers. This includes the username, hostname, time zone, operating system version, processor name, network adapter information and a list of running processes. This tactic enables CryptoCore to persist and move laterally within an organisation without detection.

Mitigation and Prevention

  • Cryptomining scripts are usually injected through ads and luring pop-ups, so adding a web extension or add-on such as No Coin or MinerBlock, which are designed to detect and block crypto-mining scripts, can counter such attacks.
  • Experts say that one way to prevent these types of attacks is not to run untrusted executables and to raise awareness among employees about how a system can be compromised through phishing.
  • CryptoCore performs extensive exploration before executing its attacks. It is always good to double-check the email details: hover the cursor over a link to verify that the URL matches the anchor text and the email's stated destination.
  • Another popular method for threat detection is to leverage SIEM signatures and perform endpoint scans for malicious payloads.
Our systems provide password managers for our convenience, but the attackers' sole purpose is to reach the credentials stored in them. So it is better to store the passwords of your crypto-wallets either as a hard copy or in an encrypted file outside the system, which only you can access.
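As an added illustration of the hover check and the double-extension decoy described above (example code written for this article, not from the ClearSky report or any CryptoCore sample), the following Python script flags those two indicators in a constructed message; the link, shortener URL and filenames are hypothetical:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the chain described above; not real CryptoCore data.
SAMPLE_MAIL = {
    "html": ('<p>Please review the shared folder:</p>'
             '<a href="https://bit.ly/3xyzabc">https://drive.google.com/drive/folders/abc</a>'),
    "attachments": ["Q3-report.zip", "Password.txt.lnk"],
}

class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(s):
    # Hostname of a URL or bare domain; '' when the string is not URL-like (e.g. "click here").
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", s, re.I):
        return ""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def phishing_indicators(mail):
    """Return the indicators found in a message dict; an empty list means none were found."""
    found = []
    parser = LinkCollector()
    parser.feed(mail["html"])
    for href, text in parser.links:
        shown, real = host(text), host(href)
        # The hover check from the text: the visible URL names one site, the href goes to another.
        if shown and real and shown != real:
            found.append(f"link text shows {shown} but href goes to {real}")
    for name in mail["attachments"]:
        # Password.txt.lnk style decoy: a Windows shortcut hidden behind a double extension.
        if re.search(r"\.[a-z0-9]{2,4}\.lnk$", name, re.I):
            found.append(f"double-extension shortcut attachment: {name}")
    return found
```

The same checks can be run over a mail gateway's quarantine export or a SIEM feed of parsed messages; any non-empty result is a candidate for the endpoint scan mentioned above.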