In the second quarter of 2022, Kaspersky researchers witnessed Advanced Persistent Threat (APT) actors increasingly targeting the cryptocurrency industry. Using cryptocurrency-related content and warnings from law enforcements as bait, the actor behind this new and highly active campaign, dubbed “NaiveCopy”, attacked stock and cryptocurrency investors in South Korea. Further analysis of NaiveCopy’s tactics and techniques revealed another related campaign active the year before which targeted unknown entities in both Mexico and the UK. This, along with other discoveries, is revealed in Kaspersky’s latest quarterly threat intelligence summary.
APT actors are continuously changing their tactics, sharpening their toolsets and developing new techniques. To help users and businesses keep up with these changes and stay informed about the potential threats they might face, Kaspersky’s Global Research and Analysis (GReAT) team provides quarterly reports about the most important developments across the advanced persistent threat landscape. The three-month APT trends report is created using Kaspersky’s private threat intelligence research and includes major developments and cyber-incidents that researchers believe everyone should be aware of.
In the second quarter of 2022, Kaspersky researchers discovered a new, highly active campaign which had started in March and targeted stock and cryptocurrency investors. This is unusual considering most APT actors do not pursue financial gain. The actor used cryptocurrency-related contents and complaints from law enforcement as themes to lure its victims. The infection chains involved remote template injection, spawning a malicious macro which starts a multi-stage infection procedure using Dropbox. After beaconing the victim’s host information, the malware then attempts to fetch the final stage payload.
Luckily, Kaspersky experts had a chance to acquire the final stage payload, consisting of several modules used for exfiltrating sensitive information from the victim. By analyzing this payload, Kaspersky researchers found additional samples that had been used a year ago during another campaign against entities in Mexico and UK.
Kaspersky experts do not see any precise connections to known threat actors, however they believe that they are familiar with the Korean language and have utilized a similar tactic previously used by the Konni group to steal the login credentials for a renowned Korean portal. The Konni group is a threat actor which has been active since mid-2021, mostly targeting Russian diplomatic entities.
“Over the course of several quarters, we have seen APT actors turn their attention to the cryptocurrency industry. Using various techniques, the actors seek not only information, but money as well. This is an unusual, but increasing, tendency for the APT landscape. In order to combat the threats, organizations need to gain visibility across the recent cyberthreat landscape. Threat intelligence is an essential component that enables reliable and timely anticipation of such attacks,” comments David Emm, principal security researcher at Kaspersky’s GReAT.
