Woburn, MA – July 28, 2022 — In the second quarter of 2022, Kaspersky researchers witnessed Advanced Persistent Threat (APT) actors increasingly targeting the cryptocurrency industry. Using cryptocurrency-related content and warnings from law enforcements as bait, the actor behind this new and highly active campaign, dubbed “NaiveCopy,” attacked stock and cryptocurrency investors in South Korea. Further analysis of NaiveCopy’s tactics and techniques revealed another related campaign active the year before which targeted unknown entities in both Mexico and the UK.
In the second quarter of 2022, Kaspersky researchers discovered a new, highly active campaign which had started in March and targeted stock and cryptocurrency investors. This is unusual considering most APT actors do not pursue financial gain. The actor used cryptocurrency-related contents and complaints from law enforcement as themes to lure its victims. The infection chains involved remote template injection, spawning a malicious macro which starts a multi-stage infection procedure using Dropbox. After beaconing the victim’s host information, the malware then attempts to fetch the final stage payload.
Kaspersky experts were able to acquire the final stage payload, consisting of several modules used for exfiltrating sensitive information from the victim. By analyzing this payload, Kaspersky researchers found additional samples that had been used a year ago during another campaign against entities in Mexico and UK.
Kaspersky experts do not see any precise connections to known threat actors, however they believe that they are familiar with the Korean language and have utilized a similar tactic previously used by the Konni group to steal the login credentials for a renowned Korean portal. The Konni group is a threat actor which has been active since mid-2021, mostly targeting Russian diplomatic entities.
“Over the course of several quarters, we have seen APT actors turn their attention to the cryptocurrency industry,” said David Emm, principal security researcher at Kaspersky’s GReAT. “Using various techniques, the actors seek not only information, but money as well. This is an unusual, but increasing, tendency for the APT landscape. In order to combat the threats, organizations need to gain visibility across the recent cyberthreat landscape. Threat intelligence is an essential component that enables reliable and timely anticipation of such attacks.”
To read the full APT Q2 2022 trends report, please visit Securelist.com.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over the past 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky announced free access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats. Request access online.
- Upskill your cybersecurity team to enable them to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- Use enterprise-grade EDR solution such as Kaspersky EDR Expert. It is essential to detect threats among a sea of scattered alerts thanks to automatic merging of alerts into incidents as well as to analyze and respond to an incident in the most effective way.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with social engineering techniques, such as phishing, introduce security awareness training and teach practical skills to your team – using tools such as the Kaspersky Automated Security Awareness Platform.