NaiveCopy: Kaspersky discovers highly active APT campaign targeting cryptocurrency industry

In the second quarter of 2022, Kaspersky researchers witnessed Advanced Persistent Threat (APT) actors increasingly targeting the cryptocurrency industry. Using cryptocurrency-related content and warnings from law enforcements as bait, the actor behind this new and highly active campaign, dubbed “NaiveCopy”, attacked stock and cryptocurrency investors in South Korea. Further analysis of NaiveCopy’s tactics and techniques revealed another related campaign active the year before which targeted unknown entities in both Mexico and the UK. This, along with other discoveries, is revealed in Kaspersky’s latest quarterly threat intelligence summary.

APT actors are continuously changing their tactics, sharpening their toolsets and developing new techniques. To help users and businesses keep up with these changes and stay informed about the potential threats they might face, Kaspersky’s Global Research and Analysis (GReAT) team provides quarterly reports about the most important developments across the advanced persistent threat landscape. The three-month APT trends report is created using Kaspersky’s private threat intelligence research and includes major developments and cyber-incidents that researchers believe everyone should be aware of.

In the second quarter of 2022, Kaspersky researchers discovered a new, highly active campaign which had started in March and targeted stock and cryptocurrency investors. This is unusual considering most APT actors do not pursue financial gain. The actor used cryptocurrency-related contents and complaints from law enforcement as themes to lure its victims. The infection chains involved remote template injection, spawning a malicious macro which starts a multi-stage infection procedure using Dropbox. After beaconing the victim’s host information, the malware then attempts to fetch the final stage payload.

Luckily, Kaspersky experts had a chance to acquire the final stage payload, consisting of several modules used for exfiltrating sensitive information from the victim. By analyzing this payload, Kaspersky researchers found additional samples that had been used a year ago during another campaign against entities in Mexico and UK.

Kaspersky experts do not see any precise connections to known threat actors, however they believe that they are familiar with the Korean language and have utilized a similar tactic previously used by the Konni group to steal the login credentials for a renowned Korean portal. The Konni group is a threat actor which has been active since mid-2021, mostly targeting Russian diplomatic entities.

“Over the course of several quarters, we have seen APT actors turn their attention to the cryptocurrency industry. Using various techniques, the actors seek not only information, but money as well. This is an unusual, but increasing, tendency for the APT landscape. In order to combat the threats, organizations need to gain visibility across the recent cyberthreat landscape. Threat intelligence is an essential component that enables reliable and timely anticipation of such attacks,” comments David Emm, principal security researcher at Kaspersky’s GReAT.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over the past 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky announced free access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats. Request access online.
  • Upskill your cybersecurity team to enable them to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • Use enterprise-grade EDR solution such as Kaspersky EDR Expert. It is essential to detect threats among a sea of scattered alerts thanks to automatic merging of alerts into incidents as well as to analyze and respond to an incident in the most effective way.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with social engineering techniques, such as phishing, introduce security awareness training and teach practical skills to your team – using tools such as the Kaspersky Automated Security Awareness Platform.