Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

BlueNoroff Hackers Steal Crypto Using Fake MetaMask Extension

BlueNoroff Hackers Steal Crypto Using Fake MetaMask Extension

The North Korean threat actor group known as ‘BlueNoroff’ has been spotted targeting cryptocurrency startups with malicious documents and fake MetaMask browser extensions.

The motive of this group is purely financial, but its sophistication in carrying out objectives has previously led researchers to conclude that this is a sub-group of the North Korean Lazarus gang.

Although BlueNoroff has been active for several years, its structure and operation have been shrouded by mystery.

A report by Kaspersky attempts to shed some light by using intelligence collected during the most recent activity observed, dating back to November 2021.

Also Read: Top 25 Data Protection Statistics That You Must Be Informed


The latest attacks are focused on cryptocurrency startups located in the US, Russia, China, India, the UK, Ukraine, Poland, Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.

Victim map on the latest campaign
Victim map on the latest campaign
Source: Kaspersky

The threat actors attempt to infiltrate the communications of these firms and map the interactions between the employees to derive potential social engineering pathways.

In some cases, they do this by compromising the LinkedIn account of an employee and sharing a link to download a macro-laced document right on the platform.

BlueNoroff uses these real discussions to name laced documents accordingly and send them to the target employee at the right time.

Email used in latest BlueNoroff campaigns
Email used in latest BlueNoroff campaigns
Source: Kaspersky

To track their campaign, they include an icon from a third-party tracking service (Sendgrid) to get a notification when the victim opens the sent document.

The company names and logos impersonated by BlueNoroff are shown below:

Logos and firms used for social engineering attacks
Logos and firms used for social engineering attacks
Source: Kaspersky

As Kaspersky points out, these companies may not have been compromised, and Sendgrid may not know (was notified) that North Korean APTs are abusing them.

Also Read: Completed DPIA Example: 7 Simple Helpful Steps To Create

Infection chains

The first infection chain uses documents that feature VBS scripts, which exploit an old remote template injection vulnerability (CVE-2017-0199).

First infection chain
First infection chain
Source: Kaspersky

The second infection chain relies on sending an archive that contains a shortcut file and a password-protected document (Excel, Word, or PDF).

Second infection chain
Second infection chain
Source: Kaspersky

The LNK file that supposedly contains the password to open the document initiates a series of scripts that fetches the next-stage payload.

Eventually, in both cases, a backdoor with the following functionalities is dropped onto the infected machine:

  • Directory/File manipulation
  • Process manipulation
  • Registry manipulation
  • Executing commands
  • Updating configuration
  • Stealing stored data from Chrome, Putty, and WinSCP

Fake MetaMask steal crypto from victims

BlueNoroff steals user credentials that can be used for lateral movement and deeper network infiltration, while they also collect configuration files relevant to cryptocurrency software.

“In some cases where the attackers realized they had found a prominent target, they carefully monitored the user for weeks or months,” reads Kaspersky’s report.

“They collected keystrokes and monitored the user’s daily operations while planning a strategy for financial theft.”

The main trick employed to steal the cryptocurrency assets is to replace the core components of wallet management browser extensions with tampered versions that are dropped on local memory.

Tampered component on the laced Metamask plugin
Tampered component on the laced Metamask plugin
Source: Kaspersky

Kaspersky notes that tampering with the Metamask Chrome extension requires a thorough analysis of 170,000 lines of code, indicative of the skills and determination of BlueNoroff.

Victims can only detect the extension is fake by switching the browser to Developer mode and seeing the extension source pointing to a local directory rather than the online store.

Extension showing a local folder as an installation source
Extension showing a local folder as an installation source
Source: Kaspersky

When the target uses a hardware wallet, the actors wait for transactions and hijack the amounts by changing the recipient’s address.

Because they have only one chance before the victim realizes the infection, the actors also change the transaction amount to the maximum possible, draining the assets in one move.

Clues for attribution

On the aspect of attribution, Kaspersky researchers report seeing overlaps and similarities between PowerShell scripts and backdoors used in the latest and past campaigns.

Code similarities between different backdoors
Code similarities between different backdoors
Source: Kaspersky

Moreover, the C2 address acquisition scheme is similar to the 2016 attacks, using a hardcoded DWORD value to resolve an IP address via XORing.

Finally, the metadata on the Windows shortcut files dropped as part of the second infection chain contain Korean characters.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us