BlueNoroff, a subcluster of the infamous Lazarus Group, has been noticed adopting new strategies into its playbook that allow it to bypass Home windows Mark of the Internet (MotW) protections.
This contains the usage of optical disk picture (.ISO extension) and digital laborious disk (.VHD extension) file codecs as a part of a novel an infection chain, Kaspersky disclosed in a report revealed as we speak.
“BlueNoroff created quite a few pretend domains impersonating enterprise capital firms and banks,” safety researcher Seongsu Park said, including the brand new assault process was flagged in its telemetry in September 2022.
Among the bogus domains have been discovered to mimic ABF Capital, Angel Bridge, ANOBAKA, Financial institution of America, and Mitsubishi UFJ Monetary Group, most of that are situated in Japan, signalling a “eager curiosity” within the area.
Additionally known as by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is a part of the bigger Lazarus threat group that additionally comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).
The risk actor’s financial motivations versus espionage has made it an uncommon nation-state actor within the risk panorama, permitting for a “wider geographic unfold” and enabling it to infiltrate organizations throughout North and South America, Europe, Africa, and Asia.
It has since been related to high-profile cyber assaults aimed on the SWIFT banking community between 2015 and 2016, together with the audacious Bangladesh Bank heist in February 2016 that led to the theft of $81 million.
Since not less than 2018, BlueNoroff seems to have undergone a tactical shift, shifting away from hanging banks to solely specializing in cryptocurrency entities to generate illicit revenues.
To that finish, Kaspersky earlier this yr disclosed particulars of a marketing campaign dubbed SnatchCrypto orchestrated by the adversarial collective to empty digital funds from victims’ cryptocurrency wallets.
One other key activity attributed to the group is AppleJeus, by which pretend cryptocurrency firms are set as much as lure unwitting victims into putting in benign-looking purposes that ultimately obtain backdoored updates.
The most recent exercise recognized by the Russian cybersecurity firm introduces slight modifications to convey its closing payload, swapping Microsoft Phrase doc attachments for ISO information in spear-phishing emails to set off the an infection.
These optical picture information, in flip, include a Microsoft PowerPoint slide present (.PPSX) and a Visible Fundamental Script (VBScript) that is executed when the goal clicks a hyperlink within the PowerPoint file.
In an alternate technique, a malware-laced Home windows batch file is launched by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that is used to fetch and execute a distant payload.
Additionally uncovered by Kaspersky is a .VHD pattern that comes with a decoy job description PDF file that is weaponized to spawn an intermediate downloader that masquerades as antivirus software program to fetch the next-stage payload, however not earlier than disabling real EDR options by eradicating take away user-mode hooks.
Whereas the precise backdoor delivered just isn’t clear, it is assessed to be much like a persistence backdoor utilized within the SnatchCrypto assaults.
Using Japanese file names for one of many lure paperwork in addition to the creation of fraudulent domains disguised as legit Japanese enterprise capital firms means that monetary corporations within the island nation are doubtless a goal of BlueNoroff.
Cyber warfare has been a serious focus of North Korea in response to economic sanctions imposed by a lot of international locations and the United Nations over considerations about its nuclear packages. It has additionally emerged as a serious supply of revenue for the cash-strapped nation.
Certainly, in line with South Korea’s Nationwide Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrency and different digital property from targets around the globe over the past 5 years.
“This group has a robust monetary motivation and truly succeeds in making income from their cyberattacks,” Park mentioned. “This additionally means that assaults by this group are unlikely to lower within the close to future.”