bluenoroffa sub-cluster of the infamous Lazarus Group, has been noticed adopting new methods in its playbook that enable it to bypass Home windows net model (MotW) protections.
This contains the usage of optical disk (.ISO extension) and digital onerous disk (.VHD extension) picture file codecs as a part of a brand new an infection chain, Kaspersky revealed in a report revealed right now.
“BlueNoroff created quite a few faux domains by posing as enterprise capital companies and banks,” stated safety researcher Seongsu Park, including that the brand new assault process was flagged in its telemetry in September 2022.
A number of the faux domains have been discovered to imitate ABF Capital, Angel Bridge, ANOBAKA, Financial institution of America, and Mitsubishi UFJ Monetary Group, most of that are positioned in Japan, indicating “heavy curiosity” within the area.
Additionally referred to as by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is a part of the bigger Lazarus risk group that additionally contains Andariel (also called Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (also called Nickel Academy).
The risk actor’s monetary motivations versus espionage have made it an uncommon nation-state actor within the risk panorama, permitting for “wider geographic dispersion” and permitting it to infiltrate organizations in North and South America. South, Europe, Africa and Asia.
Since then, it has been related to high-profile cyberattacks concentrating on the SWIFT banking community between 2015 and 2016, together with the daring Bangladesh Financial institution heist in February 2016 that led to the theft of $81 million.
Since a minimum of 2018, BlueNoroff seems to have undergone a tactical shift away from putting banks to focus solely on cryptocurrency entities to generate illicit income.
To that finish, Kaspersky earlier this yr revealed particulars of a marketing campaign dubbed SnatchCrypto orchestrated by the adversary collective to empty digital funds from victims’ cryptocurrency wallets.
One other key exercise attributed to the group is AppleJeus, through which faux cryptocurrency firms are established to lure unwitting victims into putting in benign-looking apps that finally obtain backdoor updates.
The most recent exercise recognized by the Russian cybersecurity firm introduces slight modifications to transmit its closing payload, exchanging Microsoft Phrase doc attachments for ISO information in phishing emails to set off an infection.
These optical picture information, in flip, comprise a Microsoft PowerPoint slide present (.PPSX) and a Visible Primary script (VBScript) that’s executed when the goal clicks a hyperlink within the PowerPoint file.
In another technique, a malware-laden Home windows batch file is began by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that’s used to acquire and execute a distant payload.
Kaspersky additionally found a pattern .VHD that comes with a decoy job description PDF file that’s engineered to generate an intermediate downloader that masquerades as antivirus software program to get the subsequent stage payload, however not earlier than disabling real EDR options by eliminating delete user-mode hooks.
Whereas the delivered backdoor is unclear, it’s thought-about to be just like a persistence backdoor utilized in SnatchCrypto assaults.
The usage of Japanese file names for one of many decoy paperwork, in addition to the creation of fraudulent domains disguised as legit Japanese enterprise capital firms, means that monetary companies within the island nation are more likely to be focused by BlueNoroff.
Cyber warfare has been a significant focus of North Korea in response to financial sanctions imposed by a number of international locations and the United Nations over considerations about its nuclear packages. It has additionally change into a significant income for the cash-strapped nation.
In truth, based on South Korea’s Nationwide Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion value of cryptocurrency and different digital property from targets world wide over the previous 5 years. .
“This group is extremely financially motivated and really manages to revenue from their cyberattacks,” Park stated. “This additionally means that assaults by this group are unlikely to abate within the close to future.”
–
BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection
