Lazarus’s subgroup BlueNoroff is popularly known for a wide array of financial theft incidents against banks worldwide. In BlueNoroff’s most recent campaign, the attackers have subtly adopted new methods of malware delivery that can bypass Mark-of-the-Web (MOTW).
What’s new
In the new diversified methods, BlueNoroff has expanded its attack surface by different file types while also tweaking its infection methods.
Unlike previous intrusions with Word documents and shortcut files, it has now been observed using a new Visual Basic Script, a previously unseen Windows Batch file, and a Windows executable.
After the initial infection, the group implants a backdoor and installs additional malware with high privileges.
It executes several Windows commands to gather basic system information and utilizes Living Off the Land Binaries (LOLBins) to hide the commands.
The group evades the MOTW flag by using optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats.
There is more to it
Kaspersky researchers discovered more than 70 domains used by BlueNoroff. These domain registrations could be traced back to earlier in 2021, and these are still active.
Most of the registered fake domains impersonate popular venture capital firms, multinational banks, and financial services holding companies.
Beyond Next Ventures, Sumitomo Mitsui Banking Corporation, Mitsubishi UFJ Financial Group, ANOBAKA, ABF Capital, Z Venture Capital, Angel Bridge, Mizuho Financial Group, Bank of America, and Trans-Pacific Technology Fund are a few of them.
Additionally, the group used fake domains such as cloud hosting services for hosting malicious documents or payloads.
Geographically, the campaign is focused on Japan followed by Taiwan, UAE, and the U.S.
Wrapping up
BlueNoroff is enhancing its capabilities and, apparently, making profits by stealing cryptocurrency worth millions. Cryptocurrency-related businesses and financial companies are suggested to heed such cyber threats and power themselves with threat intel solutions.