BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

December 27, 2022 | Ravie Lakshmanan | Cyber attack / Windows security


A sub-cluster of the infamous Lazarus Group has been observed employing new techniques in its playbook that allow it to bypass Windows Mark-of-the-Web (MotW) protections.

This includes the use of optical disc image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a new infection chain. Windows records MotW as a Zone.Identifier alternate data stream on the downloaded file itself; a downloaded ISO or VHD carries the stream, but the files inside the image are not given one of their own when it is mounted, so SmartScreen and Office Protected View do not treat them as having come from the Internet.

“BlueNoroff created a number of fake domains impersonating venture capital firms and banks,” said security researcher Seongsu Park, adding that telemetry from September 2022 flagged the new attack procedure.

Some of the fake domains mimic ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of them Japanese, suggesting a ‘strong interest’ in the region.

MotW bypasses have been reported in the wild before, but this is the first time BlueNoroff has incorporated them into intrusions against the financial sector.

BlueNoroff, also known by names such as APT38, Nickel Gladstone, and Stardust Chollima, is part of the larger Lazarus umbrella, which also comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The group's financial motivation, as opposed to espionage, makes it a rarity among nation-state actors and has allowed for a “broader geographical spread,” with intrusions into organizations across North America, South America, Europe, Africa, and Asia.

The group has been linked to high-profile attacks on the SWIFT banking network in 2015-2016, including the audacious Bangladesh Bank heist that netted $81 million in February 2016.


Since at least 2018, BlueNoroff has shifted its strategy, moving away from striking banks and focusing solely on cryptocurrency entities to generate illicit revenue.

To that end, earlier this year Kaspersky revealed details of a campaign dubbed SnatchCrypto, orchestrated by the adversary to drain digital funds from victims’ cryptocurrency wallets.

Another important activity attributed to this group is AppleJeus, in which a fake cryptocurrency company lures unsuspecting victims into installing seemingly harmless applications that eventually receive backdoored updates.

The latest activity identified by the Russian cybersecurity firm introduces a slight modification in how the final payload is delivered, replacing the Microsoft Word document attachment in spear-phishing emails with an ISO file to spread the infection.

These optical disc image files contain a Microsoft PowerPoint slide show (.PPSX) and a Visual Basic Script (VBScript) that runs when the target clicks a link within the PowerPoint file.
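The marker this campaign sidesteps is a small alternate data stream, and the reason a mounted ISO or VHD defeats it is worth seeing concretely. The following Python is an added example written for this page, not code from the article, from Kaspersky or from the malware: it parses the Zone.Identifier stream, reads it directly from a file on NTFS, and flags downloaded disk images in a directory listing, since anything extracted or launched from inside such an image will carry no marker of its own. The file names and URLs in the sample listing are constructed and hypothetical.

```python
"""Added example (not code from the article or from Kaspersky): parse and
check the Windows Mark-of-the-Web marker.

MotW is an NTFS alternate data stream (ADS) named Zone.Identifier that a
browser or mail client attaches to a downloaded file. SmartScreen and Office
Protected View key off the ZoneId it carries. A downloaded .iso or .vhd gets
the stream, but the files inside the image live on a separate file system
and have no stream of their own, which is the gap the campaign uses.
"""
import os
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}
DISK_IMAGE_SUFFIXES = (".iso", ".img", ".vhd", ".vhdx")


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")


def parse_zone_identifier(text: str) -> ZoneIdentifier:
    """Parse the INI-style stream body, e.g.
        [ZoneTransfer]\\r\\nZoneId=3\\r\\nReferrerUrl=...\\r\\nHostUrl=...
    Raises ValueError if the [ZoneTransfer] ZoneId is missing."""
    fields: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue  # ignore other sections and malformed lines
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        raise ValueError("no [ZoneTransfer] ZoneId in stream")
    return ZoneIdentifier(zone_id=int(fields["zoneid"]),
                          referrer_url=fields.get("referrerurl"),
                          host_url=fields.get("hosturl"))


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """Read the ADS from a file on NTFS (Windows). None means no MotW."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None


def is_disk_image(name: str) -> bool:
    return name.lower().endswith(DISK_IMAGE_SUFFIXES)


def flag_internet_disk_images(
        listing: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    """Names of disk images whose stream says Internet zone (ZoneId=3):
    files extracted from them will carry no marker at all."""
    flagged = []
    for name, stream_text in listing:
        if not is_disk_image(name) or stream_text is None:
            continue
        try:
            zone = parse_zone_identifier(stream_text)
        except ValueError:
            continue
        if zone.zone_id == 3:
            flagged.append(name)
    return flagged


# Constructed sample listing (hypothetical names/URLs, not from the campaign):
# (file name, raw Zone.Identifier text or None when the file has no stream).
SAMPLE_LISTING = [
    ("Job Description.iso",
     "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://vc.example/\r\n"
     "HostUrl=https://vc.example/Job%20Description.iso\r\n"),
    ("Investment Overview.ppsx", None),   # found inside the mounted image
    ("install.vhd", "[ZoneTransfer]\r\nZoneId=1\r\n"),  # intranet copy
    ("notes.txt", "[ZoneTransfer]\r\nZoneId=3\r\n"),    # marked, not an image
]


def main(argv: List[str]) -> None:
    if len(argv) > 1:  # walk a real directory on Windows NTFS
        for root, _dirs, files in os.walk(argv[1]):
            for name in files:
                full = os.path.join(root, name)
                zone = read_zone_identifier(full)
                if is_disk_image(name) and zone and zone.zone_id == 3:
                    print(f"Internet-zone disk image: {full} ({zone.host_url})")
    else:
        print("flagged:", flag_internet_disk_images(SAMPLE_LISTING))


if __name__ == "__main__":
    main(sys.argv)
```

With no argument the script runs against the constructed listing and flags only the downloaded ISO; the .ppsx beside it has no stream, which is exactly why Office opens it without Protected View. On Windows, pass a downloads folder as the first argument to walk it and read the real streams.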


Another method uses a Living Off The Land binary (LOLBin) to launch a malware-laden Windows batch file that fetches a second-stage downloader, which in turn retrieves and executes the remote payload.

The .VHD sample discovered by Kaspersky likewise comes with a decoy job description PDF file and is weaponized to produce an intermediate downloader masquerading as antivirus software, which retrieves the next-stage payload, but not before removing the user-mode hooks placed by a well-known EDR solution.

The exact implant that was delivered is unknown, but it is believed to be similar to the persistent backdoor utilized in the SnatchCrypto attack.


The use of a Japanese filename in one of the decoy documents and the creation of a fraudulent domain impersonating a legitimate Japanese venture capital firm suggest that BlueNoroff is likely targeting financial companies in Japan.

Cyberwarfare has become a major focus for North Korea in response to economic sanctions imposed by many countries and the United Nations over concerns about its nuclear program. It has also emerged as a major source of income for the resource-poor country.

In fact, according to South Korea’s National Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrencies and other digital assets from targets around the world over the past five years.

“The group has strong economic incentives and has actually been successful in profiting from cyberattacks,” said Park. “This also suggests that attacks by this group are unlikely to decline in the near future.”

Note: This article has been amended to clarify that this is the first time BlueNoroff has employed a MotW bypass as a malware delivery method.
