Kaspersky researchers reveal worrying development of APT BlueNoroff
Kaspersky researchers have discovered that the advanced persistent threat (APT) actor BlueNoroff recently added sophisticated new malware strains to its arsenal.
BlueNoroff is known as the threat actor that targets financial entities’ cryptocurrency around the world, specifically aiming at venture capital firms, crypto startups, and banks.
Now, the BlueNoroff actor is experimenting with new file types to convey their malware more efficiently and have created more than 70 fake domains of venture capital firms and banks to lure startup employees into a trap.
BlueNoroff is part of the larger Lazarus group and uses its sophisticated malicious technologies to attack organisations that, by the nature of their work, deal with smart contracts, DeFi, Blockchain, and the FinTech industry, the researchers state.
In January 2022, Kaspersky experts reported on a series of attacks detected on cryptocurrency startups worldwide, conducted by BlueNoroff, but afterwards there was a lull. However, based on Kaspersky’s telemetry, more recently the threat actor returned to attack, even more sophisticated and active than ever before.
According to the researchers, the attackers have used phishing techniques to try to infect targeted companies and then intercept large cryptocurrency transfers, changing the recipient's address, and pushing the transfer amount to the limit, essentially draining the account in a single transaction.
Kaspersky experts believe that the attackers are currently actively testing new malware delivery methods, for example, using previously unused file types such as a new Visual Basic Script, an unseen Windows Batch file, and a Windows executable to infect the victim. Blunoroff has also deployed new strategies to increase its efficiency in circumventing Windows security measures.
Recently, many threat actors have started using image files to avoid Mark-of-the-Web (MOTW). In a nutshell, the MOTW flag is a security measure whereby Windows issues a warning message, offering to open a file in “Protected view,” when a user tries to open a file downloaded from the internet.
To avoid this mitigation technique, an increasing number of threat actors have started to exploit ISO file types (digital copies of regular CD disks used for distribution of software or media content). BlueNoroff has adopted this technique, Kaspersky researchers have found.
The threat actor is increasing the power of its attacks every day. In October 2022, Kaspersky researchers observed 70 fake domains mimicking well-known venture capital firms and banks. Most of the domains imitate Japanese firms, like Beyond Next Ventures, Mizuho Financial Group, and others.
This indicates that this group has extensive interest in Japanese financial entities. According to Kaspersky telemetry, the actor also targets UEA organisations and disguises itself as US and Vietnamese companies.
Seongsu Park, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT), comments, “As per our forecast in recent APT predictions for 2023, the coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before. They will resemble the infamous WannaCry in their technological superiority and effect."
Park continues, "Our findings in the BlueNoroff experiments prove that cyber criminals are not standing still and are constantly testing and analysing new and more sophisticated tools of attack. On the threshold of new malicious campaigns, businesses must be more secure than ever: train your employees in the basics of cybersecurity and use a trusted security solution on all corporate devices.”