BlueNoroff APT Hackers Utilizing New Methods to Bypass Home windows MotW Safety

Dec 27, 2022Ravie LakshmananCyber Assault / Home windows Safety

BlueNoroff, a subcluster of the infamous Lazarus Group, has been noticed adopting new strategies into its playbook that allow it to bypass Home windows Mark of the Net (MotW) protections.

This contains using optical disk picture (.ISO extension) and digital arduous disk (.VHD extension) file codecs as a part of a novel an infection chain, Kaspersky disclosed in a report printed as we speak.

“BlueNoroff created quite a few pretend domains impersonating enterprise capital corporations and banks,” safety researcher Seongsu Park said, including the brand new assault process was flagged in its telemetry in September 2022.

A few of the bogus domains have been discovered to mimic ABF Capital, Angel Bridge, ANOBAKA, Financial institution of America, and Mitsubishi UFJ Monetary Group, most of that are positioned in Japan, signalling a “eager curiosity” within the area.

Additionally known as by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is a part of the bigger Lazarus risk group that additionally comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The risk actor’s financial motivations versus espionage has made it an uncommon nation-state actor within the risk panorama, permitting for a “wider geographic unfold” and enabling it to infiltrate organizations throughout North and South America, Europe, Africa, and Asia.


It has since been related to high-profile cyber assaults aimed on the SWIFT banking community between 2015 and 2016, together with the audacious Bangladesh Financial institution heist in February 2016 that led to the theft of $81 million.

Lazarus Group

Since not less than 2018, BlueNoroff seems to have undergone a tactical shift, transferring away from placing banks to solely specializing in cryptocurrency entities to generate illicit revenues.

To that finish, Kaspersky earlier this 12 months disclosed particulars of a marketing campaign dubbed SnatchCrypto orchestrated by the adversarial collective to empty digital funds from victims’ cryptocurrency wallets.

One other key activity attributed to the group is AppleJeus, through which pretend cryptocurrency corporations are set as much as lure unwitting victims into putting in benign-looking functions that ultimately obtain backdoored updates.

The most recent exercise recognized by the Russian cybersecurity firm introduces slight modifications to convey its remaining payload, swapping Microsoft Phrase doc attachments for ISO information in spear-phishing emails to set off the an infection.

These optical picture information, in flip, comprise a Microsoft PowerPoint slide present (.PPSX) and a Visible Fundamental Script (VBScript) that is executed when the goal clicks a hyperlink within the PowerPoint file.

In an alternate technique, a malware-laced Home windows batch file is launched by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that is used to fetch and execute a distant payload.

Lazarus Group

Additionally uncovered by Kaspersky is a .VHD pattern that comes with a decoy job description PDF file that is weaponized to spawn an intermediate downloader that masquerades as antivirus software program to fetch the next-stage payload, however not earlier than disabling real EDR options by eradicating take away user-mode hooks.

Whereas the precise backdoor delivered shouldn’t be clear, it is assessed to be just like a persistence backdoor utilized within the SnatchCrypto assaults.

The usage of Japanese file names for one of many lure paperwork in addition to the creation of fraudulent domains disguised as reliable Japanese enterprise capital corporations means that monetary corporations within the island nation are doubtless a goal of BlueNoroff.

Cyber warfare has been a serious focus of North Korea in response to economic sanctions imposed by numerous nations and the United Nations over considerations about its nuclear applications. It has additionally emerged as a serious supply of revenue for the cash-strapped nation.

Certainly, in line with South Korea’s Nationwide Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrency and different digital property from targets world wide during the last 5 years.

“This group has a robust monetary motivation and truly succeeds in making earnings from their cyberattacks,” Park stated. “This additionally means that assaults by this group are unlikely to lower within the close to future.”

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.