BlueNoroff threat group adopts new malware delivery tactic

January 12, 2023

BlueNoroff, the North Korean subgroup of the Lazarus APT, is notorious for being the culprit of many financial theft incidents against numerous banking institutions globally. Researchers have discovered that the BlueNoroff operators have adopted new tactics for malware distribution in their latest campaign.

According to the latest investigations, the malware delivery method used by the threat actors can bypass the Mark-of-the-Web (MOTW) protection.

Moreover, the BlueNoroff group has expanded its attack scope to different file types while modifying its infection methods as part of a new, diversified strategy. The researchers have also observed the group using a new Visual Basic Script and a Windows executable.

This strategy is entirely new for the actors, since they had only used Word documents and shortcut files in their previous data breach campaigns.

The BlueNoroff group has also included several additional malware strains in its attacks.

Researchers explained that the new strategy of the BlueNoroff group includes a backdoor and additional malware that runs with admin-level privileges.

Subsequently, the attackers run several Windows commands to collect basic system data and use LOLBins to obfuscate those commands. Furthermore, the group bypasses the MOTW flag by utilising disk image and virtual disk file formats.
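The MOTW gap described above comes down to one stored attribute: on NTFS, Windows records the origin zone of a downloaded file in an alternate data stream named Zone.Identifier, and files carved out of a mounted disk image do not carry the container's stream. The following triage helper is an added example, not code from the original article or from any of the cited researchers. It parses the Zone.Identifier format, reports the zone of a file where the stream exists, and flags payloads extracted from an Internet-zone container that lack an equivalent mark. The file names, the `files.example` host and the extension list are assumptions constructed for illustration.

```python
"""Triage helper for the Mark-of-the-Web (MOTW) gap: added example."""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Optional

# Disk image and virtual disk extensions that Windows mounts natively
# (assumed list for this example; extend to match your environment).
CONTAINER_EXTENSIONS = frozenset({".iso", ".img", ".vhd", ".vhdx"})

# Windows URL security zone ids as written into Zone.Identifier.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class ZoneTransfer:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")


def parse_zone_identifier(text: str) -> Optional[ZoneTransfer]:
    """Parse the INI-style contents of a Zone.Identifier stream.

    Returns None when there is no [ZoneTransfer] section or no ZoneId,
    which is exactly how an unmarked file should be treated.
    """
    section = None
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        return None
    try:
        zone_id = int(fields["zoneid"])
    except ValueError:
        return None
    return ZoneTransfer(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def read_motw(path: str) -> Optional[ZoneTransfer]:
    """Read a file's Zone.Identifier stream; None if absent.

    NTFS exposes the stream as "<path>:Zone.Identifier". On filesystems
    without alternate data streams the open fails, which is the same
    answer from a defender's point of view: no mark.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def is_mountable_container(filename: str) -> bool:
    """True for the disk image / virtual disk formats listed above."""
    return os.path.splitext(filename)[1].lower() in CONTAINER_EXTENSIONS


def triage(container_name: str, container_motw: Optional[ZoneTransfer],
           inner_files: dict[str, Optional[ZoneTransfer]]) -> list[str]:
    """Flag files that lost the Internet-zone marking of their container.

    container_motw and inner_files hold read_motw() results for the
    container and for each file extracted from it.
    """
    findings: list[str] = []
    if not is_mountable_container(container_name):
        return findings
    if container_motw is None or container_motw.zone_id < 3:
        return findings  # container itself did not come from the Internet zone
    for name, motw in inner_files.items():
        if motw is None or motw.zone_id < container_motw.zone_id:
            findings.append(f"{name}: extracted from {container_name} "
                            f"({container_motw.zone_name}) but carries no equivalent MOTW")
    return findings


if __name__ == "__main__":
    # Constructed sample: an Internet-zone ISO whose contents carry no stream.
    iso_mark = parse_zone_identifier(
        "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example/invoice.iso\r\n")
    for finding in triage("invoice.iso", iso_mark, {"invoice.lnk": None, "readme.txt": None}):
        print(finding)
```

In practice `read_motw` is called on the downloaded container and again on each file copied out of the mounted image; `triage` then reports which payloads would run without the zone checks the container itself would have triggered. The same parser is useful on its own for confirming whether a sample under analysis ever carried a mark and, where `HostUrl` is present, where it was fetched from.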

A separate group of researchers also discovered that BlueNoroff uses more than 70 domains as part of its campaign. Some of these domains were registered as far back as 2021 and are still active today.

Most of BlueNoroff's registered fake domains spoof well-known multinational banks, venture capital companies, and financial services holding firms. According to researchers, Angel Bridge, Mizuho Financial Group, Bank of America, Beyond Next Ventures, Sumitomo Mitsui Banking Corporation, ANOBAKA, ABF Capital, Z Venture Capital, Trans-Pacific Technology Fund, and Mitsubishi UFJ Financial Group are among the companies spoofed by the group.
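Brand-spoofing domains of the kind described above are usually caught by screening newly observed domains (from DNS logs, certificate transparency feeds or mail headers) against a list of protected brand names, tolerating the small edits and digit substitutions registrants use. The script below is an added example and not code from the original article or the researchers it cites; the article names the spoofed organisations but not the fake domains, so every candidate domain here is constructed for illustration and uses the reserved `.example` TLD. The brand-to-token mapping and the distance threshold are assumptions.

```python
"""Lookalike-domain screening against a brand list: added example."""
from __future__ import annotations

import re

# Brand tokens derived from the organisations named in the article
# (assumed mapping; real deployments maintain this list per customer).
BRAND_TOKENS = {
    "angelbridge": "Angel Bridge",
    "mizuho": "Mizuho Financial Group",
    "bankofamerica": "Bank of America",
    "beyondnext": "Beyond Next Ventures",
    "smbc": "Sumitomo Mitsui Banking Corporation",
    "sumitomomitsui": "Sumitomo Mitsui Banking Corporation",
    "anobaka": "ANOBAKA",
    "abfcapital": "ABF Capital",
    "zventure": "Z Venture Capital",
    "transpacific": "Trans-Pacific Technology Fund",
    "mufg": "Mitsubishi UFJ Financial Group",
    "mitsubishiufj": "Mitsubishi UFJ Financial Group",
}

# Digits commonly swapped for letters in lookalike registrations.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold(s: str) -> str:
    """Fold digit and letter-pair confusables so both sides compare alike."""
    return s.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def normalize(domain: str) -> str:
    """Lower-case, drop the last label (TLD), strip separators, fold confusables."""
    labels = domain.lower().rstrip(".").split(".")
    core = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return fold(re.sub(r"[^a-z0-9]", "", core))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def min_window_distance(token: str, core: str) -> int:
    """Smallest edit distance between token and any window of core.

    Windows one character shorter and longer than the token are tried so
    that a single dropped or inserted letter still scores as distance 1.
    """
    if len(core) <= len(token):
        return levenshtein(token, core)
    best = len(token)
    for width in (len(token) - 1, len(token), len(token) + 1):
        for i in range(max(0, len(core) - width + 1)):
            best = min(best, levenshtein(token, core[i:i + width]))
    return best


def screen_domain(domain: str, max_distance: int = 1) -> list[tuple[str, str]]:
    """Return (brand, reason) pairs for every brand the domain resembles."""
    core = normalize(domain)
    hits: list[tuple[str, str]] = []
    for token, brand in BRAND_TOKENS.items():
        folded = fold(token)
        if folded in core:
            hits.append((brand, f"contains '{token}'"))
        elif len(folded) >= 5 and min_window_distance(folded, core) <= max_distance:
            hits.append((brand, f"within {max_distance} edit(s) of '{token}'"))
    return hits


if __name__ == "__main__":
    # Constructed candidates, not domains from the article or any real campaign.
    for candidate in ("mizuho-financial-login.example", "bank0famerica-secure.example",
                      "beyondnxt-ventures.example", "weather-report.example"):
        print(candidate, "->", screen_domain(candidate) or "no brand match")
```

A hit means only that the domain resembles a protected brand; the organisation's own legitimate domains will match too and belong on an allowlist in front of this check. Short tokens such as `smbc` and `mufg` are matched only as exact substrings, because a one-edit tolerance on four letters would fire on far too many unrelated names.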

Lastly, the group also used fake domains posing as cloud hosting services to store malicious payloads or documents.

Experts stated that this North Korean threat group is constantly upgrading its capabilities and earning large sums by stealing crypto assets worth millions. Financial firms and crypto-related companies are urged to stay aware of such cyber threats and equip themselves with competent threat intelligence solutions.