BlueNoroff, a subcluster of the infamous Lazarus Group, has been observed incorporating Windows Mark of the Web (MotW) bypass techniques into its playbook.
This includes the use of optical disk image (.ISO) and virtual hard disk (.VHD) file formats as part of a novel infection chain, according to a report published today by Kaspersky.
“BlueNoroff created a large number of phony domains impersonating venture capital firms and banks,” said security researcher Seongseok Park, adding that the new attack method was flagged in September 2022.
Some of the fraudulent domains have been found to imitate Japanese financial institutions such as ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, indicating a “strong interest” in the region.
Although MotW bypasses have been documented in the wild previously, this is the first time that BlueNoroff has incorporated them into its intrusions against the financial sector.
BlueNoroff, also known as APT38, Nickel Gladstone, and Stardust Chollima, is a member of the Lazarus threat group, which also includes Andariel (also known as Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).
The threat actor’s financial motivation, as opposed to espionage, makes it an unusual nation-state actor in the threat landscape, and it has infiltrated organizations across North and South America, Europe, Africa, and Asia, reflecting its “wider geographic spread.”
The group has been linked to high-profile cyberattacks on the SWIFT banking network in 2015 and 2016, including the audacious Bangladesh Bank heist in February 2016 that resulted in the theft of $81 million.
Since at least 2018, BlueNoroff appears to have shifted its focus from attacking banks to solely generating illicit revenue through cryptocurrency entities.
To this end, Kaspersky disclosed details of a campaign dubbed SnatchCrypto earlier this year, which was orchestrated by an adversarial group to steal digital funds from victims’ cryptocurrency wallets.
AppleJeus is a key activity attributed to the group in which fake cryptocurrency companies are created to trick unwitting victims into installing benign-appearing applications that contain backdoored updates.
In the most recent malicious activity identified by the Russian cybersecurity firm, the Microsoft Word document attachments normally used in spear-phishing emails are replaced with ISO files to initiate the infection.
These optical image files contain a Microsoft PowerPoint presentation (.PPSX) and a Visual Basic Script (VBScript) that is executed when the target clicks a hyperlink in the PowerPoint file.
Alternatively, a malware-laced Windows batch file is executed, abusing a living-off-the-land binary (LOLBin) to fetch a second-stage downloader that in turn retrieves and executes a remote payload.
Moreover, Kaspersky discovered a VHD sample that includes a decoy job description PDF file designed to spawn an intermediate downloader that masquerades as antivirus software. That downloader retrieves the next-stage payload only after removing user-mode hooks, a step intended to blind the legitimate EDR solutions installed on the host.
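The security-relevant point in both chains is that a browser or mail client stamps the downloaded .ISO or .VHD container with a Zone.Identifier stream (the Mark of the Web), but the files inside a mounted image carry no such mark, so SmartScreen and Office Protected View never see them. The following PowerShell, added here as an illustration and not taken from the Kaspersky report, checks for that stream on a container and on every file inside it once mounted; the sample path is an assumption, and the image should only be mounted on an isolated analysis machine.

```powershell
# Added example: report whether a file carries the Mark of the Web, i.e. a
# Zone.Identifier alternate data stream. ZoneId 3 = Internet, 4 = Restricted sites.
function Get-MotwStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop
        # Volumes without ADS support (e.g. the CDFS view of a mounted ISO) cannot
        # hold the stream at all; a missing stream is exactly the bypass condition.
        $zone = Get-Content -LiteralPath $item.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId='
        [pscustomobject]@{
            Path    = $item.FullName
            HasMotW = [bool]$zone
            ZoneId  = $zoneId
        }
    }
}

# Assumed sample location; replace with the path of the image under analysis.
$image = "$env:USERPROFILE\Downloads\sample.iso"

# The downloaded container itself: expect HasMotW = True with ZoneId 3.
Get-MotwStatus -Path $image

# Mount the image and check every file inside it: expect HasMotW = False for all,
# which is why a .VBS or .PPSX launched from the mounted drive skips the MotW checks.
$disk   = Mount-DiskImage -ImagePath $image -PassThru
$letter = ($disk | Get-Volume).DriveLetter
try {
    Get-ChildItem -LiteralPath "${letter}:\" -Recurse -File | Get-MotwStatus
} finally {
    Dismount-DiskImage -ImagePath $image | Out-Null
}
```

A practical mitigation that follows from the same observation is to block or quarantine .ISO and .VHD attachments at the mail gateway, or to disassociate the Explorer mount handler for those extensions on user workstations.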
Although the precise implant delivered is unknown, it is believed to be comparable to the persistence backdoor used in the SnatchCrypto attacks.
Using Japanese file names for one of the lure documents and creating fraudulent domains masquerading as legitimate Japanese venture capital firms indicate that BlueNoroff likely targets financial institutions in the island nation.
North Korea has prioritized cyber warfare in response to economic sanctions imposed by several nations and the United Nations over its nuclear programs. It has also become a significant source of income for the cash-strapped nation.
According to South Korea’s National Intelligence Service (NIS), state-sponsored North Korean hackers stole an estimated $1.2 billion in cryptocurrency and other digital assets from global targets over the past five years.
“This group has a strong financial motive and is able to profit from their cyberattacks,” Park explained. This also indicates that this group’s attacks are unlikely to decline in the near future.
Note: The story has been updated to clarify that BlueNoroff’s use of MotW bypass is the first time it has adopted such a malware distribution method.