Best Top Reviews Online

BlueNoroff APT Hackers Employing New Methods to Evade Windows MotW Security

BlueNoroff, a subcluster of the infamous Lazarus Group, has been observed incorporating Windows Mark of the Web (MotW) bypass techniques into its playbook.

This includes the use of optical disk image (.ISO) and virtual hard disk (.VHD) file formats as part of a novel infection chain, according to a report published today by Kaspersky.

“BlueNoroff created a large number of phony domains impersonating venture capital firms and banks,” said security researcher Seongseok Park, adding that the new attack method was flagged in September 2022.

Some of the fraudulent domains have been found to imitate Japanese financial institutions such as ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, indicating a “strong interest” in the region.

Although MotW bypasses have been documented in the wild previously, this is the first time that BlueNoroff has incorporated them into its intrusions against the financial sector.

BlueNoroff, also known as APT38, Nickel Gladstone, and Stardust Chollima, is a member of the Lazarus threat group, which also includes Andariel (also known as Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The threat actor’s financial motivations as opposed to espionage have made it an unusual nation-state actor in the threat landscape, enabling it to infiltrate organizations across North and South America, Europe, Africa, and Asia due to its “wider geographic spread.”

Since then, it has been linked to high-profile cyberattacks on the SWIFT banking network in 2015 and 2016, including the audacious Bangladesh Bank heist in February 2016 that resulted in the theft of $81 million.

Since at least 2018, BlueNoroff appears to have shifted its focus from attacking banks to solely generating illicit revenue through cryptocurrency entities.

To this end, Kaspersky disclosed details of a campaign dubbed SnatchCrypto earlier this year, which was orchestrated by an adversarial group to steal digital funds from victims’ cryptocurrency wallets.

AppleJeus is a key activity attributed to the group in which fake cryptocurrency companies are created to trick unwitting victims into installing benign-appearing applications that contain backdoored updates.

The most recent malicious activity identified by a Russian cybersecurity firm substitutes Microsoft Word document attachments for ISO files in spear-phishing emails to initiate the infection.

These optical image files contain a Microsoft PowerPoint presentation (.PPSX) and a Visual Basic Script (VBScript) that is executed when the target clicks a hyperlink in the PowerPoint file.

Alternatively, a malware-infected Windows batch file is executed by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that is used to retrieve and execute a remote payload.

Moreover, Kaspersky discovered a VHD sample that includes a decoy job description PDF file armed to spawn an intermediate downloader that masquerades as antivirus software to retrieve the next-stage payload but only after removing user mode hooks to disable authentic EDR solutions.

Although the precise implant delivered is unknown, it is believed to be comparable to the persistence backdoor used in the SnatchCrypto attacks.

Using Japanese file names for one of the lure documents and creating fraudulent domains masquerading as legitimate Japanese venture capital firms indicate that BlueNoroff likely targets financial institutions in the island nation.

North Korea has prioritized cyber warfare in response to economic sanctions imposed by several nations and the United Nations over its nuclear programs. It has also become a significant source of income for the cash-strapped nation.

According to South Korea’s National Intelligence Service (NIS), state-sponsored North Korean hackers stole an estimated $1.2 billion in cryptocurrency and other digital assets from global targets over the past five years.

“This group has a strong financial motive and is able to profit from their cyberattacks,” Park explained. This also indicates that this group’s attacks are unlikely to decline in the near future.

Note: The story has been updated to clarify that BlueNoroff’s use of MotW bypass is the first time it has adopted such a malware distribution method.

Why Trust Us?

Best Top Reviews Online was founded in 2018 to provide our readers with thorough, unbiased, and independent advice on what to buy. We now have millions of monthly users from all over the world and evaluate over 1,000 products per year.

The article above was written by the BestTopReviewsOnline team, which includes many of the US’s most knowledgeable technical experts. Our team includes well-known writers with extensive experience in mobile phones, computing, technology, photography, and other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
Security is a $10 Billion Business for Microsoft

January 28, 2021

NEWS ANALYSIS: Microsoft generated a staggering $10 billion in security-related revenues in the past year and is now a leader in enterprise cybersecurity. Microsoft’s decades-long transformation from an embarrassment to a legitimate cybersecurity powerhouse is yielding significant financial returns: over…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of