Kaspersky researchers have discovered that the infamous Advanced Persistent Threat (APT) actor BlueNoroff added new sophisticated malware strains to its arsenal. BlueNoroff is known as the threat actor that targets financial entities’ cryptocurrency around the world, specifically aiming at venture capital firms, crypto startups, and banks. Now the BlueNoroff actor is experimenting with new file types to convey their malware more efficiently and have created more than 70 fake domains of venture capital firms and banks to lure the employees of startups into a trap.
BlueNoroff is part of a larger Lazarus group and uses their sophisticated malicious technologies to attack organizations that, by the nature of their work, deal with smart contracts, DeFi, Blockchain, and the FinTech industry. In January 2022, Kaspersky experts already reported about the series of attacks detected on cryptocurrency startups worldwide conducted by BlueNoroff, but afterwards there was a lull. However, based on Kaspersky’s telemetry, this autumn the threat actor returned to attack – and now it is to be even more sophisticated and active than ever before.
Imagine that you are an employee in the sales department of a large financial entity. You receive a letter with doc file – a contract from a client. You think: “we should quickly open this file and also send it to the boss!” But, as you open the file, the malware was immediately downloaded to your corporate device. Now the attackers will track all your daily operations and, while they are planning an attack strategy for theft. The very moment that someone from the infected company tries to transfer a large amount cryptocurrency, the attackers intercept the transaction, change the recipient's address, and push the amount of currency to the limit, essentially draining the account in one move.
Kaspersky experts believe that the attackers are currently actively experimenting and testing new malware delivery methods: for example, using previously unused file types such as a new Visual Basic Script, an unseen Windows Batch file, and a Windows executable to infect the victim.
What’s more, besides using tactics popular among advanced cybercriminals they increased the efficiency of circumventing Windows security measures by inventing their own strategies. Recently, many threat actors have adopted image files to avoid Mark-of-the-Web (MOTW). In a nutshell, the MOTW flag is a security measure whereby Windows issues a warning message (like to open file in “Protected view”) when a user tries to view a file downloaded from the Internet. To avoid this mitigation technique, an increasing number of threat actors have started to exploited ISO file types (digital copies of regular CD disks used for distribution of software or media content) – and the BlueNoroff actor has adopted this technique, too.
This discovered ISO image file used to deliver malware contains one PowerPoint slide show and one Visual Basic Script
The threat actor is increasing the power of its attacks every day. For instance, in October 2022, Kaspersky researchers have observed 70 fake domains mimicking the world-known venture capital firms and banks. Most of the domains imitate Japanese firms, like Beyond Next Ventures, Mizuho Financial Group, and more. This indicates that this group has extensive interest in Japanese financial entities. According to Kaspersky telemetry, the actor also targets UAE organizations and disguises itself as US and Vietnamese companies.
The decoy document contains a description of popular VC
“As per our forecast in recent APT predictions for 2023, the coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before. They will resemble the infamous WannaCry in their technological superiority and effect. Our findings in the BlueNoroff experiments prove that cybercriminals are not standing still and are constantly testing and analyzing new and more sophisticated tools of attack. On the threshold of new malicious campaigns, businesses must be more secure than ever: train your employees in the basics of cybersecurity and use a trusted security solution on all corporate devices,” comments Seongsu Park, lead security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).