BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection



Dec 27, 2022
Ravie Lakshmanan
Cyber Attack / Windows Security


BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections.

This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.

“BlueNoroff created numerous fake domains impersonating venture capital companies and banks,” security researcher Seongsu Park said, adding that the new attack procedure was flagged in the company's telemetry in September 2022.

Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a “keen interest” in the region.

Also called by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is part of the larger Lazarus threat group that also comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The threat actor's financial motivations, as opposed to espionage, have made it an unusual nation-state actor in the threat landscape, allowing for a “wider geographic spread” and enabling it to infiltrate organizations across North and South America, Europe, Africa, and Asia.

It has since been associated with high-profile cyber assaults aimed at the SWIFT banking network between 2015 and 2016, including the audacious Bangladesh Bank heist in February 2016 that led to the theft of $81 million.

Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from striking banks to focusing solely on cryptocurrency entities to generate illicit revenues.

To that end, Kaspersky earlier this year disclosed details of a campaign dubbed SnatchCrypto orchestrated by the adversarial collective to drain digital funds from victims' cryptocurrency wallets.

Another key activity attributed to the group is AppleJeus, in which fake cryptocurrency companies are set up to lure unwitting victims into installing benign-looking applications that eventually receive backdoored updates.

The latest activity identified by the Russian cybersecurity company introduces slight modifications to convey its final payload, swapping Microsoft Word document attachments for ISO files in spear-phishing emails to trigger the infection.

These optical image files, in turn, contain a Microsoft PowerPoint slide show (.PPSX) and a Visual Basic Script (VBScript) that's executed when the target clicks a link in the PowerPoint file.

In an alternate method, a malware-laced Windows batch file is launched by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that's used to fetch and execute a remote payload.

Also uncovered by Kaspersky is a .VHD sample that comes with a decoy job description PDF file that's weaponized to spawn an intermediate downloader that masquerades as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing user-mode hooks.
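The delivery chain above works because the Mark of the Web lives in an NTFS alternate data stream (Zone.Identifier) on the downloaded container file, and files inside a mounted ISO or VHD do not carry a stream of their own. The following is an added example written for this page, not code from the article or from Kaspersky's report: a parser for the Zone.Identifier stream, an audit that lists files extracted from a marked container that did not inherit its Internet zone, and a heuristic over process-creation events that flags an Office application spawning a script host or a .vbs/.bat file launched from a drive letter other than the system drive (a mounted image receives a new drive letter). The zone numbers are the standard URLMON values; the event records, field names, file names and the `C:` system-drive assumption are all constructed for this example and are not artefacts from the campaign.

```python
"""Added example (not from the article or Kaspersky's report): MotW stream
parsing, an inheritance audit for ISO/VHD contents, and a process-event
heuristic for the described chain. Sample data below is constructed."""
import re
import sys
from dataclasses import dataclass

# Standard URLMON zone ids (assumption: these are the values Windows writes).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
INTERNET_ZONE = 3
PAYLOAD_EXTS = {".ppsx", ".vbs", ".bat", ".pdf"}   # file types named in the article
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
SYSTEM_DRIVE = "C:"                                 # assumption for this example
SCRIPT_PATH_RE = re.compile(r'([A-Za-z]):\\[^\s"]*?\.(?:vbs|bat)\b', re.IGNORECASE)


def _basename(path):
    """Last path component, accepting both \\ and / so the code runs off-Windows."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream. Returns a dict with an
    integer ZoneId and a ZoneName, or None when no usable ZoneId is present."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    fields["ZoneName"] = ZONE_NAMES.get(fields["ZoneId"], "Unknown")
    return fields


def read_zone_identifier(path):
    """Read the alternate data stream on Windows/NTFS; None if absent or unsupported."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def audit_extracted_files(container_mark, children):
    """container_mark: parsed mark of the ISO/VHD (or None).
    children: {extracted_path: parsed_mark_or_None}.
    Returns payload-type children that did not inherit the Internet zone."""
    if container_mark is None or container_mark["ZoneId"] < INTERNET_ZONE:
        return []  # the container itself was never marked; nothing to inherit
    lost = []
    for child, mark in children.items():
        ext = "." + _basename(child).rsplit(".", 1)[-1].lower() if "." in _basename(child) else ""
        if ext in PAYLOAD_EXTS and (mark is None or mark["ZoneId"] < INTERNET_ZONE):
            lost.append(child)
    return sorted(lost)


@dataclass
class ProcEvent:
    image: str          # path of the created process
    parent_image: str   # path of its parent
    command_line: str


def flag_events(events):
    """Return (image basename, reason) pairs for events matching the chain heuristics."""
    findings = []
    for ev in events:
        child = _basename(ev.image).lower()
        parent = _basename(ev.parent_image).lower()
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append((child, "office app spawned script host"))
        for m in SCRIPT_PATH_RE.finditer(ev.command_line):
            drive = m.group(1).upper() + ":"
            if drive != SYSTEM_DRIVE:
                findings.append((child, f"script launched from non-system drive {drive}"))
    return findings


# Constructed sample data, not real artefacts.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/lure.iso\r\n"
SAMPLE_CHILDREN = {r"E:\deck.ppsx": None, r"E:\update.vbs": None, r"E:\readme.txt": None}
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
              r'"C:\Windows\System32\wscript.exe" E:\update.vbs'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd.exe /c E:\setup.bat"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              r"notepad.exe C:\Users\me\notes.txt"),
]

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print("container mark:", mark)
    print("children that lost MotW:", audit_extracted_files(mark, SAMPLE_CHILDREN))
    for item in flag_events(SAMPLE_EVENTS):
        print("ALERT", item)
```

On a Windows host, `read_zone_identifier` can be pointed at the downloaded .iso and at each file copied out of the mounted image to feed `audit_extracted_files` with real data; the two script-launch heuristics in `flag_events` are deliberately coarse and are meant as a starting point for tuning against your own process telemetry, not as a finished rule.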

While the exact backdoor delivered is not clear, it's assessed to be similar to a persistence backdoor utilized in the SnatchCrypto attacks.

The use of Japanese file names for one of the lure documents, as well as the creation of fraudulent domains disguised as legitimate Japanese venture capital companies, suggests that financial firms in the island country are likely a target of BlueNoroff.

Cyber warfare has been a major focus of North Korea in response to economic sanctions imposed by a number of countries and the United Nations over concerns about its nuclear programs. It has also emerged as a major source of income for the cash-strapped country.

Indeed, according to South Korea's National Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrency and other digital assets from targets around the world over the last five years.

“This group has a strong financial motivation and actually succeeds in making profits from their cyberattacks,” Park said. “This also suggests that attacks by this group are unlikely to decrease in the near future.”
