Lazarus Group has New Tricksters

North Korea’s BlueNoroff hackers have updated their tactics and delivery techniques in a new wave of attacks targeting banks and venture capital firms, according to cyber threat investigators.  Part of Lazarus, a hacking group linked to the North Korean government, BlueNoroff is financially motivated and has been blamed for numerous cyber-attacks on banks, cryptocurrency firms, and other financial institutions.

BlueNoroff’s campaign has been running since at least 2017.  It relies on advanced phishing and social engineering to abuse trust within companies: the threat actors study the behaviors and interactions of employees in order to identify topics of interest.[1]

After collecting the necessary data on the victims, they send what looks like a relevant and trustworthy email from one colleague to another, sharing a document or asking the recipient to review it or answer questions about its contents.  By including the logo of the third-party email service SendGrid, which offers open-tracking capabilities (the image is fetched from the service’s server when the mail is rendered), the attacker knows exactly when the victim opens the email.
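The open-tracking trick above works because a remotely hosted image is fetched the moment the mail is rendered.  The following script is an added example, not code from the article or from Red Sky Alliance: it parses an HTML email and flags every image that would be loaded from the network, distinguishing 1x1 beacons from ordinary remote images.  The sample message and its host names are constructed for this illustration.

```python
"""Flag remotely hosted images (open-tracking beacons) in an HTML email.

Added example, not from the original article.  The sample message and the
tracking host names below are made up for illustration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an internal-looking "please review" mail that embeds a
# 1x1 tracking pixel, a remote logo, and a genuinely inline (cid:) image.
SAMPLE_EML = """\
From: Alice <alice@example-vc.test>
To: Bob <bob@example-vc.test>
Subject: Term sheet for review
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Bob, can you look over the attached term sheet before Friday?</p>
<img src="https://track.mail-service.example/wf/open?upn=abc123" width="1" height="1">
<img src="https://mail-assets.example/logo.png" alt="service logo">
<img src="cid:inline-logo" alt="company logo">
<p>Thanks, Alice</p>
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _is_beacon_sized(attrs):
    """True when the width/height attributes describe a 1x1 (or 0x0) image."""
    try:
        w = int(attrs.get("width", "-1"))
        h = int(attrs.get("height", "-1"))
    except ValueError:
        return False
    return 0 <= w <= 1 and 0 <= h <= 1


def find_remote_images(raw_message):
    """Return a list of (src, reason) for images loaded from the network.

    Images referenced by cid: (inline MIME parts) or data: URIs are ignored:
    rendering them makes no network request, so they cannot report an open.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _ImgCollector()
    parser.feed(body.get_content())

    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        if urlparse(src).scheme.lower() not in ("http", "https"):
            continue
        reason = "remote image"
        if _is_beacon_sized(attrs):
            reason = "1x1 remote image (tracking pixel)"
        findings.append((src, reason))
    return findings


if __name__ == "__main__":
    for src, reason in find_remote_images(SAMPLE_EML):
        print(f"{reason}: {src}")
```

A mail gateway or client configured to block remote content defeats this kind of tracking outright; where that is not possible, the list this function returns is what you would feed into a user warning or a detection rule.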

Alternatively, after compromising an existing company, the threat actors use its channels, such as email and social media accounts, to contact other firms and distribute weaponized documents disguised as investment contracts and similar files.  These documents exploit CVE-2017-0199, a remote code execution vulnerability in Microsoft Office (Word).

Following several months of silence, the group resumed its activities this fall with renewed attacks that leverage new malware and updated delivery techniques, including new file types and a method of bypassing Microsoft’s Mark-of-the-Web (MotW) protection.   Specifically, the hackers are distributing optical disk image (.iso) and virtual hard disk (.vhd) files containing decoy Office documents.  MotW is a Zone.Identifier alternate data stream that browsers and mail clients attach to a downloaded file; at the time of these attacks Windows did not propagate it to the files inside a mounted ISO or VHD, so the decoy documents open without the warning (and without Office’s Protected View) that Windows normally applies to a document downloaded from the internet.  Microsoft has since changed how the mark is propagated into mounted images, so the exact behaviour depends on patch level.  Relying on phishing, BlueNoroff is attempting to infect target organizations to intercept cryptocurrency transfers and drain accounts.
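To see the bypass for yourself, compare the downloaded .iso (which carries the mark) with the files inside it once mounted.  The script below is an added example, not code from the article or from any vendor: it parses the Zone.Identifier stream in the format Windows writes, reads it from a file where the filesystem supports alternate data streams, and walks a directory (such as a mount point) to list risky file types that carry no Internet-origin mark.  The sample Zone.Identifier text and URLs are constructed; the stream can only be read on an NTFS volume, while the parser itself runs anywhere.

```python
"""Inspect Mark-of-the-Web (the Zone.Identifier alternate data stream).

Added example, not part of the original article.  The sample stream contents
below are constructed to match the INI-style format Windows writes.
"""
import os

# ZoneId values as defined by the Windows URL security zones.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed example of what a browser writes to <file>:Zone.Identifier
# after downloading an image file from a web mail link (URLs are made up).
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example/inbox\r\n"
    "HostUrl=https://files.example/download/contract.iso\r\n"
)

# File types worth flagging when they appear without MotW inside a mounted
# image: the decoys in this campaign were Office documents.
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx",
    ".lnk", ".exe", ".vbs", ".bat",
}


def parse_zone_identifier(text):
    """Parse the Zone.Identifier stream into a dict.

    Keys stay case-sensitive (ZoneId, ReferrerUrl, HostUrl) and values are
    split on the first '=' only, because the URLs often contain '=' too.
    """
    fields = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except (KeyError, ValueError):
        pass
    return fields


def read_motw(path):
    """Return the parsed Zone.Identifier for *path*, or None if it has none.

    Python opens NTFS alternate data streams with the 'file:stream' syntax,
    so this only finds anything on Windows/NTFS; elsewhere (or when the file
    has no stream) the open raises OSError, reported here as "no mark".
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def is_internet_origin(motw):
    """True when the mark says Internet or Restricted sites (ZoneId 3 or 4),
    the zones that trigger the warning and Office Protected View."""
    return motw is not None and motw.get("ZoneId") in (3, 4)


def audit_tree(root):
    """Walk a directory (e.g. a mounted ISO/VHD) and list risky files that
    lack an Internet-origin mark.  Returns (path, zone_name_or_None) pairs."""
    unmarked = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in DOCUMENT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            motw = read_motw(full)
            if not is_internet_origin(motw):
                zone = ZONE_NAMES.get(motw.get("ZoneId")) if motw else None
                unmarked.append((full, zone))
    return unmarked


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, zone in audit_tree(target):
        print(f"no Internet MotW: {path} (zone: {zone})")
```

Run it against the folder holding the downloaded .iso and then against the drive letter Windows assigns when the image is mounted: on a build without the later propagation fix, the container is marked ZoneId=3 while every document inside it comes back with no mark at all, which is exactly the gap the decoy documents slip through.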

See:  https://redskyalliance.org/xindustry/lazarus-targeting-cryptocurrency

As part of the new campaign, the hacking group has registered an estimated seventy (70) fake domains mimicking well-known banks and venture capital firms, with a focus on Japanese firms; organizations in the UAE, the US, and Vietnam are also targeted.  These domains have been used in phishing attacks aimed at startup employees.  The group also ‘adopted new techniques to convey the final payload’, including the use of Visual Basic Script and Windows batch scripts, and introduced a new downloader to fetch the next-stage payload.


In September 2022, a victim in the UAE was targeted with a malicious Office document designed to connect to a remote server and download a payload named ieinstal.exe, which was used to bypass User Account Control (UAC).  After the infection, the threat actor used the backdoor for hands-on-keyboard activity such as fingerprinting the host and installing additional malware with high privileges.

In another attack, the group was observed using a downloader that checks the system for antivirus programs from Avast, Avira, Bitdefender, Kaspersky, Microsoft, Sophos, and Trend Micro in order to disable them.  BlueNoroff was also observed abusing Living-off-the-Land binaries (LOLBins), using various scripts to display a decoy document and fetch the next-stage payload, and deploying a new Windows executable downloader that creates a fake password file and downloads a payload.

As part of the campaign, the hackers also used fake domains for hosting malicious documents and payloads, and fake domains imitating legitimate financial and investment companies, most of them Japanese organizations.  Lately, the group has also targeted cryptocurrency-related businesses.  The threat actor keeps introducing modifications, however slight, to the way it delivers its malware, which suggests that attacks by this group are unlikely to decrease in the near future.

Organizations are advised to train their employees to recognize phishing, audit their networks to identify vulnerabilities and weaknesses, and deploy and maintain security solutions that provide endpoint protection and threat detection and response capabilities.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.securityweek.com/north-korean-hackers-created-70-fake-bank-venture-capital-firm-domains
