BlueNoroff, an APT actor, adopts new malware techniques under guise of VC funds as it renews attacks

Kaspersky researchers recently discovered that the infamous Advanced Persistent Threat (APT) actor BlueNoroff has added new sophisticated malware strains to its arsenal. BlueNoroff is known as the threat actor that targets the cryptocurrency holdings of financial entities around the world, specifically venture capital firms, crypto startups, and banks. The BlueNoroff actor is now experimenting with new file types to deliver its malware more efficiently and has created more than 70 fake domains of venture capital firms and banks to lure the employees of startups into a trap.

BlueNoroff is part of the larger Lazarus group and uses its sophisticated malicious technologies to attack organisations that, by the nature of their work, deal with smart contracts, DeFi, Blockchain, and the FinTech industry. In 2022, Kaspersky experts had already reported a series of attacks by BlueNoroff on cryptocurrency startups worldwide, after which there was a lull. However, based on Kaspersky's telemetry, the threat actor returned to the attack in the European autumn of 2022, and it is now even more sophisticated and active than ever before.

Imagine that you are an employee in the sales department of a large financial entity. You receive an email with a doc file attached, a contract from a client. You think: "we should quickly open this file and also send it to the boss!" But the moment you open the file, malware is downloaded to your corporate device. From now on the attackers track all your daily operations while they plan an attack strategy for theft. The very moment that someone from the infected company tries to transfer a large amount of cryptocurrency, the attackers intercept the transaction, change the recipient's address, and push the amount of currency to the limit, essentially draining the account in one move.

Kaspersky experts believe that the attackers are currently actively experimenting and testing new malware delivery methods: for example, using previously unused file types such as a new Visual Basic Script, an unseen Windows Batch file, and a Windows executable to infect the victim.

What's more, besides using tactics popular among advanced cybercriminals, they have made their circumvention of Windows security measures more effective by inventing their own strategies. Recently, many threat actors have adopted disk image files to avoid the Mark-of-the-Web (MOTW). In a nutshell, the MOTW flag is a security measure whereby Windows issues a warning (for example, opening a document in "Protected View") when a user tries to open a file downloaded from the Internet. To avoid this mitigation, an increasing number of threat actors have started to abuse ISO files (digital copies of regular CD disks used for distribution of software or media content), and the BlueNoroff actor has adopted this technique, too.

The ISO image file discovered in this campaign, used to deliver the malware, contains one PowerPoint slide show and one Visual Basic Script.
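As an added defender-side illustration of the MOTW point above (this is not code from the Kaspersky report), the following PowerShell check reports disk-image containers that arrived from the Internet zone and scripts or executables that carry no Mark-of-the-Web at all, the pattern left behind when a payload is run from a mounted ISO. It assumes Windows with NTFS, where the MOTW lives in the `Zone.Identifier` alternate data stream, and the folder name and extension lists are assumptions for the example.

```powershell
# Added example, not from the Kaspersky report. Assumes PowerShell 5.1+ on Windows/NTFS.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # The MOTW is stored in the NTFS alternate data stream "Zone.Identifier".
    # It is absent on files never downloaded, and on files inside a mounted ISO
    # (CDFS/UDF volumes have no alternate data streams), which is why the technique works.
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }   # 3 = Internet, 4 = Restricted
    }
    return $null
}

function Find-RiskyDownloads {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))   # assumed scan root
    # Container types used to smuggle payloads past MOTW, and payload types seen in this campaign.
    $containers = '.iso', '.img', '.vhd', '.vhdx'
    $payloads   = '.vbs', '.bat', '.cmd', '.js', '.lnk', '.exe'
    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        $ext  = $_.Extension.ToLower()
        $zone = Get-MotwZone -Path $_.FullName
        # Suspicious: an Internet-zone disk image, or a script/executable with no MOTW
        # sitting under a download folder (it most likely came out of such a container).
        $suspicious = ($containers -contains $ext -and $zone -ge 3) -or
                      ($payloads   -contains $ext -and $null -eq $zone)
        [pscustomobject]@{
            File        = $_.FullName
            ZoneId      = $zone
            IsContainer = $containers -contains $ext
            IsPayload   = $payloads -contains $ext
            Suspicious  = $suspicious
        }
    } | Where-Object { $_.Suspicious } | Format-Table -AutoSize
}

Find-RiskyDownloads
```

The same check can be pointed at a mail-gateway quarantine folder; any `.iso` flagged here should be opened only in an isolated analysis environment.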

The threat actor is increasing the power of its attacks every day. For instance, in October 2022 Kaspersky researchers observed 70 fake domains mimicking well-known venture capital firms and banks. Most of the domains imitate Japanese firms, such as Beyond Next Ventures and Mizuho Financial Group. This indicates that the group has an extensive interest in Japanese financial entities. According to Kaspersky telemetry, the actor also targets UAE organisations and disguises itself as US and Vietnamese companies.

The decoy document contains a description of a popular VC firm.

"As per our forecast in recent APT predictions for 2023, the new year will be marked by the cyber epidemics with the biggest impact, the strength of which has never been seen before. They will resemble the infamous WannaCry in their technological superiority and effect. Our findings in the BlueNoroff experiments prove that cybercriminals are not standing still and are constantly testing and analysing new and more sophisticated tools of attack. On the threshold of new malicious campaigns, businesses must be more secure than ever: train your employees in the basics of cybersecurity and use a trusted security solution on all corporate devices," comments Seongsu Park, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).

To protect organisations, Kaspersky recommends the following:

  • Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to identify phishing emails.
  • Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
  • Choose a proven endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behaviour-based detection and anomaly control capabilities for effective protection against known and unknown threats.
  • Use a dedicated set of cybersecurity solutions, combining endpoint protection with threat detection and response products, to detect and remediate even new and evasive threats in a timely fashion. Kaspersky Optimum Framework includes the essential set of endpoint protection empowered with EDR and MDR.
