Kaspersky researchers have found that the APT group BlueNoroff has added new advanced malware to their toolset. BlueNoroff is known for targeting financial institutions and cryptocurrency companies worldwide, specifically venture capital firms, crypto startups, and banks. They are now trying new methods of delivering malware by using different file types and creating over 70 fake websites of venture capital firms and banks to trick employees of startups into falling for their attacks.
As a subset of the wider Lazarus group, BlueNoroff uses sophisticated malware against businesses whose operations touch blockchain, smart contracts, DeFi and the wider FinTech sector. Kaspersky researchers had already documented a series of BlueNoroff attacks on cryptocurrency businesses around the world in 2022, after which the group went quiet. According to Kaspersky's telemetry, the threat actor returned this autumn, and its new activity is considerably more advanced and more aggressive than before.
Imagine that you are an employee in the sales department of a large financial entity. You receive an email with a document attached, supposedly a contract from a client. You think: "let's open this quickly and forward it to the boss!" But the moment you open the file, malware is downloaded to your corporate device. From then on the attackers watch your daily operations while they plan the theft. The moment someone at the infected company tries to transfer a large amount of cryptocurrency, the attackers intercept the transaction, change the recipient's address and raise the amount to the maximum the account allows, draining it in a single move.
The researchers at Kaspersky think that the attackers are currently actively experimenting and testing new malware distribution techniques, such as infecting the victim using previously unutilized file types like a new Visual Basic Script, an unknown Windows Batch file, and a Windows executable.
Sophisticated attackers have also become better at bypassing Windows security measures, and one technique BlueNoroff has adopted is the use of disk image files to circumvent Mark-of-the-Web (MOTW). In short, MOTW is a flag that Windows attaches to files downloaded from the Internet (stored as the Zone.Identifier alternate data stream on NTFS); applications consult it to decide whether to open the file in Protected View, show a SmartScreen warning or block the content outright. To get around this protection, threat actors have started delivering payloads inside ISO files (images of optical discs normally used to distribute software or media), because when a user mounts the image and opens a file from it, that file carries no MOTW and the warnings never appear. BlueNoroff has adopted the same trick.
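The following PowerShell, added here as an illustration and not code from Kaspersky or from the campaign, shows what the MOTW flag actually is and why a disk-image container defeats it. It reads the Zone.Identifier stream of a file, simulates a browser download on a constructed placeholder document, and then lists files on a mounted image that lack the flag. It assumes an NTFS volume, Windows PowerShell 5.1 or later, and the hypothetical path `C:\Users\alice\Downloads\contract.iso` for the image.

```powershell
# Added example: inspect the Mark-of-the-Web (Zone.Identifier ADS) and show
# that files opened from a mounted disk image carry no such mark.
# Paths and file names below are placeholders, not real campaign artefacts.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # The stream is plain INI text: [ZoneTransfer] / ZoneId=3 / HostUrl=...
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }   # no MOTW: Office will open it without Protected View
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    [pscustomobject]@{
        Path   = $Path
        ZoneId = [int][regex]::Match($text, 'ZoneId=(\d+)').Groups[1].Value   # 3 = Internet
        Host   = [regex]::Match($text, 'HostUrl=(.*)').Groups[1].Value.Trim()
    }
}

function Find-UnmarkedFiles {
    # Lists files under a directory that have no Zone.Identifier stream.
    # Run it on a folder the user extracted from an ISO: everything shows up.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File -Recurse |
        Where-Object { -not (Get-MotwZone $_.FullName) } |
        Select-Object -ExpandProperty FullName
}

# --- constructed demo: simulate a download and read the mark back ---------
$demoDir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$doc = Join-Path $demoDir 'contract.docx'          # placeholder, not a real document
Set-Content -LiteralPath $doc -Value 'placeholder content'
# A browser writes exactly this stream when saving a file from the Internet zone.
Set-Content -LiteralPath $doc -Stream Zone.Identifier -Value @"
[ZoneTransfer]
ZoneId=3
HostUrl=https://example.invalid/contract.docx
"@
Get-MotwZone $doc          # ZoneId 3, Host https://example.invalid/contract.docx

# --- the bypass: the container is marked, its contents are not ------------
$iso = 'C:\Users\alice\Downloads\contract.iso'     # assumed path to a downloaded image
if (Test-Path -LiteralPath $iso) {
    Get-MotwZone $iso                              # the ISO itself carries ZoneId=3
    $vol = Mount-DiskImage -ImagePath $iso -PassThru | Get-Volume
    $root = "$($vol.DriveLetter):\"
    # Copy the payload out as a victim would; the copy is created locally, so no mark.
    $copied = Join-Path $demoDir 'from-iso'
    Copy-Item -Path (Join-Path $root '*') -Destination $copied -Recurse -Force
    Find-UnmarkedFiles $copied                     # every file from the image is listed
    Dismount-DiskImage -ImagePath $iso | Out-Null
}
```

The same check explains the defender's options: a mail gateway or EDR rule can treat a downloaded `.iso` or `.vhd` attachment as suspicious regardless of what it contains, and `Unblock-File` is the cmdlet that removes the mark, so alerting on its use (or on the `Zone.Identifier` stream being deleted) catches users and scripts stripping the flag. Microsoft has since shipped updates that propagate MOTW into files inside mounted images; verify the behaviour on your own Windows build rather than assuming either way.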
The individual or group behind the cyberattacks is continually making them more powerful. For example, in October 2022, experts from Kaspersky discovered 70 counterfeit websites that were designed to look like reputable venture capital companies and banks from around the world, with many of them posing as Japanese firms like Beyond Next Ventures and Mizuho Financial Group. This suggests that this group has a specific interest in Japanese financial institutions. The data from Kaspersky also shows that this actor targets organizations in the United Arab Emirates and pretends to be companies from the United States and Vietnam.
Seongsu Park, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said: "As per our forecast in recent APT predictions for 2023, the new year will be marked by the cyber epidemics with the biggest impact, the strength of which has never been seen before. They will resemble the infamous WannaCry in their technological superiority and effect. Our findings in the BlueNoroff experiments prove that cybercriminals are not standing still and are constantly testing and analyzing new and more sophisticated tools of attack. On the threshold of new malicious campaigns, businesses must be more secure than ever: train your employees in the basics of cybersecurity and use a trusted security solution on all corporate devices."
For organizations’ protection, Kaspersky suggests the following:
• Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to identify phishing emails.
• Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
• Choose a proven endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behaviour-based detection and anomaly control capabilities for effective protection against known and unknown threats.
• Use a dedicated set of cybersecurity solutions for effective endpoint protection, threat detection and response products to detect and remediate even new and evasive threats in a timely fashion. Kaspersky Optimum Framework includes the essential set of endpoint protection empowered with EDR and MDR.