BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections.
This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.
“BlueNoroff created numerous fake domains impersonating venture capital companies and banks,” security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.
Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a “keen interest” in the region.
It’s worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by BlueNoroff in its intrusions against the financial sector.
Also called by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is part of the larger Lazarus threat group that also comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).