Recent DPRK cyber operations: spying and theft.
Jan 3, 2023

The DPRK's BlueNoroff group is back, with new methods of malware delivery.

Researchers at Kaspersky warn that North Korea’s BlueNoroff group is using several new methods to deliver malware.

New malware delivery techniques.

BlueNoroff began using .iso and .vhd files to deliver their malware, which allows them to bypass Mark-of-the-Web flags:

“The first new method the group adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet. To do this, optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats were used. This is a common tactic used nowadays to evade MOTW, and BlueNoroff has also adopted it.”

The threat actor also seems to be testing out other file formats for malware delivery:

“We observed a new Visual Basic Script, a previously unseen Windows Batch file, and a Windows executable. It seems the actors behind BlueNoroff are expanding or experimenting with new file types to convey their malware efficiently.”
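
The Mark-of-the-Web described in the first quote above is stored by Windows in an NTFS alternate data stream named Zone.Identifier, and the downloaded container file itself still carries it. The following is an added triage example, not code from Kaspersky or the original article, that flags .iso and .vhd files marked as coming from the Internet zone; the file names, the URL and the helper names are constructed for illustration.

```python
import os

CONTAINER_EXTS = {".iso", ".vhd"}  # the two formats named in the article
ZONES = {0: "Local", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream into a dict of its keys."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading BOM
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def read_motw(path):
    """Return the Zone.Identifier text of a file on NTFS, or None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:  # no stream, or not an NTFS volume
        return None

def triage(name, zone_text):
    """Return a finding for a disk image downloaded from the Internet, else None."""
    fields = parse_zone_identifier(zone_text or "")
    zone = fields.get("ZoneId", "")
    is_container = os.path.splitext(name)[1].lower() in CONTAINER_EXTS
    if not is_container or not zone.isdigit() or int(zone) < 3:
        return None
    return {"file": name, "zone": ZONES.get(int(zone), zone),
            "source": fields.get("HostUrl", "unknown")}

# Constructed sample data (not from the report): file name -> stream text.
SAMPLES = {
    "pitch_deck.iso": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example/pitch_deck.iso\r\n",
    "backup.vhd": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "notes.docx": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "local.iso": None,
}

def scan(samples):
    return [f for f in (triage(n, z) for n, z in samples.items()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

On a Windows host, passing `read_motw(path)` to `triage` for each file in a downloads folder gives the same result for real files.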

Venture capital firms impersonated.

The threat actor set up multiple domains that impersonated venture capital firms, most of which were located in Japan. The impersonated firms included Beyond Next Ventures, ANOBAKA, Z Venture Capital, ABF Capital, and Angel Bridge. BlueNoroff also impersonated Bank of America.