BlueNoroff

Researchers at Kaspersky have observed BlueNoroff, one of the sub-clusters of the notorious Lazarus Group, adopting new techniques to bypass the protections put in place by the Windows Mark-of-the-Web (MotW) in order to accomplish its goals.

The new infection chain uses files of the following types:-

  • Optical disk image (.ISO extension)
  • Virtual hard disk (.VHD extension)

The actor also used several types of scripts, including:-

  • Visual Basic Script
  • Windows Batch scripts

To impersonate venture capital companies and banks, BlueNoroff created a number of fake domains. The fake domains found were imitating companies and banks with the following names:-

  • ABF Capital
  • Angel Bridge
  • ANOBAKA
  • Bank of America
  • Mitsubishi UFJ Financial Group

Most of these companies and banks are based in Japan, which clearly demonstrates the cluster's keen interest in the region.

Long-lasting initial infection

Kaspersky observed an incident in which a malicious Word document was used to attack an individual in the UAE. On September 2, 2022, the victim received a document named “Shamjit Client Details Form.doc”, which contained the details of his client.

The following path has been used for the execution of this document:-

  • C:\Users\[username]\Desktop\SALES OPS [redacted]\[redacted]\Signed Forms & Income Docs\Shamjit Client Details Form.doc

The file path indicates that the victim worked in the sales department and was responsible for signing contracts for the company.

Once the malicious document is launched, it connects to the remote server, downloads the payload, and launches the malicious program. In this particular case, ieinstal.exe was used to bypass User Account Control (UAC).

Technical analysis

During the infection process, the operator executed several Windows commands to gather basic information about the system.

As soon as the malicious Word document is opened, it reaches the remote server to retrieve the next payload:

  • Download URL: http://avid.lno-prima[.]lol/VcIf1hLJopY/shU_pJgW2Y/KvSuUJYGoa/sX+Xk4Go/gGhI=

In this case, the fetched payload is saved as %Profile%\update.dll, and the following commands are executed to run it:-

  • Command #1: rundll32.exe %Profile%\update.dll,#1 5pOygIlrsNaAYqx8JNZSTouZNjo+j5XEFHzxqIIqpQ==
  • Command #2: rundll32.exe %Profile%\update.dll,#1 5oGygYVhos+IaqBlNdFaVJSfMiwhh4LCDn4=
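The rundll32 invocations above have several traits a defender can key on: a DLL loaded from the user profile rather than a system directory, an export referenced by ordinal (`#1`), an opaque base64-looking argument, and an Office process as the parent. The following scoring logic is an added example written for this article (not code from Kaspersky or the article itself); the process-creation events are constructed Sysmon-style records, with the first command line reusing the arguments quoted above.

```python
import re

# Constructed Sysmon-style process-creation events (not taken from any real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\update.dll,#1 5pOygIlrsNaAYqx8JNZSTouZNjo+j5XEFHzxqIIqpQ=="},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign: Control Panel applet
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",        # profile DLL + ordinal + encoded arg
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,#2 aGVsbG8gd29ybGQhIQ=="},
    {"ParentImage": r"C:\Windows\explorer.exe",            # only one weak trait: stays below threshold
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\carol\AppData\Local\Temp\setup.dll,InstallHook"},
]

RUNDLL = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>\S+),(?P<export>\S+)(?:\s+(?P<arg>\S+))?', re.I)
PROFILE_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)   # DLL rooted in %Profile%
ORDINAL_EXPORT = re.compile(r"^#\d+$")                         # export called by ordinal, e.g. #1
BASE64_ARG = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")         # opaque encoded argument
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")

def score_event(event):
    """Return the list of suspicious traits found in one rundll32 process-creation event."""
    m = RUNDLL.match(event.get("CommandLine", "").strip())
    if not m:
        return []  # not a rundll32 launch; out of scope for this rule
    reasons = []
    if PROFILE_DIR.match(m["dll"]):
        reasons.append("dll_in_user_profile")
    if ORDINAL_EXPORT.match(m["export"]):
        reasons.append("ordinal_export")
    if m["arg"] and BASE64_ARG.match(m["arg"]):
        reasons.append("base64_like_argument")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS:
        reasons.append("office_parent")
    return reasons

def detect(events, threshold=2):
    """Return (index, reasons) for every event with at least `threshold` suspicious traits."""
    hits = []
    for i, event in enumerate(events):
        reasons = score_event(event)
        if len(reasons) >= threshold:
            hits.append((i, reasons))
    return hits
```

The threshold keeps single weak signals (a legitimate installer DLL under a user profile) out of the alert stream while still flagging the Office-spawned chain from the write-up.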

The BlueNoroff group also uses other methods to get information, including a ZIP archive that contains the following elements:-

  • A password-protected decoy document
  • A shortcut file named “Password.txt.lnk”

Alternatively, the infection can start from a batch file with malicious content embedded in it. A second-stage downloader, obtained through a LOLBin, then fetches and executes the payload from the remote server.

Concerns over its nuclear program have led a number of countries and the UN to impose economic sanctions on North Korea, and the country has turned to cyber warfare as a major response. Furthermore, it has become one of the most profitable sources of income for a country that suffers from a chronic cash crisis.

With the help of their cyberattack capabilities, the BlueNoroff group was able to steal cryptocurrency worth millions of dollars.

This evidence indicates that the group is strongly financially motivated and is ultimately successful in profiting from the cyberattacks it perpetrates.

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.