Security News > 2022 > December > BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection
BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web protections.
"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.
It's worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by BlueNoroff in its intrusions against the financial sector.
Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from striking banks to solely focusing on cryptocurrency entities to generate illicit revenues.
In an alternate method, a malware-laced Windows batch file is launched by exploiting a living-off-the-land binary to retrieve a second-stage downloader that's used to fetch and execute a remote payload. Also uncovered by Kaspersky is a.VHD sample that comes with a decoy job description PDF file that's weaponized to spawn an intermediate downloader that masquerades as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing user-mode hooks.
The use of Japanese file names for one of the lure documents as well as the creation of fraudulent domains disguised as legitimate Japanese venture capital companies suggests that financial firms in the island country are likely a target of BlueNoroff.
News URL
https://thehackernews.com/2022/12/bluenoroff-apt-hackers-using-new-ways.html
Related news
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- Hackers Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity (source)
- New Windows Driver Signature bypass allows kernel rootkit installs (source)
- North Korean hackers create Flutter apps to bypass macOS security (source)