Security News > 2022 > December > BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection
BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web protections.
"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.
It's worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by BlueNoroff in its intrusions against the financial sector.
Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from striking banks to solely focusing on cryptocurrency entities to generate illicit revenues.
In an alternate method, a malware-laced Windows batch file is launched by exploiting a living-off-the-land binary to retrieve a second-stage downloader that's used to fetch and execute a remote payload. Also uncovered by Kaspersky is a.VHD sample that comes with a decoy job description PDF file that's weaponized to spawn an intermediate downloader that masquerades as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing user-mode hooks.
The use of Japanese file names for one of the lure documents as well as the creation of fraudulent domains disguised as legitimate Japanese venture capital companies suggests that financial firms in the island country are likely a target of BlueNoroff.
News URL
https://thehackernews.com/2022/12/bluenoroff-apt-hackers-using-new-ways.html
Related news
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Hackers abuse Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Researchers Uncover Windows Flaws Granting Hackers Rootkit-Like Powers (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) (source)