North Korean group BlueNoroff has find a new way to hack into your crypto wallets. Now it resembles banks and Japanese VC firms.
On December 27, Kaspersky Lab announced that the North Korean hacking group ‘BlueNoroff’ stole millions of dollars in cryptocurrencies after creating more than 70 fake domains and impersonating banks and venture capital firms.
According to the investigation, most of the domains mimicked Japanese venture capital firms, denoting a strong interest in user and company data within that country.
“After researching the infrastructure that was used, we discovered more than 70 domains used by this group, meaning they were very active until recently. Also, they created numerous fake domains that look like venture capital and bank domains.”
Until a few months ago, the BlueNoroff group used Word documents to inject malware. However, they recently improved their techniques, creating a new Windows Batch file that allows them to extend the scope and execution mode of their malware.
These new .bat files circumvent Windows Mark-of-the-Web (MOTW) security measures, a hidden mark attached to files downloaded from the Internet to protect users against files from untrusted sources.
After a thorough investigation in late September, Kaspersky confirmed that in addition to using new scripts, the BlueNoroff group began using .iso and .vhd disk image files to distribute viruses.
Kaspersky also found that a user in the United Arab Emirates fell victim to the BlueNoroff group after downloading a Word document called “Shamjit Client Details Form.doc,” which allowed the hackers to connect to his computer and extract information as they attempted to execute even more potent malware.
Once the hackers were logged into the computer, “they attempted to fingerprint the victim and install additional malware with high privileges,” however, the victim executed several commands to gather basic system information, preventing the malware from spreading out even more.