BlueNoroff, part of the North Korean state-sponsored Lazarus Group, has renewed its targeting of venture capital firms, crypto startups and banks. Cybersecurity lab Kaspersky reported that the group has shown a spike in activity after a lull for most of the year and is testing new delivery methods for its malware.
BlueNoroff has created more than 70 fake domains that mimic venture capital firms and banks. Most of the fakes presented themselves as well-known Japanese companies, but some also assumed the identity of United States and Vietnamese companies.
BlueNoroff introduces new methods bypassing MoTWhttps://t.co/C6q0l1mWqo
— Pentesting News (@PentestingN) December 27, 2022
The group has been experimenting with new file types and other malware delivery methods, according to the report. Once in place, its malware evades Windows Mark-of-the-Web security warnings about downloading content and then goes on to “intercept large cryptocurrency transfers, changing the recipient’s address, and pushing the transfer amount to the limit, essentially draining the account in a single transaction.”
Related: North Korea’s Lazarus behind years of crypto hacks in Japan — Police
According to Kaspersky, the problem with threat actors is worsening. Researcher Seongsu Park said in a statement:
“The coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before. […] On the threshold of new malicious campaigns, businesses must be more secure than ever.”
The BlueNoroff subgroup of Lazarus was first identified after it attacked the Bangladeshi central bank in 2016. It was among a group of North Korean cyber threats the U.S. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation mentioned in an alert issued in April.
North Korean threat actors associated with the Lazarus Group have been spotted attempting to steal nonfungible tokens in recent weeks as well. The group was responsible for the $600-million Ronin Bridge exploit in March.