BlueNoroff Hackers Mimic Banks, Bypass Windows Protection
Optical Disk Image, Virtual Hard Disk Files Inject Malware, Avoid Mark of the Web
Posing as leading banks offering cryptocurrency deals, the North Korea-backed BlueNoroff group is evading Microsoft Windows' Mark of the Web security measure to help infect machines with malware.
Hackers are refining their techniques for bypassing MOTW. Windows records the origin of a downloaded file in an NTFS alternate data stream named Zone.Identifier, and Explorer, SmartScreen and Office consult that tag before opening the file, warning the user or restricting the content. Kaspersky researchers found that hackers are using optical disk image (.iso) and virtual hard disk (.vhd) file formats to evade those warnings: the container itself carries the tag, but when the user mounts it, the files inside were presented without one, so no MOTW warning was shown.
Researchers observed the North Korea-backed BlueNoroff group creating fake domains that look like venture capital and bank domains to steal millions of dollars in cryptocurrencies. Attackers posed as Japanese venture capital companies in many instances, "indicating that the group has an extensive interest in Japanese financial entities," Kaspersky says.
BlueNoroff operators are imitating a variety of financial services companies, including Beyond Next Ventures, Sumitomo Mitsui Banking Corp., Mitsubishi UFJ Financial Group, Anobaka, Z Venture Capital, ABF Capital, Angel Bridge, Trans-Pacific Technology Fund and Bank of America.
Researchers spotted the latest campaign in September and confirmed that the actor had adopted new techniques to convey the final payload.
Refining Delivery Techniques
Threat actors are also refining their delivery methods. "The actor took advantage of several scripts, including Visual Basic Script and Windows Batch script. For intermediate infection, the actor introduced a downloader to fetch and spawn the next stage payload. Although the initial intrusion methods were very different in this campaign, the final payload that we had analyzed previously was used without significant changes," the researchers say.
In previous campaigns, BlueNoroff fooled victims by tricking them into opening Word documents injected with malware. The latest campaign used disk image files (.iso and .vhd) to avoid MOTW.
"When a Microsoft Office file is fetched from the internet, the OS opens it in Protected View, which restricts the execution of the embedded macro. In order to avoid this mitigation technique, more threat actors have started abusing ISO file types. The BlueNoroff group likely experimented with ISO image files to deliver their malware. Although it's still under development, we mention this sample as an early warning," says Seongsu Park, senior threat researcher with Kaspersky.
This ISO image file contains one PowerPoint slide show and one Visual Basic Script. The Microsoft PowerPoint file contains a link that, when clicked, executes the 1.vbs file through the WScript process.
"When we checked the VBS file, it only generated an 'ok' message, which suggests BlueNoroff is still experimenting with this method," Park says.
Further investigation revealed a .vhd sample, undetected by antivirus solutions, containing a decoy PDF file, a Windows executable file and an encrypted
Park says that the PDF and executable file names contain numerous spaces before the file extension in an attempt to hide the real extension from the user.
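A quick way to catch that padding trick on a directory listing is to flag any name whose extension is pushed far to the right by a run of spaces, and to call out the subset whose real extension is executable. The script below is an added example written for this page, not code from Kaspersky or from the report; the file names are constructed to resemble the decoy-PDF-plus-executable pairing the article describes, and the threshold of five spaces is an assumption.

```python
import re

# Constructed sample listing (not data from the report): a clean document,
# a padded executable posing as a PDF, a padded decoy PDF, and a plain blob.
SAMPLE_FILENAMES = [
    "Investment Proposal.pdf",
    "Investment Proposal.pdf                                                  .exe",
    "Term Sheet                                                               .pdf",
    "Dump.bin",
]

# Extensions Windows will run directly; a document-looking name ending in one is the bait.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "dll", "vbs", "js", "bat", "cmd"}

# Assumption: five or more spaces immediately before the final extension is padding,
# since ordinary file names rarely contain a run that long before the dot.
MIN_PADDING = 5

_PADDED_RE = re.compile(r" {%d,}\.([A-Za-z0-9]{1,4})$" % MIN_PADDING)


def padded_extension(name: str) -> bool:
    """True if the real extension is separated from the visible name by a run of spaces."""
    return _PADDED_RE.search(name) is not None


def hidden_executable(name: str) -> bool:
    """True if the name is padded AND its real extension is one Windows executes."""
    m = _PADDED_RE.search(name)
    return m is not None and m.group(1).lower() in EXECUTABLE_EXTS


def suspicious_files(names):
    """Return (padded_names, padded_executables) for a listing, preserving order."""
    padded = [n for n in names if padded_extension(n)]
    executables = [n for n in padded if hidden_executable(n)]
    return padded, executables


if __name__ == "__main__":
    padded, execs = suspicious_files(SAMPLE_FILENAMES)
    for n in padded:
        tag = "EXECUTABLE" if n in execs else "padded"
        print(f"{tag}: {n!r}")
```

Both padded names are reported, matching the article's point that the decoy PDF and the executable were disguised the same way; only the .exe is escalated as an executable hiding behind a document name.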
"The malware reads the first byte of Dump.bin, 0xAF in this file, and decodes 0x3E8 bytes with that key. The decrypted data is the header of a PE file, overwriting the recovered header to the original file. Eventually, it loads the decrypted DLL file by spawning the ordinary first export function," Park says.
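The reason this works against file scanners is that a DLL with its first 0x3E8 bytes scrambled has no MZ or PE signature, so nothing on disk looks like a Windows executable until the loader repairs it in memory. The script below is an added example for this page, not Kaspersky's code or the malware's: it rebuilds the header the way the quote describes, reading the key from the first byte and decoding the next 0x3E8 bytes. The decode operation is assumed to be a single-byte XOR (the article says only "decodes ... with that key"), the position of the encoded header directly after the key byte is an assumption, and the "original file" is a constructed minimal PE header stand-in rather than the real sample.

```python
import struct

HEADER_LEN = 0x3E8   # bytes decoded with the key, per the quoted analysis
SAMPLE_KEY = 0xAF    # key value the article reports for this sample


def build_fake_pe_header(e_lfanew: int = 0x80, total: int = HEADER_LEN) -> bytes:
    """Constructed stand-in for a real PE header: MZ stub, e_lfanew pointer, PE signature."""
    hdr = bytearray(total)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)   # offset of the PE signature
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(hdr)


def looks_like_pe(data: bytes) -> bool:
    """Cheap signature check: MZ at 0, PE\\0\\0 where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def encode_dump_bin(original: bytes, key: int) -> bytes:
    """Produce a Dump.bin-style blob: key byte, XOR-encoded header, untouched remainder.

    Assumption: single-byte XOR; the page does not name the operation."""
    if len(original) < HEADER_LEN:
        raise ValueError("original shorter than the header region")
    encoded_hdr = bytes(b ^ key for b in original[:HEADER_LEN])
    return bytes([key]) + encoded_hdr + original[HEADER_LEN:]


def recover_pe_header(blob: bytes) -> bytes:
    """Undo encode_dump_bin: read the key from byte 0, decode HEADER_LEN bytes, reassemble.

    Mirrors the quoted description: the decoded bytes are the PE header, which is written
    back over the encoded region so the result is laid out like the original file."""
    if len(blob) < 1 + HEADER_LEN:
        raise ValueError("blob too short to hold a key byte plus the encoded header")
    key = blob[0]
    body = blob[1:]
    decoded_hdr = bytes(b ^ key for b in body[:HEADER_LEN])
    return decoded_hdr + body[HEADER_LEN:]


# Constructed sample: a fake header followed by filler standing in for the DLL body.
ORIGINAL_FILE = build_fake_pe_header() + b"\x90" * 64
SAMPLE_DUMP_BIN = encode_dump_bin(ORIGINAL_FILE, SAMPLE_KEY)


if __name__ == "__main__":
    print("on-disk blob looks like PE:", looks_like_pe(SAMPLE_DUMP_BIN))       # False
    recovered = recover_pe_header(SAMPLE_DUMP_BIN)
    print("recovered image looks like PE:", looks_like_pe(recovered))          # True
    print("matches original:", recovered == ORIGINAL_FILE)
```

Note that a zero byte in the original header becomes 0xAF on disk, so even the padding gives the blob away once you know the scheme; a single-byte XOR key can also be recovered from the ciphertext alone by guessing that the first two decoded bytes must be "MZ".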
This spawned downloader contains an encrypted configuration at the end of the file. It first acquires the total size of the configuration data and the length of the payload URL from the end of the file.