Kaspersky: BlueNoroff updates its attacks with more dangerous software
Kaspersky researchers have discovered that the notorious BlueNoroff APT group has added new, more sophisticated malware and delivery methods to its destructive arsenal.
The group is known for financially motivated attacks on cryptocurrency businesses and financial institutions around the world, particularly venture capital firms, cryptocurrency startups and banks.
BlueNoroff is currently experimenting with new file types to make its malware delivery more effective and has registered more than 70 fake domains impersonating venture capital firms and banks to lure startup employees.
BlueNoroff is part of the larger Lazarus group and has used its sophisticated malware techniques to target organizations involved primarily in smart contracts, decentralized finance (DeFi), blockchain and fintech.
The group went quiet for most of 2022 after Kaspersky experts reported a series of BlueNoroff attacks on cryptocurrency startups around the world. But Kaspersky telemetry shows that the group returned last autumn, more sophisticated and more active than before.
In one case the group emailed a document to a salesperson at a large financial institution. The employee took it for a contract from a customer and assumed it had to be opened quickly and forwarded to a manager.
Once the file was opened, malware was installed on the employee's computer, letting the group monitor the staff's daily activity while it planned the theft. When the attackers see that employees of the infected company are about to transfer a large amount of cryptocurrency, they intercept the transaction, replace the recipient address and raise the transfer amount, draining the cryptocurrency accounts.
According to Kaspersky experts, the attackers are currently experimenting with new ways to deliver malware to their targets. They infect victims with file types they had not used before: new Visual Basic Script files, a previously unseen kind of Windows batch file, and Windows executables.
Besides using tactics common among advanced cybercriminals, the group has developed its own techniques to bypass Windows security features more effectively.
Many threat actors have recently turned to disk image files to evade the Mark-of-the-Web (MOTW), the flag Windows attaches to a file downloaded from the Internet. The flag causes Windows to warn the user when the file is opened (for example, by opening an Office document in Protected View).
A growing number of threat actors, including BlueNoroff, use the ISO file type (a digital copy of an optical disc, normally used to distribute software or multimedia content) to bypass this protection: the downloaded ISO carries the mark, but the files inside the mounted image do not.
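The following PowerShell script is an added illustration of the MOTW weakness described above; it is not code from the Kaspersky report or from the group's tooling. It assumes a Windows host and a hypothetical ISO at C:\Users\analyst\Downloads\sample.iso that was saved by a browser, so the container itself carries the Zone.Identifier alternate data stream. It mounts the image and reads the stream on every file inside, which is exactly where the mark goes missing.

```powershell
# Added example (not from the Kaspersky report): show why an ISO defeats Mark-of-the-Web.
# Assumes a Windows host and a hypothetical ISO at C:\Users\analyst\Downloads\sample.iso
# that was saved by a browser, so the container carries a Zone.Identifier stream.
param(
    [string]$IsoPath = 'C:\Users\analyst\Downloads\sample.iso'
)

function Get-MotwZoneId {
    param([string]$Path)
    # MOTW lives in an NTFS alternate data stream named Zone.Identifier whose
    # [ZoneTransfer] section holds ZoneId (0 local, 1 intranet, 2 trusted,
    # 3 Internet, 4 restricted). Volumes without ADS support (CDFS, FAT) cannot hold it.
    $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($lines)) {
        if ($line -match '^ZoneId=(\d)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

$containerZone = Get-MotwZoneId -Path $IsoPath
$containerText = if ($null -eq $containerZone) { 'none' } else { $containerZone }
Write-Host ("Container {0}: ZoneId={1}" -f $IsoPath, $containerText)

# Mount the image; Windows exposes it as a read-only CDFS volume with its own drive letter.
$image  = Mount-DiskImage -ImagePath $IsoPath -PassThru
$letter = ($image | Get-Volume).DriveLetter
try {
    # On an unpatched system every file here reports no ZoneId: the Internet-zone mark
    # on the ISO is not inherited, so an .exe/.vbs/.lnk launched from the mounted volume
    # gets no SmartScreen prompt and an Office document opens without Protected View.
    Get-ChildItem -Path "${letter}:\" -Recurse -File | ForEach-Object {
        $zone     = Get-MotwZoneId -Path $_.FullName
        $zoneText = if ($null -eq $zone) { 'none (MOTW lost)' } else { $zone }
        [pscustomobject]@{ File = $_.FullName; ZoneId = $zoneText }
    } | Format-Table -AutoSize
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

Run it once on a patched and once on an unpatched machine: Microsoft's November 2022 Windows updates changed this behaviour so that the mark is propagated to files inside a mounted ISO, and the script makes the difference visible. On hosts that cannot be patched, treating every ISO arriving by email or download as hostile, and alerting on Mount-DiskImage or Explorer mounts of user-downloaded images, closes the same gap from the detection side.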
BlueNoroff keeps scaling up its attacks. Last October, Kaspersky researchers noticed the appearance of 70 fake domains impersonating well-known banks and venture capital firms, most of them Japanese, such as Beyond Next Ventures and Mizuho Financial Group, which points to the group's interest in Japanese financial institutions. According to Kaspersky, the group also targeted companies in the United Arab Emirates while posing as American and Vietnamese companies.
According to Seongsu Park, Senior Security Researcher in Kaspersky's Global Research and Analysis Team, the Kaspersky Advanced Persistent Threat predictions for 2023 warn that the coming year may bring a powerful and dangerous cyber epidemic.
Park added: “The next attack will resemble the famous WannaCry campaign in terms of technical superiority and devastating impact. The results we received in our analysis of the BlueNoroff group prove that cybercriminals are always trying new and more sophisticated attacks. As we stand on the eve of the emergence of new security vulnerabilities, organizations of all types should pay more attention to their security, educate their employees on the basics of digital security and start using a robust security solution on all their devices.”
Kaspersky recommends that companies protect themselves by giving employees basic digital security training, including simulated phishing attacks, so that staff learn to recognise phishing emails.
It also recommends conducting a security audit of the corporate network and fixing any weaknesses or vulnerabilities discovered in or around it, and choosing a reliable endpoint security solution such as Kaspersky Endpoint Security for Business, which detects threats by behaviour, monitors anomalous traffic and protects against both known and unknown threats.
Kaspersky advises using a tailored set of security products to protect endpoints, combined with threat detection and response solutions that can spot even new and evasive threats and act on them in time.
For example, Kaspersky Optimum Framework includes a core set of endpoint protection tools together with endpoint detection and response (EDR) and managed detection and response (MDR) capabilities.