A North Korean state-sponsored hacker group called the Lazarus Group has launched a new malware distribution program, according to cybersecurity firm Kaspersky.
Kaspersky recently released a report alleging that Lazarus is now posing as venture capitalists to spread malware. The researchers also said that BlueNoroff, the Lazarus-linked subgroup behind the campaign, can use the malware to bypass Mark-of-the-Web (MOTW) security measures. Behind its venture capitalist facade, BlueNoroff operates under the guise of wanting to invest in digital currencies.
In its report, Kaspersky explains:
“[BlueNoroff] has created many fake domains that look like venture capital and banking domains. Most of the domains mimic Japanese venture capital firms, indicating that the group has a strong interest in Japanese financial entities.”
In addition, Kaspersky said that threat actors associated with Lazarus have mimicked well-known venture capital firms and banks to spread malware, including Beyond Next Ventures, Angel Bridge, Bank of America and Mizuho Financial Group. According to Kaspersky, it detected BlueNoroff's global attacks targeting crypto startups in January this year. However, the firm also said that the hackers' activities had dropped off until the fall.
Kaspersky noted that BlueNoroff uses its malware to attack organizations that conduct operations using digital and Web3 channels. These channels include smart contracts, decentralized finance (DeFi), blockchain, and the fintech industry.
BlueNoroff also experimented with different file types to refine the malware's distribution methods. According to Kaspersky, the Lazarus Group affiliate deployed previously unseen Batch and Windows Visual Basic Script files as part of this testing. "As our latest findings show, this notorious actor has made slight changes to its malware distribution," the researchers conclude.
Kaspersky says Lazarus-affiliated phishing group is not slowing down its malicious practices
Kaspersky believes that BlueNoroff, which has about 1,700 individuals spread across the globe, is not about to slow down its activities. So far, the phishing group has deployed more than 70 domains in its quest to steal from crypto-currency startups.
Anticipating an even bigger and more active 2023 for BlueNoroff and other phishing groups, researcher Seongsu Park said:
“The coming year will see the most impactful cyber-epidemics, the strength of which has never been seen before. […] On the threshold of new malicious campaigns, businesses need to be more secure than ever.”
The BlueNoroff Lazarus subgroup first came to prominence after its attack on the Bangladesh central bank in 2016. In an April alert, the subgroup was also among the North Korean cyber threats named by a U.S. cybersecurity watchdog. According to the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation at the time, the threat from North Korean hackers called for increased security measures at crypto-currency companies.
Also in April, a specialized unit of the U.S. Treasury Department claimed that the Lazarus Group was behind the Ronin Bridge hack. That hack took place in March of this year and was worth over $600 million at the time.