Lazarus Group, BlueNoroff Spreads Malware as VC Firms

Delfrina Yasmine . December 28, 2022

Picture: BBC 

Techspace - BlueNoroff, the name given by security researchers to a group linked with North Korean state-sponsored hacking collective Lazarus Group, has expanded its criminal activities to include posing as venture capitalists looking to invest in crypto startups, according to a recent report from cybersecurity company Kaspersky.

Kaspersky Lab stated on December 27 that the North Korean hacker organization 'BlueNoroff' stole millions of dollars in cryptocurrency after building more than 70 phony websites and impersonating banks and venture capital businesses. The gang appears to be intent on assaulting cryptocurrency companies and banks.

According to Kaspersky, the criminal group is looking at new ways to spread its malware after a pause for most of the year. BlueNoroff allegedly set up over 70 bogus websites impersonating banks and venture capital firms. The majority of the fraudulent websites claimed to be legitimate Japanese businesses, with some posing as American and Vietnamese enterprises.

According to the research, Kaspersky discovered worldwide attacks by BlueNoroff targeting cryptocurrency businesses in January 2022, and there was a break in activity until the fall.

BlueNoroff is deploying malware to attack firms dealing with smart contracts, DeFi, blockchain, and the FinTech industry, according to Kaspersky. Kaspersky also reports that BlueNoroff is using tooling to circumvent Mark-of-the-Web (MOTW), the Windows mechanism that shows a warning when a user tries to open a file downloaded from the Internet.

BlueNoroff Group Improved Infection Methods

Until recently, the BlueNoroff group used Word documents to deliver its malware. It has since upgraded its tactics, adopting a new Windows batch file that lets it broaden the scope and execution mode of its malware.

These new .bat scripts evade Windows Mark-of-the-Web (MOTW) protections, hidden markers attached to files downloaded from the Internet that warn users about files from untrusted sources.

After a comprehensive examination in late September, Kaspersky found that, in addition to the new scripts, the BlueNoroff gang had begun using .iso and .vhd disk image files to deliver malware.
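As an added illustration (not part of the original article or Kaspersky's report), a small Python triage helper that reads and parses the Zone.Identifier stream Windows uses for MOTW and flags the file types mentioned above when they carry an Internet-zone mark or no mark at all, as happens for files inside a mounted disk image; the sample stream text and filenames are constructed.

```python
"""Mark-of-the-Web (MOTW) triage helper: parse the Zone.Identifier stream that
Windows attaches to downloaded files and flag the file types discussed above
(.bat scripts, .iso/.vhd disk images, Word documents) for review.
Intended to be run over a downloads folder or the contents of a mounted image.
Sample stream contents below are constructed for the example."""
import os
from typing import Optional

URLZONE_INTERNET = 3            # ZoneId=3 means "downloaded from the Internet"
REVIEW_EXTENSIONS = {".bat", ".cmd", ".iso", ".vhd", ".vhdx", ".doc", ".docm"}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block into a dict (keys lower-cased)."""
    fields = {}
    for line in stream_text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def read_motw(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream for a file on NTFS, or None when
    absent (never downloaded, stripped, or extracted from a mounted disk image)."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:          # stream not present or not an NTFS volume
        return None


def triage(filename: str, stream_text: Optional[str]) -> str:
    """Classify a file by extension and its MOTW state.
    'flag-internet' = risky type marked as Internet zone,
    'flag-unmarked'  = risky type with no mark (the disk-image bypass above),
    'ok' otherwise."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in REVIEW_EXTENSIONS:
        return "ok"
    if stream_text is None:
        return "flag-unmarked"
    zone = parse_zone_identifier(stream_text).get("zoneid")
    return "flag-internet" if zone == str(URLZONE_INTERNET) else "ok"


# Constructed sample: what a browser writes for a file fetched from a web site.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/form.doc\r\n"
```

On a Windows host, `triage(p, read_motw(p))` can be applied to each path in a folder; on other platforms `read_motw` returns None, so only the extension check applies.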

Kaspersky also discovered that a user in the United Arab Emirates fell victim to the BlueNoroff group after downloading a Word document called "Shamjit Client Details Form.doc," which allowed the hackers to connect to his computer and extract information while attempting to execute even more potent malware.

Once the hackers gained access to the computer, "they attempted to fingerprint the victim and install more malware with high privileges," but the victim issued multiple commands to acquire basic system information, preventing the infection from spreading further.

A Precipitous Descent

In August, the organization sent job postings on LinkedIn to candidates for an engineering manager position at bitcoin exchange Coinbase.

In September, the Lazarus Group targeted Coinbase and job candidates in two separate phishing campaigns. One malware attack enticed job hunters to download a PDF document displaying vacant positions. If downloaded, the PDF would install a trojan horse and steal personal and financial information.

In October, cybercriminals stole more than $100 million in bitcoin by exploiting a vulnerability in the Binance Smart Chain.

An anonymous perpetrator began siphoning assets from FTX wallets totaling $640 million in tokens on November 11, 2022, the day FTX filed for Chapter 11 bankruptcy protection.

While the story of the fall of Sam Bankman-Fried and FTX has taken over the headlines, the threat posed by cyber criminals has never subsided.

Hacking Methods Grow Dangerous

Believe it or not, North Korea is said to be the world leader in crypto crime. According to reports, North Korean hackers could steal more than $1 billion in cryptocurrency until May 2022. Its most powerful faction, Lazarus, has been blamed for massive phishing assaults and malware-spreading tactics.

Following the theft of over 620 million dollars from Axie Infinity, the North Korean hacker group Lazarus, one of the world's largest hacker groups, raised enough money to improve their software to the point where they developed an advanced cryptocurrency scheme via a domain called, which they used as a front to steal the private keys of many of their "customers."

According to Microsoft, assaults on cryptocurrency organizations for more significant rewards have escalated in recent years, making attacks more complicated.

As a hook, hackers are delivering infected files masquerading as Excel tables detailing exchange business charge structures via Telegram channels.

When victims open the files, they download a series of apps that allow the hacker to remotely access the infected device, which might be a mobile device or a PC.
