Security Experts:

Connect with us

Hi, what are you looking for?



North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains

North Korea’s BlueNoroff hackers have updated their arsenal and delivery techniques in a new wave of attacks targeting banks and venture capital firms, cybersecurity firm Kaspersky reports.

North Korea’s BlueNoroff hackers have updated their arsenal and delivery techniques in a new wave of attacks targeting banks and venture capital firms, cybersecurity firm Kaspersky reports.

Part of Lazarus, a hacking group linked to the North Korean government, BlueNoroff is financially motivated and has been blamed for numerous cyberattacks targeting banks, cryptocurrency firms, and other financial institutions.

Following several months of silence, the group has resumed its activities this fall with renewed attacks that leverage new malware, and updated delivery techniques that include new file types and a method of bypassing Microsoft’s Mark-of-the-Web (MotW) protections.

Specifically, the hackers are distributing optical disk image (.iso) and virtual hard disk (.vhd) files containing decoy Office documents, which allows them to avoid the MotW warning that Windows typically displays when a user attempts to open a document downloaded from the internet.

Relying on phishing, BlueNoroff is attempting to infect target organizations to intercept cryptocurrency transfers and drain accounts.

As part of the new campaign, the hacking group has registered roughly 70 fake domains mimicking well-known banks and venture capital firms, with a focus on Japanese firms. Organizations in UAE, US, and Vietnam are also targeted. These domains have been used for phishing attacks aimed at startup employees.

According to Kaspersky, the group also ‘adopted new techniques to convey the final payload’, including the use of Visual Basic Script and Windows Batch scripts, and the introduction of a new downloader to fetch the next stage payload.

In September, a victim in UAE was targeted with a malicious Office document designed to connect to a remote server and download a payload named ieinstal.exe, which helped bypass the User Access Control (UAC) protections.

After infection, the threat actor used the backdoor to perform keyboard hands-on activities such as fingerprinting and the installation of additional malware with high privileges.

In another attack, the group was observed using a downloader that checks the system for antivirus programs from Avast, Avira, Bitdefender, Kaspersky, Microsoft, Sophos, and Trend Micro, to disable them.

BlueNoroff was also observed exploiting living-of-the-land binaries (LOLBins) and using various scripts to display a decoy document and fetch the next-stage payload, as well as using a new Windows executable-type downloader that spawns a fake password file and downloads a payload.

As part of the campaign, the hackers also used fake domains for hosting malicious documents and payloads, and fake domains imitating legitimate financial and investment companies, most of which are Japanese organizations. Lately, the group also targeted cryptocurrency-related businesses.

“As we can see from our latest finding, this notorious actor has introduced slight modifications to deliver their malware. This also suggests that attacks by this group are unlikely to decrease in the near future,” Kaspersky concludes.

Organizations are advised to train their employees on phishing, perform a network audit to identify vulnerabilities and weaknesses, and deploy and maintain security solutions that offer endpoint protection and threat detection and response capabilities.

Related: Google Documents IE Browser Zero-Day Exploited by North Korean Hackers

Related: North Korean Hackers Exploit Dell Driver Vulnerability to Disable Windows Security

Related: North Korean Gov Hackers Caught Rigging Legit Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack