This December 27, Kaspersky Lab announced that the North Korean hacking group ‘BlueNoroff’ stole millions of dollars in cryptocurrencies after creating more than 70 fake domains and impersonating banks and venture capital firms.
According to the investigation, most of the domains mimicked Japanese venture capital firms, denoting a strong interest in user and company data within that country.
“After researching the infrastructure that was used, we discovered more than 70 domains used by this group, meaning they were very active until recently. Also, they created numerous fake domains that look like venture capital and bank domains.”
The BlueNoroff Group Perfected Its Infection Techniques
Until a few months ago, the BlueNoroff group used Word documents to inject malware. However, they recently improved their techniques, creating a new Windows Batch file that allows them to extend the scope and execution mode of their malware.
These new .bat files circumvent Windows Mark-of-the-Web (MOTW), a hidden mark that Windows attaches to files downloaded from the Internet to protect users against files from untrusted sources.
After a thorough investigation in late September, Kaspersky confirmed that in addition to using new scripts, the BlueNoroff group began using .iso and .vhd disk image files to distribute viruses.
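To make the MOTW mechanism concrete for defenders, here is an added example (not code from Kaspersky or from the original article) that triages a file inventory by its Mark-of-the-Web data. It assumes the mark is stored as a `Zone.Identifier` stream whose text contains a `[ZoneTransfer]` section with `ZoneId=3` for Internet downloads, and that files opened from inside a mounted disk image may carry no mark at all; the file names and triage rules are constructed for illustration.

```python
import configparser
from pathlib import PureWindowsPath

CONTAINER_EXTS = {".iso", ".vhd"}  # disk image types named in the article
SCRIPT_EXTS = {".bat"}             # batch files named in the article
INTERNET_ZONE = 3                  # ZoneId recorded for Internet downloads


def parse_zone_identifier(stream_text):
    """Return the ZoneId from Zone.Identifier text, or None if absent or invalid."""
    if not stream_text:
        return None
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        parser.read_string(stream_text)
        return int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None


def triage(path, stream_text):
    """Classify one file from its name and Zone.Identifier text (None = no stream)."""
    ext = PureWindowsPath(path).suffix.lower()
    zone = parse_zone_identifier(stream_text)
    if ext in CONTAINER_EXTS and zone == INTERNET_ZONE:
        return "review: disk image from the Internet"
    if ext in SCRIPT_EXTS and zone is None:
        return "review: script without MOTW"
    if zone == INTERNET_ZONE:
        return "marked: Internet zone"
    return "no finding"


# Constructed sample inventory (path, stream text); not data from the report.
SAMPLES = [
    (r"C:\Users\analyst\Downloads\presentation.iso",
     "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/p.iso\r\n"),
    (r"E:\open_me.bat", None),  # script sitting inside a mounted image
    (r"C:\Users\analyst\Downloads\report.pdf", "[ZoneTransfer]\nZoneId=3\n"),
    (r"C:\Tools\build.vhd", None),
]


def run_samples():
    """Triage every constructed sample and return {path: verdict}."""
    return {path: triage(path, text) for path, text in SAMPLES}


if __name__ == "__main__":
    for path, verdict in run_samples().items():
        print(f"{verdict:40} {path}")
```

On an NTFS volume the stream text for a real file can be read in PowerShell with `Get-Content -Stream Zone.Identifier` and passed to `triage`.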
Kaspersky also found that a user in the United Arab Emirates fell victim to the BlueNoroff group after downloading a Word document called “Shamjit Client Details Form.doc,” which allowed the hackers to connect to his computer and extract information as they attempted to execute even more potent malware.
Once the hackers were logged into the computer, “they attempted to fingerprint the victim and install additional malware with high privileges.” However, the victim executed several commands to gather basic system information, preventing the malware from spreading further.
Hacking Techniques Become More Dangerous
Believe it or not, reports say that North Korea leads the world in terms of crypto crime. Reports say that North Korean hackers have been able to steal over $1 billion worth of crypto until May of 2022. Its largest group, Lazarus, has been identified as responsible for major phishing attacks and malware-spreading techniques.
After the theft of more than 620 million dollars from Axie Infinity, the North Korean hacker group Lazarus, one of the largest hacker groups in the world, raised enough money to improve their software to such an extent that they created an advanced cryptocurrency scheme through a domain called bloxholder.com which they used as a front to steal the private keys of many of their “customers.”
As reported by Microsoft, attacks targeting cryptocurrency organizations for higher rewards have increased over the past few years, so attacks have become more complex than before.
One of the newest techniques used by hackers through Telegram groups is sending infected files disguised as Excel tables containing exchange company fee structures as a hook.
Once the victims open the files, they download a series of programs allowing the hacker to remotely access the infected device, whether it is a mobile device or a PC.