BlueNoroff Cryptocurrency Focused APT Group

Industry: Finance & Technology | Level: Operational | Source: Securelist

Kaspersky shared research for BlueNoroff, an APT group tracked by Kaspersky that seemingly has associations with Lazarus. Kaspersky began tracking the group after their 2016 attack on Bangladesh’s Central Bank. The group's attack proficiency is most specialized in "the abuse of trust. Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means." The group's activities this year appear to have been focused on cryptocurrency startups. The group communicates through services such as Google Drive or LinkedIn messages as an initial lure, delivering malicious documents either directly or a compressed file that would also contain an LNK file. The malicious document's execution would launch PowerShell and/or a VBScript that conducts basic fingerprinting on the system before the threat actor proceeds with additional objectives such as collecting credentials or setting/stealing cryptocurrency, the group operates patiently to study the environment and blend their activities.

• Anvilogic Scenario: Malicious Document Delivering Malware
• Anvilogic Use Cases:
• Rundll32 Command Line
• Suspicious File written to Disk
• Windows Copy Files