"BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection"

BlueNoroff, a subcluster of the infamous Lazarus Group, has been observed incorporating Windows Mark of the Web (MotW) bypass techniques into its playbook. The new infection chain relies on optical disk image (.ISO) and virtual hard disk (.VHD) file types as delivery containers. According to security researcher Seongseok Park, who said the new attack technique was identified in September 2022, BlueNoroff set up multiple fake domains mimicking venture capital firms and banks. Some of the fraudulent domains were found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group.

Although MotW bypasses have been seen in the wild before, this is the first time BlueNoroff has included them in its attacks targeting the financial industry. BlueNoroff, also known as APT38, Nickel Gladstone, and Stardust Chollima, is part of the Lazarus threat group, which also includes Andariel and Labyrinth Chollima. The threat actor's financial motives make it an unusual nation-state actor in the threat landscape, and it has infiltrated organizations throughout North and South America, Europe, Africa, and Asia. It has been linked to high-profile cyberattacks on the SWIFT banking network in 2015 and 2016, including the Bangladesh Bank heist in February 2016 that resulted in the theft of $81 million. This article continues to discuss the BlueNoroff Advanced Persistent Threat (APT) group adopting new techniques to evade Windows MotW protections.

THN reports "BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection"