"North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains"

Security researchers at Kasperksy discovered that North Korea's BlueNoroff hackers have updated their arsenal and delivery techniques in a new wave of attacks targeting banks and venture capital firms.  Part of Lazarus, a hacking group linked to the North Korean government, BlueNoroff is financially motivated and has been blamed for numerous cyberattacks targeting banks, cryptocurrency firms, and other financial institutions.  The researchers stated that following several months of silence, the group has resumed its activities this fall with renewed attacks that leverage new malware and updated delivery techniques that include new file types and a method of bypassing Microsoft's Mark-of-the-Web (MotW) protections.  Specifically, the hackers are distributing optical disk image (.iso) and virtual hard disk (.vhd) files containing decoy Office documents, which allows them to avoid the MotW warning that Windows typically displays when a user attempts to open a document downloaded from the internet.  Relying on phishing, BlueNoroff attempts to infect target organizations to intercept cryptocurrency transfers and drain accounts.  The researchers noted that as part of the new campaign, the hacking group has registered roughly 70 fake domains mimicking well-known banks and venture capital firms, with a focus on Japanese firms.  Organizations in UAE, the US, and Vietnam are also targeted.  These domains have been used for phishing attacks aimed at startup employees.  According to the researchers, the group also "adopted new techniques to convey the final payload," including the use of Visual Basic Script and Windows Batch scripts and the introduction of a new downloader to fetch the next stage payload.

SecurityWeek reports: "North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains"