bluenoroff-intrusion

Analysis

On 27th December 2022, Securelist (Kaspersky) published a blog post on the APT38 BlueNoroff group adopting new attack methodologies. APT38 is a threat group that targets financial institutions; one of its best-known operations was the Bank of Bangladesh heist, in which the group stole around 81 million as per reports.

The threat actors have started delivering malware inside disk image files with the .iso extension. They adopted this technique to evade MOTW (Mark of the Web), a mitigation introduced by Microsoft in which a marker is inserted into a saved copy of a web file to record its origin. The BlueNoroff group delivers an ISO image containing a PowerPoint slide show and a Visual Basic script.

The PowerPoint file contains a malicious link; when the user clicks it, the VBS file is executed through the WScript process. Additionally, Securelist observed the download and launch of a new suspicious batch file. Based on the file's naming convention, Securelist suspects that BlueNoroff's current target is the blockchain industry.

Prevention

  • Use antivirus or EDR on all endpoints.
  • Take regular backups of end devices to reduce the impact of cyber-attacks.

Detection

Create rules in the SIEM (Security Information and Event Management) tool based on known indicators of threat activity to detect this activity.
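The following is an added detection example, not code from the page or from Securelist, showing how the execution chain described above (PowerPoint spawning WScript for a VBS file that sits on a freshly mounted ISO drive, then WScript launching a batch file) can be turned into process-creation rules. It assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine); the sample events are constructed, and the rule names and the "non-system drive" heuristic are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"powerpnt.exe"}  # the PowerPoint slide show is the documented lure
SYSTEM_DRIVE = "C:"

# Constructed sample events (not real telemetry); fields mirror Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "E:\slide_notes.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\update.bat"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs"},  # benign admin script
]

def image_name(path: str) -> str:
    """Executable file name, lower-cased, taken from a full Windows path."""
    return PureWindowsPath(path).name.lower()

def script_drive(cmdline: str):
    """Drive letter (e.g. 'E:') of the first .vbs argument, or None if there is none."""
    m = re.search(r'\b([A-Za-z]:)\\[^"]*?\.vbs\b', cmdline, re.IGNORECASE)
    return m.group(1).upper() if m else None

def evaluate(event: dict) -> list:
    """Return (severity, rule, ATT&CK id) tuples for every rule that fires on one event."""
    img = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    hits = []
    if img in SCRIPT_HOSTS and parent in OFFICE_APPS:
        hits.append(("high", "office_app_spawned_script_host", "T1204.001/T1059.005"))
    if img in SCRIPT_HOSTS and script_drive(cmd) not in (None, SYSTEM_DRIVE):
        # heuristic: a mounted ISO appears as a new drive letter outside the system drive
        hits.append(("medium", "vbs_run_from_non_system_drive", "T1553.005"))
    if img == "cmd.exe" and parent in SCRIPT_HOSTS and ".bat" in cmd.lower():
        hits.append(("medium", "script_host_launched_batch_file", "T1059.003"))
    return hits

def scan(events: list) -> list:
    """(index, findings) for every event that triggers at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

The drive-letter heuristic will also fire on legitimate scripts run from USB media or network shares, so in production it is best used as an enrichment on the parent-child rule rather than as an alert on its own.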

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1566.001      Phishing: Spearphishing Attachment
Initial Access       T1566.002      Phishing: Spearphishing Link
Execution            T1059.003      Command and Scripting Interpreter: Windows Command Shell
Execution            T1059.005      Command and Scripting Interpreter: Visual Basic
Execution            T1204.001      User Execution: Malicious Link
Execution            T1204.002      User Execution: Malicious File
Persistence          T1547.008      Boot or Logon Autostart Execution: LSASS Driver
Defense Evasion      T1497.001      Virtualization/Sandbox Evasion: System Checks
Defense Evasion      T1027.002      Obfuscated Files or Information: Software Packing
Defense Evasion      T1055.002      Process Injection: Portable Executable Injection
Defense Evasion      T1553.005      Subvert Trust Controls: Mark-of-the-Web Bypass
Defense Evasion      T1218.007      System Binary Proxy Execution: Msiexec
Defense Evasion      T1218.011      System Binary Proxy Execution: Rundll32
Defense Evasion      T1221          Template Injection
Command and Control  T1071.001      Application Layer Protocol: Web Protocols
Exfiltration         T1041          Exfiltration Over C2 Channel

Indicators of Compromise (IOCs)

Hash values for the malicious files

IPs

URLs

References

SECURELIST by Kaspersky
