Analysis
On 27th December 2022, Secure list published a blog on APT38 BlueNoroff group adopting new attack methodologies, the APT38 is a threat group targeting financial institutions, one of the top operations performed by the group was the Bank of Bangladesh heist, where they have stolen around 81 million as per reports.
The threat actors started to deliver malware through the image files with the extension of .iso, as they adapted to this technique to avoid MOTW (Mark of the Web), where MOTW is a code inserted into a saved copy of a web page to indicate its origin, it’s a mitigation technique introduced by Microsoft. The BlueNoroff group delivers the ISO image file containing a PowerPoint slide show and a Visual basic script.
The PowerPoint contains a malicious link, when a user clicks a link, it executes the vbs file through the Wscript process. Additionally, Secure list has observed the download and launch of a new suspicious batch file, based on the naming convention of the file, secure list suspects bluenoroff's current target would be the blockchain industry.
Prevention
- Use Antivirus or EDR in all endpoints.
- Take regular backups of end devices to reduce the impact of cyber-attacks.
Detection
Create rules based on known indicators of threat activity in the SIEM (Security incident event management) tool for detection.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| T1566.002 | Phishing: Spearphishing Link | |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| T1204.001 | User Execution: Malicious Link | |
| T1204.002 | User Execution: Malicious File | |
| Persistence | T1547.008 | Boot or Logon AutoStart Execution: LSASS Driver |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| T1027.002 | Obfuscated Files or Information: Software Packing | |
| T1055.002 | Process Injection: Portable Executable Injection | |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | |
| T1218.007 | System Binary Proxy Execution: Msiexec | |
| T1218.011 | System Binary Proxy Execution: Rundll32 | |
| T1221 | Template Injection | |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Exfiltration | T1041 | Exfiltration over C2 Channel |
Indicators of Compromise (IOCs)
| Type | Indicator |
| Hash value for the malicious files |
087407551649376d90d1743bac75aac8 f766f97eb213d81bf15c02d4681c50a4 61a227bf4c5c1514f5cbd2f37d98ef5b 4c0fb06320d1b7ecf44ffd0442fc10ed d8f6290517c114e73e03ab30165098f6 d3503e87df528ce3b07ca6d94d1ba9fc 931d0969654af3f77fc1dab9e2bd66b a17e9fc78706431ffc8b3085380fe29f 1e3df8ee796fc8a13731c6de1aed0818 21e9ddd5753363c9a1f36240f989d3a9 |
| IPs |
152.89.247.87 172.86.121.130 104.168.174.80 |
| URLs |
hxxp://avid.lno- prima[.]lol/VcIf1hLJopY/shU_pJgW2Y/KvSuUJYGoa/sX+Xk4Go/gG hI= hxxp://avid.lno- prima[.]lol/NafqhbXR7KC/rTVCtCpxPH/kMjTqFDDNt/fiOHK5H35B /bM%3D hxxp://offerings[.]cloud/NafqhbXR7KC/rTVCtCpxPH/pdQTpFN6F C/Lhr_wXGXix/nQ%3D hxxps://docs.azure- protection[.]cloud/EMPxSKTgrr3/2CKnoSNLFF/0d6rQrBEMv/gGFr oIw5_m/n9hLXkEOy3/wyQ%3D%3D hxxps://docs.azure- protection[.]cloud/%2BgFJKOpVX/4vRuFIaGlI/D%2BOfpTtg/YTN0T U1BNx/bMA5aGuZZP/ODq7aFQ%3D/%3D hxxps://docs.azure- protection[.]cloud/+gFJKOpVX/4vRuFIaGlI/D+OfpTtg/YTN0TU1B Nx/bMA5aGuZZP/ODq7aFQ%3D/%3D hxxps://bankofamerica.us[.]org/lsizTZCslJm/W+Ltv_Pa/qUi+KSa D/_rzNkkGuW6/cQHgsE= hxxps://www.capmarketreport[.]com/packageupd.msi?ccop=RoP bnVqYd |
References
SECURELIST by Kaspersky
