The Lazarus Group, the infamous North Korean state-sponsored hacking group, has become the latest threat actor to evade Microsoft’s Mark of the Web (MoTW) security feature. Lazarus used the tactic, through its BlueNoroff subgroup, in a recent campaign against venture capital firms, crypto startups, and banks.
According to cybersecurity firm Kaspersky, the group has been active again after a period of low activity and has been testing new ways to deliver its malware.
The researchers found the group to be very active, using over 70 domains in the campaign. Many of these were fake domains resembling those of venture capital firms and banks, with a majority imitating Japanese venture capital companies.
Separately, two vulnerabilities present in various versions of Windows could allow attackers to bypass the Mark of the Web feature by sneaking malicious attachments and files past it without the flag, DarkReading reported in October.
Lazarus and venture capital targets
“The first new method the group adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet,” wrote Kaspersky researcher Seongsu Park.
“To do this, optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats were used. This is a common tactic used nowadays to evade MOTW, and BlueNoroff has also adopted it.”
In order to carry out these attacks, BlueNoroff has created over 70 fake domains that mimic real venture capital firms and banks. Many of these fake domains pose as Japanese companies, but some have also pretended to be American and Vietnamese companies.
The group has also been experimenting with different file types and malware delivery methods, including ones that bypass the security warnings Windows shows when downloaded content is opened. Once the malware is in place, it can intercept large cryptocurrency transfers, changing the recipient’s address and draining the account in a single transaction.
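As an added illustration (not part of Kaspersky's report or this article), the following Python script shows where the MoTW flag actually lives and why a mounted ISO or VHD defeats it: the flag is an NTFS alternate data stream named `Zone.Identifier` that the browser attaches to the downloaded container, and files mounted from inside that container carry no such stream, so SmartScreen and Office see them as local. The script parses the stream body and flags Internet-zone downloads whose extension is a mountable container. The `.iso` and `.vhd` extensions come from the Kaspersky quote above; the `.vhdx` and `.img` entries, the sample stream contents, and all function names are assumptions of this example.

```python
"""Triage helper for Mark-of-the-Web (MoTW) state on downloaded files.

MoTW is an NTFS alternate data stream (ADS) named Zone.Identifier whose body is
INI-like:

    [ZoneTransfer]
    ZoneId=3
    HostUrl=https://example.invalid/deck.iso

ZoneId 3 (Internet) or 4 (Restricted) is what triggers the "this file came
from the internet" warnings. The stream sits on the container the victim
downloaded; files mounted from inside an .iso/.vhd get no stream of their own.
"""
import os
import sys
from typing import Optional

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Mountable disk-image formats whose contents are opened without MoTW.
# .iso and .vhd are named in the Kaspersky report; .vhdx and .img are
# assumptions (other image formats Explorer mounts the same way).
CONTAINER_EXTENSIONS = {".iso", ".vhd", ".vhdx", ".img"}

# Constructed sample stream body for offline use (not captured from a real file).
SAMPLE_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/deck.iso\r\n"


def parse_zone_identifier(data: bytes) -> dict:
    """Parse a Zone.Identifier stream body into a dict; ZoneId becomes an int.

    Returns {} for an empty stream or one without a [ZoneTransfer] section.
    """
    result = {}
    in_section = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key.lower() == "zoneid":
                try:
                    result["ZoneId"] = int(value)
                except ValueError:
                    continue  # malformed ZoneId: treat as absent
            else:
                result[key] = value
    return result


def read_zone_identifier(path: str) -> Optional[bytes]:
    """Read the raw Zone.Identifier ADS of a file on NTFS.

    Returns None when the stream does not exist (no MoTW) or the filesystem
    has no named streams at all (e.g. a mounted ISO, or a non-Windows host).
    """
    try:
        with open(path + ":Zone.Identifier", "rb") as f:
            return f.read()
    except OSError:
        return None


def classify(path: str, stream: Optional[bytes]) -> dict:
    """Summarize MoTW state for one file and flag containers that defeat it."""
    ext = os.path.splitext(path)[1].lower()
    info = parse_zone_identifier(stream) if stream else {}
    zone = info.get("ZoneId")
    return {
        "path": path,
        "has_motw": zone is not None,
        "zone": ZONE_NAMES.get(zone, "Unknown") if zone is not None else None,
        "host_url": info.get("HostUrl"),
        "is_container": ext in CONTAINER_EXTENSIONS,
        # An Internet-zone disk image: everything mounted from it opens unflagged.
        "motw_bypass_risk": zone in (3, 4) and ext in CONTAINER_EXTENSIONS,
    }


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for p in targets:
            print(classify(p, read_zone_identifier(p)))
    else:
        # No paths given: demonstrate on the constructed sample.
        print(classify("deck.iso", SAMPLE_STREAM))
        print(classify("deck.pdf", SAMPLE_STREAM))
```

Run it on Windows with one or more paths to see which downloads are flagged; on any platform, running it with no arguments shows the constructed sample. A practical follow-up for detection engineering is that the same stream is what `Unblock-File` deletes and what Sysmon's file-stream creation event records, so the absence of a stream on a freshly written executable whose parent process is a mounted image is the signal to look for.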
Evolution of BlueNoroff and Lazarus
BlueNoroff was first identified in 2016 after it attacked the Bangladeshi central bank. In April, the US Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation issued an alert about the group, along with other North Korean cyber threats.
In recent weeks, Lazarus Group actors have also been observed attempting to steal non-fungible tokens. Lazarus has been launching phishing campaigns against the employees of Japanese cryptocurrency exchanges and successfully compromising businesses, The Cyber Express reported in October.
Lazarus Group has also recently employed anti-forensics techniques in its operations, a Trend Micro threat intelligence report noted.
“In the later years of Lazarus operations, particularly operations related to the BlueNoroff subgroup, they made use of component separation for their malware,” the report said.
“It also makes use of command line backdoors and installers. Aside from separating the components, they also require specific arguments for execution.”
Other techniques noted in the report include disk wiping, used to erase traces of the attackers’ activity once a campaign is complete.