
BlueNoroff, part of the North Korean state-sponsored Lazarus Group, has reportedly renewed its targeting of VC firms, crypto startups, and banks. According to the cybersecurity lab Kaspersky, the group has shown a spike in activity after a slowdown during the year and is now testing new delivery methods for its malware.
BlueNoroff has created more than 70 fake domains that mimic venture capital firms and banks, most of which present themselves as well-known Japanese companies. However, some assumed the identities of United States and Vietnamese companies.
The group has been experimenting with new file types and other malware delivery methods. Once installed, its malware evades Windows Mark-of-the-Web security warnings about downloading content and then goes on to “intercept large cryptocurrency transfers, changing the recipient’s address, and pushing the transfer amount to the limit, essentially draining the account in a single transaction.”
“The coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before,” Kaspersky researcher Seongsu Park said in a statement. “On the threshold of new malicious campaigns, businesses must be more secure than ever.”
The BlueNoroff subgroup of Lazarus was first identified after attacking the Bangladeshi central bank in 2016. It was among a group of North Korean cyber threats the U.S. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation mentioned in an alert issued in April.
North Korean threat actors related to the Lazarus Group have been spotted attempting to steal NFTs in recent weeks, as well. The group was responsible for the $600-million Ronin Bridge exploit in March.
As an end user, you can make sure to use impossible-to-guess passwords that are coupled with two-factor authentication. This way, you can minimize the chances of your password being stolen. Also, you should be very careful where you click so that you don’t end up on a rogue website. And, finally – use a VPN. 😉