Tolu is a cryptocurrency and blockchain enthusiast based in Lagos. He likes to demystify crypto stories to the bare basics so that anyone anywhere can understand without too much background knowledge. When he's not neck-deep in crypto stories, Tolu enjoys music, loves to sing and is an avid movie lover.
Kaspersky recently reported that a Lazarus affiliate might enhance its sophisticated malware attacks on crypto startups in 2023.
According to cybersecurity firm Kaspersky, a North Korean-state-sponsored group of hackers called Lazarus Group has started a new malware-spreading scheme. Kaspersky recently released a new report which alleges that Lazarus now poses as venture capitalist firms to spread malware. The security researchers also stated that BlueNoroff, the group linked with Lazarus, can use the malware to circumvent Mark-of-the-Web (MOTW) security measures. With its venture capitalist façade, BlueNoroff operates under the pretext of wanting to invest in digital currencies.
In its report, Kaspersky explained:
“[BlueNoroff] created numerous fake domains that look like venture capital and bank domains. Most of the domains imitate Japanese venture capital companies, indicating that the group has an extensive interest in Japanese financial entities.”
Furthermore, Kaspersky added that the Lazarus-associated threat actors had imitated popular VC platforms to spread malware. These include Beyond Next Ventures, Angel Bridge, Bank of America, and Mizuho Financial Group. According to Kaspersky, it detected BlueNoroff’s global attacks targeting crypto startups in January this year. However, the cybersecurity platform also stated that the hackers’ activities dropped until the fall season.
Kaspersky noted that BlueNoroff uses its malware to attack organizations that run operations using digital and Web3 mediums. These channels include smart contracts, decentralized finance (DeFi), blockchain, as well as the fintech industry.
Furthermore, BlueNoroff tested different file types to refine malware delivery methods. According to Kaspersky, the Lazarus Group affiliate deployed the previously unseen Windows Batch file Visual Basic Script as part of its testing. “As we can see from our latest finding, this notorious actor has introduced slight modifications to deliver their malware,” the researchers concluded.
Kaspersky Says Lazarus-affiliated Phishing Group not Slowing Down on Malware Practices
Kaspersky opines that BlueNoroff, which constitutes approximately 1,700 individuals spread around the globe, would not slow down its operations anytime soon. So far, the phishing group has deployed more than 70 domains in its quest to steal from crypto startups.
Foreboding an even bigger and busier 2023 for BlueNoroff and other phishing groups, researcher Seongsu Park said:
“The coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before. […] On the threshold of new malicious campaigns, businesses must be more secure than ever.”
The BlueNoroff Lazarus subgroup first came to the fore following its attack on the Bangladeshi central bank in 2016. In an April alert, the subgroup was also among a group of North Korean cyber threats mentioned by a US cyber-attack watchdog. According to the Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation at the time, the North Korean hacker threat called for enhanced security measures by crypto firms.
Also in April, a specialized unit of the US Treasury Department alleged that the Lazarus Group was behind the Ronin Bridge hack. The hack took place in March this year and was worth more than $600 million at the time.