- BlueNoroff seen targeting crypto businesses with new piece of malware
- The malware establishes persistence and opens up a back door
- It can download additional payloads, run Shell commands, and more
Devious North Korean state-sponsored threat actors known as BlueNoroff have been spotted deploying a brand new piece of malware to attack their victims.
Cybersecurity researchers SentinelLabs sounded the alarm on the new campaign, noting BlueNoroff is a subgroup of Lazarus, an infamous North Korean organization that mostly targets cryptocurrency businesses and individuals in the West. It is attributed with some of the biggest crypto heists in history.
Usually, the group would “groom” their victims on social media, before deploying any malware. In this campaign, however, they’ve decided for a more direct approach.
Hidden Risk
As SentinelLabs explains, BlueNoroff targets its victims, mostly crypto businesses, with a phishing email seemingly forwarded from a crypto influencer.
The email contains fake news about the latest developments in the cryptocurrency sector, in the form of a .PDF file that redirects victims to a website under the attackers’ control. That website will sometimes serve a benign Bitcoin ETF document, and sometimes a malicious file called “Hidden Risk Behind New Surge of Bitcoin Price.app”.
The name is taken from a genuine academic paper from the University of Texas, the researchers added. The entire campaign is thus named “Hidden Risk”.
The malware comes in multiple stages. The first stage is a dropper app, signed with a valid Apple Developer ID, which was revoked in the meantime. This dropper will download a decoy PDF file which should keep the victim…
Read full post on Tech Radar
