Kaspersky finds BlueNoroff APT actor disguised itself as VC firms to deliver new malware

Woburn, MA, Dec. 27, 2022 (GLOBE NEWSWIRE) -- Kaspersky researchers have discovered that the infamous Advanced Persistent Threat (APT) actor BlueNoroff recently added sophisticated new malware strains to its arsenal. BlueNoroff is known as the threat actor that targets financial entities’ cryptocurrency around the world, specifically aiming at venture capital firms, crypto startups, and banks. Now, the BlueNoroff actor is experimenting with new file types to convey their malware more efficiently and have created more than 70 fake domains of venture capital firms and banks to lure startup employees into a trap.  

BlueNoroff is part of the larger Lazarus group and uses its sophisticated malicious technologies to attack organizations that, by the nature of their work, deal with smart contracts, DeFi, Blockchain, and the FinTech industry. In January 2022, Kaspersky experts reported on a series of attacks detected on cryptocurrency startups worldwide, conducted by BlueNoroff, but afterwards there was a lull. However, based on Kaspersky’s telemetry, this autumn, the threat actor returned to attack, even more sophisticated and active than ever before.

According to the researchers, the attackers have used phishing techniques to try to infect targeted companies and then intercept large cryptocurrency transfers, changing the recipient's address, and pushing the transfer amount to the limit, essentially draining the account in a single transaction.

Kaspersky experts believe that the attackers are currently actively testing new malware delivery methods, for example, using previously unused file types such as a new Visual Basic Script, an unseen Windows Batch file, and a Windows executable to infect the victim.

Blunoroff has also deployed new strategies to increase its efficiency in circumventing Windows security measures. Recently, many threat actors have started using image files to avoid Mark-of-the-Web (MOTW). In a nutshell, the MOTW flag is a security measure whereby Windows issues a warning message, offering to open a file in “Protected view,” when a user tries to open a file downloaded from the Internet. To avoid this mitigation technique, an increasing number of threat actors have started to exploit ISO file types (digital copies of regular CD disks used for distribution of software or media content). BlueNoroff has adopted this technique.

The threat actor is increasing the power of its attacks every day. In October 2022, Kaspersky researchers observed 70 fake domains mimicking well-known venture capital firms and banks. Most of the domains imitate Japanese firms, like Beyond Next Ventures, Mizuho Financial Group, and others. This indicates that this group has extensive interest in Japanese financial entities. According to Kaspersky telemetry, the actor also targets UEA organizations and disguises itself as US and Vietnamese companies.

“As per our forecast in recent APT predictions for 2023, the coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before,” said Seongsu Park, lead security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “They will resemble the infamous WannaCry in their technological superiority and effect. Our findings in the BlueNoroff experiments prove that cybercriminals are not standing still and are constantly testing and analyzing new and more sophisticated tools of attack. On the threshold of new malicious campaigns, businesses must be more secure than ever: train your employees in the basics of cybersecurity and use a trusted security solution on all corporate devices.”

Read more about BlueNoroff in the full report on Securelist.

For organizations’ protection, Kaspersky suggests the following:

  • Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to identify phishing emails.
  • Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
  • Choose a proven endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behavior-based detection and anomaly control capabilities for effective protection against known and unknown threats.
  • Use a dedicated set of cybersecurity solutions for effective endpoint protection, threat detection and response products to detect and remediate even new and evasive threats in a timely fashion. Kaspersky Optimum Framework includes the essential set of endpoint protection empowered with EDR and MDR.


About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact

Sawyer Van Horn


(781) 503-1866




ISO image file used to deliver malware Fake VC document

Contact Data