
Cyber Incident Victim: Vietnamese Financial Institutions

Date:

Dec 2022

Location:

Viet Nam

Summary

North Korean state-linked hacking group BlueNoroff, a financially motivated subgroup of the Lazarus collective, conducted a phishing campaign against financial institutions and venture capital firms, registering approximately 70 fraudulent domains that impersonated legitimate banks and investment companies, primarily Japanese entities but also organizations in Vietnam, the UAE and the US. The attackers delivered decoy documents inside optical disc image (.iso) and virtual hard disk (.vhd) files, a packaging choice that at the time kept the Mark-of-the-Web from reaching the files inside the image and so suppressed the usual security warnings. Updated tooling included Visual Basic Script and Windows Batch scripts, a new downloader and living-off-the-land binaries, used to deliver payloads that disabled antivirus software, escalated privileges and installed backdoors. The operation aimed to intercept cryptocurrency transfers, compromise accounts and exfiltrate funds, with decoy documents and infrastructure mimicking financial services used to gain a foothold in victim networks.


Description

In late 2022, North Korean state-linked hacking group BlueNoroff resumed operations after months of inactivity, launching a campaign against financial institutions and venture capital firms in several countries, including Vietnam. The group, a financially motivated subgroup of the Lazarus collective, registered approximately 70 fraudulent domains impersonating legitimate banks and investment companies, with particular emphasis on Japanese organizations alongside targets in the UAE, the United States and Vietnam. The phishing lures were optical disc image (.iso) and virtual hard disk (.vhd) files containing decoy Office documents. Windows records the Mark-of-the-Web (a Zone.Identifier alternate data stream) on the downloaded container, but at the time a file opened from a mounted ISO or VHD did not inherit it, so the embedded documents opened without the Protected View and SmartScreen prompts that an internet-downloaded file would normally trigger. These files delivered updated malware through Visual Basic Script and Windows Batch scripts, alongside a new downloader that retrieved subsequent attack stages. The campaign specifically targeted cryptocurrency-related businesses and startup employees, aiming to intercept financial transfers and compromise accounts for fund theft.
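The detection angle on the ISO/VHD packaging described above is the gap between the container, which does carry a Zone.Identifier stream, and the script or document launched from the mounted volume, which does not. The following is an added example, not code from the page or from Kaspersky: a small Python detector run over constructed Sysmon-style events (Event ID 15 FileCreateStreamHash for the download, Event ID 1 ProcessCreate for the launch). The event records, the "only C: is a fixed volume" assumption, the correlation window and the launcher list are all assumptions made for the example.

```python
import re
from datetime import datetime

# Assumptions for this example (not from the page): Sysmon field names,
# which volumes are fixed, and the download-to-launch correlation window.
CONTAINER_EXTS = (".iso", ".img", ".vhd", ".vhdx")
LAUNCHERS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
             "mshta.exe", "rundll32.exe", "winword.exe", "excel.exe"}
FIXED_DRIVES = {"C:"}          # files here keep their own MotW stream
WINDOW_SECONDS = 900           # container download -> launch from mounted volume
ZONE_STREAM = ":Zone.Identifier"
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s]*)')   # drive-letter paths in a command line


def parse_zone_identifier(contents):
    """Parse the INI-style Zone.Identifier stream into a dict.

    Typical content: "[ZoneTransfer]\\r\\nZoneId=3\\r\\nHostUrl=https://..."
    ZoneId 3 is the Internet zone, 4 is Restricted sites.
    """
    result, section = {}, None
    for raw in contents.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    if "ZoneId" in result:
        result["ZoneId"] = int(result["ZoneId"])
    return result


def _ts(sysmon_utc):
    # Sysmon UtcTime looks like "2022-12-05 09:14:22.103"
    return datetime.strptime(sysmon_utc, "%Y-%m-%d %H:%M:%S.%f")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Alert when a launcher process starts a file from a non-fixed volume
    shortly after an Internet-zone .iso/.vhd container was downloaded."""
    containers = []   # (download time, container path, parsed zone stream)
    alerts = []
    for ev in events:
        if ev["EventID"] == 15:
            target = ev["TargetFilename"]
            if not target.lower().endswith(ZONE_STREAM.lower()):
                continue
            container = target[:-len(ZONE_STREAM)]
            if container.lower().endswith(CONTAINER_EXTS):
                zone = parse_zone_identifier(ev.get("Contents", ""))
                if zone.get("ZoneId", 0) >= 3:
                    containers.append((_ts(ev["UtcTime"]), container, zone))
        elif ev["EventID"] == 1 and _basename(ev["Image"]) in LAUNCHERS:
            t = _ts(ev["UtcTime"])
            for path in _PATH_RE.findall(ev.get("CommandLine", "")):
                if path[:2].upper() in FIXED_DRIVES:
                    continue   # on a fixed volume the file itself carries MotW
                recent = [c for c in containers
                          if 0 <= (t - c[0]).total_seconds() <= WINDOW_SECONDS]
                if recent:
                    _, container, zone = recent[-1]
                    alerts.append({"time": ev["UtcTime"],
                                   "image": _basename(ev["Image"]),
                                   "launched": path,
                                   "container": container,
                                   "host_url": zone.get("HostUrl", "")})
    return alerts


# Constructed sample telemetry for this example (not real events).
EVENTS = [
    # Browser writes the downloaded image and its Zone.Identifier stream (EID 15).
    {"EventID": 15, "UtcTime": "2022-12-05 09:14:22.103",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice_Q4.iso:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://invoice-portal.example/Invoice_Q4.iso\r\n"},
    # User opens the script inside the mounted image; Explorer spawns wscript (EID 1).
    {"EventID": 1, "UtcTime": "2022-12-05 09:15:48.410",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"E:\\Invoice_Q4.vbs\"",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Benign: a document downloaded to the fixed volume keeps its own MotW stream.
    {"EventID": 15, "UtcTime": "2022-12-05 10:02:01.000",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\report.docx:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    {"EventID": 1, "UtcTime": "2022-12-05 10:02:30.000",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\report.docx\"",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The heuristic will also fire for a script run from a USB stick within the window, so in production it is worth confirming the mount from the Windows VHDMP operational log or a file-system filter before paging anyone; the point of the example is the correlation, not the exact thresholds.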


Kaspersky researchers documented several technical changes in the campaign, including a September 2022 attack on a UAE victim in which a malicious Office document fetched a payload that used the legitimate Windows binary ieinstal.exe to bypass User Account Control (UAC). After infection, the attackers carried out hands-on-keyboard activity, including system fingerprinting and deployment of higher-privilege malware. BlueNoroff used a downloader that checks for and disables antivirus products from seven major vendors, and abused living-off-the-land binaries (LOLBins) to display the decoy document while the next stage was fetched. The group also deployed a new Windows executable downloader that writes fake password files to disguise its activity. The fraudulent domains served two purposes: hosting the malicious documents and payloads, and impersonating legitimate financial entities to make the phishing lures more credible. Kaspersky assessed that these operational updates indicate sustained threat activity and recommended that organizations run phishing awareness training, audit their networks for vulnerabilities, and maintain endpoint protection with threat detection capabilities.
