
Cyber Incident Victim: US Financial Institutions

Date:

Dec 2022

Location:

United States of America

Summary

North Korean state-linked BlueNoroff hackers targeted financial institutions, venture capital firms, and cryptocurrency businesses through phishing campaigns leveraging approximately 70 spoofed domains mimicking legitimate banks—primarily Japanese entities, but also organizations in the US, UAE, and Vietnam. The group deployed optical disk and virtual hard disk files to bypass security warnings, alongside updated malware delivery techniques involving scripts, downloaders, and living-off-the-land binaries to evade detection. Attacks aimed to intercept cryptocurrency transfers, drain accounts, and establish persistent access via backdoors enabling system fingerprinting, antivirus disabling, and high-privilege malware installation.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor (details available to members)
Actor Type: available to members
Actor Location: available to members

Description

In late 2022, North Korea’s BlueNoroff hacking group, a financially motivated subgroup of the Lazarus collective, resumed operations after several months of inactivity, deploying updated tools and techniques against global financial institutions. The campaign, first documented by the cybersecurity firm Kaspersky, used phishing emails distributing optical disk image (.iso) and virtual hard disk (.vhd) files containing decoy Office documents. These container formats allowed the attackers to bypass Microsoft’s Mark-of-the-Web (MotW) security warnings, which normally alert users when they open files downloaded from the internet. The malicious documents started infection chains designed to intercept cryptocurrency transfers and drain institutional accounts.

Attackers employed new payload delivery methods, including Visual Basic Script and Windows batch scripts, alongside a novel downloader that retrieved secondary payloads. In one September 2022 incident targeting a victim in the UAE, a malicious Office document connected to a remote server to download ieinstal.exe, a payload that bypassed User Account Control (UAC) protections. After infection, the operators performed hands-on-keyboard activity, including system fingerprinting and deploying additional malware with elevated privileges. Another attack used a downloader that scanned for and attempted to disable antivirus software from vendors including Avast, Avira, Bitdefender, Kaspersky, Microsoft, Sophos, and Trend Micro.


The campaign involved approximately 70 counterfeit domains impersonating legitimate banks and venture capital firms, with a focus on Japanese entities, though organizations in the UAE, United States, and Vietnam were also targeted. These domains facilitated phishing operations against startup employees, hosting malicious documents and payloads while mimicking legitimate financial and investment company websites. Attackers exploited living-off-the-land binaries (LOLBins) and scripts to display decoy documents while retrieving next-stage payloads. A new Windows executable downloader was observed spawning fake password files to download malicious components. BlueNoroff expanded its targeting to include cryptocurrency-related businesses in later stages of the campaign. Kaspersky’s analysis confirmed the group’s adaptation of tactics but did not disclose specific financial losses or operational disruptions suffered by victims. Security recommendations emphasized employee phishing awareness training, network vulnerability audits, and deployment of endpoint protection with threat detection capabilities, though no publicized containment actions or victim-led remediation efforts were detailed in the report.
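As an added example, not code from the report or its sources, the following Python triage routine ties together the two traits described above: disk-image attachments that sidestep Mark-of-the-Web warnings, and sender domains that imitate a bank or investment firm. The mail-gateway log format, the legitimate domains and the sample lines are constructed placeholders.

```python
import re
from difflib import SequenceMatcher

# Disk-image containers: files extracted from them did not inherit the
# Mark-of-the-Web zone identifier, so the download warning was skipped.
MOTW_BYPASS_CONTAINERS = {".iso", ".img", ".vhd", ".vhdx"}
# Legitimate domains that may be impersonated (constructed placeholders).
LEGIT_DOMAINS = {"examplebank.com", "examplevc.com"}
# Constructed mail-gateway log format: sender address and attachment name.
LOG_RE = re.compile(r'sender=\S+@(?P<domain>\S+)\s+attachment="(?P<name>[^"]+)"')

def is_container(filename):
    """True if the attachment is a disk image that can shield inner files from MotW."""
    dot = filename.lower().rfind(".")
    return dot != -1 and filename.lower()[dot:] in MOTW_BYPASS_CONTAINERS

def is_lookalike(domain, legit=LEGIT_DOMAINS):
    """True for a domain that imitates a legitimate one without being it."""
    domain = domain.lower().rstrip(".")
    if domain in legit:
        return False
    for real in legit:
        brand = real.split(".")[0]
        # Brand token inside another name (examplebank-secure.com) and
        # near-identical spelling (exarnplevc.com) both count as imitation.
        if brand in domain or SequenceMatcher(None, domain, real).ratio() >= 0.85:
            return True
    return False

def triage(log_lines):
    """Return (domain, attachment, severity) for lines worth analyst attention."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        domain, name = m.group("domain"), m.group("name")
        container, spoofed = is_container(name), is_lookalike(domain)
        if container and spoofed:      # both campaign traits present
            findings.append((domain, name, "high"))
        elif container or spoofed:
            findings.append((domain, name, "medium"))
    return findings

SAMPLE_LOG = [  # constructed lines, not data from the report
    'sender=alerts@examplebank-secure.com attachment="Wire_Confirmation.iso"',
    'sender=hr@examplebank.com attachment="Payroll.xlsx"',
    'sender=invest@exarnplevc.com attachment="Term_Sheet.vhd"',
    'sender=vendor@partner.example attachment="Catalog.vhdx"',
]
```

Running `triage(SAMPLE_LOG)` rates the two lookalike senders with disk-image attachments as high and the unknown sender's .vhdx as medium; a real deployment would replace the placeholder domain list with the organisation's own and its partners' registered domains.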

Sources: 1 source (available to members)