Microsoft has confirmed that the North Korean hacking group BlueNoroff (also referred to as Lazarus Group), known for cryptocurrency theft through social engineering, has shifted its strategy in recent weeks. According to Microsoft Threat Intelligence security professionals, the group has been developing new websites disguised as skills assessment portals, indicating a change in the threat actor's techniques.
Targeted Cryptocurrency Theft
These websites posing as skills assessment portals are reportedly password-protected to block scrutiny, and they mimic legitimate services to entice recruitment professionals to set up accounts. The intent, as outlined by Microsoft, appears to be establishing a base for hosting malicious payloads while avoiding the detection and subsequent takedown attempts that have previously disrupted operations conducted on legitimate services like GitHub.
BlueNoroff has made headlines before, having utilized social platforms such as LinkedIn for initial contact with potential targets. They move successful communications to other platforms, where malware camouflaged within seemingly harmless documents gets deployed. Jamf Threat Labs had previously linked the group to the ObjCShellz macOS malware, prompting concerns across platforms.
The threat actor that Microsoft tracks as Sapphire Sleet, known for cryptocurrency theft via social engineering, has in the past few weeks created new websites masquerading as skills assessment portals, marking a shift in the persistent actor's tactics.
— Microsoft Threat Intelligence (@MsftSecIntel) November 8, 2023
Global Threat Landscape
With a history of significant attacks, such as the Axie Infinity's Ronin network bridge hack where they siphoned over $617 million in cryptocurrency, BlueNoroff's activities continue to draw the attention of international law enforcement agencies. They are also held responsible for a series of attacks against cryptocurrency startups and financial organizations spanning a host of countries including, but not limited to, the United States, Russia, China, India, and the United Kingdom.
In 2022, the Lazarus Group abused Windows Update to deliver malware, using a GitHub repository as its command-and-control (C2) server, security researchers warned. According to Malwarebytes Threat Intelligence, the Lazarus Group was masquerading as the American aerospace giant Lockheed Martin in that campaign.
In addition to these ongoing cyber threats, the group has been linked by Kaspersky to a sustained assault on institutions worldwide, which prompted a response from the US Treasury in 2019: it sanctioned BlueNoroff alongside other North Korean groups such as Lazarus Group and Andariel. These sanctions underscore the group's direct connection to the North Korean government, with stolen financial assets funneled into the state's programs.
Microsoft's identification of these new techniques aligns with a consistent pattern of advancement in cyber threat methods, where groups like BlueNoroff evolve in response to enhanced cybersecurity measures. Entities, particularly within the cryptocurrency space, are advised to remain cautious of unsolicited communications and to follow cybersecurity best practices to defend against such sophisticated stratagems.