Zooming through BlueNoroff Indicators with Validin


The article analyzes a targeted intrusion by the North Korean BlueNoroff threat group against a Web3 organization, focusing on phishing lures disguised as Zoom extensions and extensive infrastructure pivoting using DNS, host, and registration data. Nearly 200 related malicious domains and numerous IP addresses linked to DPRK activity were identified to enable proactive threat tracking. #BlueNoroff #APT38 #LazarusGroup #ZoomExtension #Validin

Keypoints

  • BlueNoroff (APT38), a North Korean Lazarus subgroup, targeted a Web3 crypto organization using Zoom-themed phishing lures and backdoors.
  • Initial analysis focused on the suspicious domain support[.]us05web-zoom[.]biz which hosted a malicious Zoom extension sent via Telegram.
  • The domain mostly resolved to Google’s DNS 8.8.8.8 to obfuscate malicious infrastructure, a known evasion tactic by attackers.
  • DNS and host pivots using Validin revealed over 190 Zoom and conference-themed domains likely related to BlueNoroff.
  • Several IP addresses, including 23.254.247[.]53 and 23.254.247[.]32, were linked to DPRK threat activity and connected to numerous suspicious domains.
  • Host connection pivots involving RDP and HTTP certificates uncovered additional domains and infrastructure tied to BlueNoroff campaigns.
  • Domain registration time clustering was used to discover further related domains registered in coordination, aiding attribution.

MITRE Techniques

  • [T1566] Phishing – The attackers used a phishing lure disguised as a “Zoom extension”, delivered over Telegram (“…a malicious ‘Zoom extension’ sent to the victim over Telegram…”).
  • [T1071] Application Layer Protocol – The threat actor manipulated DNS records, pointing domains at the public Google resolver 8.8.8.8 to evade detection (“…domain resolved to 8.8.8.8, a very well-known public DNS resolver…”).
  • [T1587] Develop Capabilities – The group registered numerous domains with Zoom and conferencing keywords to build and manage their malicious infrastructure (“…nearly 200 domains, with hundreds of subdomains, likely related to BlueNoroff…”).
  • [T1105] Ingress Tool Transfer – The distribution of a backdoor via a fake Zoom extension indicates tool transfer as part of the attack.
  • [T1098] Account Manipulation – Use of registration time pivots on WHOIS data suggests manipulation or control over domain registrations to blend malicious assets.

Indicators of Compromise

  • [Domains] BlueNoroff-associated Zoom-themed malicious domains – support[.]us05web-zoom[.]biz, zoom-sdk[.]com, us03web-zoom[.]cc, and over 190 others with similar naming patterns.
  • [IP Addresses] Associated with DPRK activity – 23.254.247[.]53, 23.254.247[.]32, 23.254.244[.]248, 104.168.143[.]111, and 5.230.78[.]47 among others.
  • [Certificate SHA1] Used to pivot infrastructure – 38eaff53184ebca9046c2f10161c664ceb10d0c1 linked to multiple drop-box and conference-themed domains.
  • [HTTP Feature Hashes] Useful for detection – banner0hash 083ca76e08cca8d8ebd337b836c9c8fb, body SHA1 hash 23c501daff7991f82a93d94a4f14bd68fb5f61d9.
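The keypoints describe three pivots a defender can reproduce over their own passive-DNS and registration data: domains parked on a public resolver such as 8.8.8.8, resolutions to the DPRK-linked IPs above, Zoom/conference-themed naming, and registrations clustered in time. The script below is an added example, not code from the Validin post; the domains and IPs come from the IoC list, while the timestamps, the `.test` names, the keyword regex, the `zoom.us` allowlist and the 10-minute clustering window are constructed assumptions.

```python
# Added example, not code from the Validin post: triage constructed passive-DNS and
# registration records using the pivots the write-up describes (resolver parking,
# known-bad IPs, conference-themed naming, registration-time clustering).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Public resolvers a domain may be "parked" on; 8.8.8.8 is the one the post observed.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# IPs the post links to DPRK activity (copied from the IoC list, brackets removed).
KNOWN_BAD_IPS = {"23.254.247.53", "23.254.247.32", "23.254.244.248",
                 "104.168.143.111", "5.230.78.47"}

# Heuristic for Zoom / conference-themed lookalikes; the keyword list is an assumption.
CONFERENCE_THEME = re.compile(r"zoom|conference|webinar|meeting", re.IGNORECASE)

# Registrable domains that legitimately carry the keyword (assumed allowlist).
ALLOWLIST = {"zoom.us"}


def refang(ioc: str) -> str:
    """Turn defanged 'a[.]b' notation back into a resolvable name."""
    return ioc.replace("[.]", ".").lower()


def registrable(domain: str) -> str:
    """Crude eTLD+1: last two labels (sufficient for the .biz/.cc/.com samples here)."""
    return ".".join(domain.split(".")[-2:])


def triage_pdns(records):
    """records: iterable of (domain, ip). Returns {domain: [reasons]} for hits only."""
    findings = defaultdict(list)
    for raw_domain, ip in records:
        domain = refang(raw_domain)
        if ip in PUBLIC_RESOLVERS:
            findings[domain].append(f"parked on public resolver {ip}")
        if ip in KNOWN_BAD_IPS:
            findings[domain].append(f"resolves to DPRK-linked IP {ip}")
        if CONFERENCE_THEME.search(domain) and registrable(domain) not in ALLOWLIST:
            findings[domain].append("conference-themed lookalike name")
    return dict(findings)


def cluster_registrations(regs, window_minutes=10):
    """regs: iterable of (domain, iso_timestamp). Groups registrations where each is
    within `window_minutes` of the previous one; returns clusters with 2+ members."""
    ordered = sorted((datetime.fromisoformat(ts), refang(d)) for d, ts in regs)
    window = timedelta(minutes=window_minutes)
    clusters, current, last_ts = [], [], None
    for ts, domain in ordered:
        if last_ts is not None and ts - last_ts > window:
            clusters.append(current)
            current = []
        current.append(domain)
        last_ts = ts
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) >= 2]


# Constructed sample data: the three malicious domains and two IPs come from the post's
# IoC list; the timestamps and the .test domains are made up for the demonstration.
SAMPLE_PDNS = [
    ("support[.]us05web-zoom[.]biz", "8.8.8.8"),
    ("zoom-sdk[.]com", "23.254.247.53"),
    ("us03web-zoom[.]cc", "23.254.247.32"),
    ("zoom.us", "203.0.113.20"),
    ("example.test", "203.0.113.10"),
]
SAMPLE_REGS = [
    ("zoom-sdk[.]com", "2025-01-10T14:00:00"),
    ("us03web-zoom[.]cc", "2025-01-10T14:03:00"),
    ("us05web-zoom[.]biz", "2025-01-10T14:07:00"),
    ("example.test", "2025-01-10T16:00:00"),
    ("unrelated.test", "2025-01-10T16:04:00"),
    ("lonely.test", "2025-01-11T09:00:00"),
]

if __name__ == "__main__":
    for domain, reasons in triage_pdns(SAMPLE_PDNS).items():
        print(domain, "->", "; ".join(reasons))
    for cluster in cluster_registrations(SAMPLE_REGS):
        print("registered together:", cluster)
```

Feeding real passive-DNS and WHOIS exports into `triage_pdns` and `cluster_registrations` turns the post's manual pivots into a repeatable hunt; the allowlist and keyword regex are the two knobs to tune against your own false-positive rate.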


Read more: https://www.validin.com/blog/zooming_through_bluenoroff_pivots/