The BlueNoroff cryptocurrency hunt is still on

BlueNoroff, a Lazarus-linked APT, continues its cryptocurrency-centric campaigns, using multi-stage infections and sophisticated social engineering against crypto startups worldwide. The group combines long-running infection chains, deceptive business communications, and tailored backdoors to hunt for funds and credentials.
Read more: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
#BlueNoroff #SnatchCrypto #Lazarus #Metamask #DCG #BangladeshBank #CVE-2017-0199

Keypoints

  • BlueNoroff is linked to Lazarus and remains active, shifting focus from banks to cryptocurrency-focused targets.
  • The group exploits trust through social engineering, abusing internal and external communications and impersonating various companies.
  • Infection chains include Windows shortcut delivery (LNK) via password-protected archives and weaponized Word documents using CVE-2017-0199 remote template injection.
  • Privilege escalation abuses legitimate, auto-elevating Windows binaries (e.g., dccw.exe) to bypass UAC and run payloads with high privileges.
  • Backdoors are deployed in multi-stage infections, with persistence via the Start Menu Startup folder and encrypted configuration and payloads loaded from disk.
  • Crypto-theft operations monitor and tamper with cryptocurrency wallet extensions (e.g., Metamask) to steal or divert funds.
  • Attribution ties SnatchCrypto to BlueNoroff, with VBA macro authorship links and PowerShell script reuse across campaigns.
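As an added example (not code from the report or from Kaspersky), the following Python runs a handful of detections that track the chain summarized above over constructed, Sysmon-shaped events: a shortcut masquerading as a document, rundll32 calling an export by ordinal from a user-writable path with a base64-looking argument, dccw.exe launched by something other than the shell, and a write into the Startup folder. The event field names (`id`, `image`, `parent`, `cmd`, `target`), the sample events and the look-alike benign events are assumptions of this example.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry in a Sysmon-like shape (id 1 = process create,
# id 11 = file create). Made up for this example; not data from the report.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Downloads\Password.txt.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"rundll32.exe C:\Users\Public\wmc.dll,#1 4ZK0gYlgqN6ZbKd/NNBWTJOINDc+jJHOFH/9poQ+or9l"},
    {"id": 1, "image": r"C:\Windows\System32\dccw.exe",
     "parent": r"C:\Windows\System32\rundll32.exe", "cmd": "dccw.exe"},
    {"id": 11, "image": r"C:\Windows\System32\dccw.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # Benign look-alikes that must not fire.
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"id": 1, "image": r"C:\Windows\System32\dccw.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "dccw.exe"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Desktop\Report.lnk"},
]

USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\",
                 "\\programdata\\", "\\downloads\\")
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUNDLL_ORDINAL = re.compile(r"(?P<dll>\S+\.dll),#\d+\s+(?P<arg>\S+)", re.I)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def looks_base64(token):
    """True if the token is long, base64-alphabet only, and actually decodes."""
    if not B64_TOKEN.match(token):
        return False
    try:
        base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def rule_rundll32_ordinal(ev):
    """Stage 1: rundll32 calling an export by ordinal (#1) from a DLL in a
    user-writable directory, with a base64-looking decryption key argument."""
    if ev["id"] != 1 or basename(ev["image"]) != "rundll32.exe":
        return False
    m = RUNDLL_ORDINAL.search(ev["cmd"])
    return bool(m) and (in_user_writable(m["dll"]) or looks_base64(m["arg"]))


def rule_dccw_autoelevate(ev):
    """dccw.exe auto-elevates; a user starting colour calibration comes from
    explorer.exe, so any other parent is a likely UAC bypass."""
    return (ev["id"] == 1 and basename(ev["image"]) == "dccw.exe"
            and basename(ev["parent"]) != "explorer.exe")


def rule_startup_folder_write(ev):
    """Persistence: a file dropped into the Startup folder by a non-shell process."""
    return (ev["id"] == 11 and STARTUP_DIR in ev["target"].lower()
            and basename(ev["image"]) != "explorer.exe")


def rule_double_extension_lnk(ev):
    """Delivery: a shortcut masquerading as a document (Password.txt.lnk)."""
    if ev["id"] != 11:
        return False
    suffixes = [s.lower() for s in PureWindowsPath(ev["target"]).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DECOY_EXTS


RULES = (rule_rundll32_ordinal, rule_dccw_autoelevate,
         rule_startup_folder_write, rule_double_extension_lnk)


def run_detections(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, rule.__name__) for i, ev in enumerate(events)
            for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The dccw.exe rule is deliberately parent-based rather than hash-based: the binary is a legitimate, signed Windows file, so only its launch context distinguishes abuse from a user opening Display Color Calibration.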

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Social engineering via trusted business communications (internal and external) and Google Drive document shares to deliver payloads. “The latest BlueNoroff’s infection vector… abuse of trust in business communications.”
  • [T1203] Exploitation for Client Execution – CVE-2017-0199 remote template injection delivering an embedded malicious Visual Basic Script. “remote template injection (CVE-2017-0199) with an embedded malicious Visual Basic Script.”
  • [T1059.005] Visual Basic – Visual Basic Script in the initial infection chain used to fingerprint the host before delivering the next stage. “The VBS file is responsible for fingerprinting the victim by sending basic system information, network adapter information, and a process list.”
  • [T1059.001] PowerShell – PowerShell agent delivered after the VBS stage to execute commands from the operator. “Next, the Powershell agent, which is capable of executing commands from the malware operator.”
  • [T1218.011] Rundll32 – rundll32.exe executes the first-stage payload by ordinal export from a DLL (wmc.dll) dropped in the Public folder, passing a base64-encoded key as the argument. “rundll32.exe %Public%\wmc.dll,#1 4ZK0gYlgqN6ZbKd/NNBWTJOINDc+jJHOFH/9poQ+or9l”
  • [T1548.002] Bypass User Account Control – dccw.exe, an auto-elevating Windows executable (not a DLL), is abused to load the attacker’s DLL so the next stage runs with high privileges. “The dccw.exe file is a Windows system file that has auto-elevate permission.”
  • [T1055] Process Injection – A VBA macro extracts resources and injects a payload into a legitimate process (e.g., Notepad). “spawns a new process (notepad.exe) to inject and execute the binary code.”
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence Backdoor #1 is created in the Start Menu Startup folder. “The persistence backdoor #1 is created in the Start menu path for the persistence mechanism…”
  • [T1027] Obfuscated/Compressed Files and Information – The malware decodes base64 and decrypts with an embedded key; payloads are decrypted and executed. “The malware decodes the command line parameter, base64 and decrypting it with an embedded key.”
  • [T1573] Encrypted Channel – Encrypted configuration and communications for loading next-stage payloads. “encrypted channel from a remote server” and “encrypted file on the disk.”
  • [T1033] System Owner/User Discovery – Discovery of user accounts, IP addresses, and sessions via commands. “They collected user accounts, IP addresses and session information.”
  • [T1555.003] Credentials from Web Browsers – Tampering with the Metamask browser extension: its core component is replaced with a modified copy that monitors transactions and alters them to divert funds (“monitoring transactions” and “tampering” of the extension). The mapping is approximate; the behaviour is manipulation of the extension’s stored code rather than credential harvesting.
  • [T1070.004] Indicator Removal: File Deletion – Cleanup actions remove binary objects and the reference to the remote template to hinder analysis. “A cleanup by removing the binary objects and the reference to the remote template.”
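The Metamask tampering described above (in the key points and the T1555.003 entry) shows up as a file-integrity change inside the unpacked extension. As an added example, not code from the report, the Python below baselines an extension folder with SHA-256, reads manifest.json to learn which files Chrome loads as code, and reports added, removed and modified files, flagging manifest-loaded scripts as critical. The toy MV3 extension built by `demo()` is constructed for the example; `chrome_extension_versions()` assumes Chrome on Windows and uses MetaMask's Chrome Web Store ID.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# MetaMask's Chrome Web Store extension ID. Chrome unpacks each installed
# version under <profile>\Extensions\<id>\<version>_<n>\ (Windows path assumed).
METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"


def chrome_extension_versions(ext_id=METAMASK_ID, profile="Default"):
    """Installed version folders of an extension in the local Chrome profile."""
    base = (Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome"
            / "User Data" / profile / "Extensions" / ext_id)
    return sorted(p for p in base.glob("*") if p.is_dir()) if base.is_dir() else []


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(ext_dir):
    """Map every file under the extension folder (relative, POSIX-style) to its SHA-256."""
    ext_dir = Path(ext_dir)
    return {p.relative_to(ext_dir).as_posix(): sha256_file(p)
            for p in sorted(ext_dir.rglob("*")) if p.is_file()}


def manifest_scripts(ext_dir):
    """Files the manifest wires in as code: MV2 background scripts, the MV3
    service worker and content scripts. A swapped file here is the case the
    report describes (the extension's core component replaced)."""
    manifest = json.loads((Path(ext_dir) / "manifest.json").read_text(encoding="utf-8"))
    scripts = set()
    bg = manifest.get("background", {})
    scripts.update(bg.get("scripts", []))
    if "service_worker" in bg:
        scripts.add(bg["service_worker"])
    for cs in manifest.get("content_scripts", []):
        scripts.update(cs.get("js", []))
    return {s.lstrip("/") for s in scripts}


def compare(baseline, current, critical=frozenset()):
    """Diff two snapshots; 'critical' lists added/modified files the manifest loads."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified,
            "critical": sorted(p for p in added + modified if p in critical)}


def demo():
    """Constructed scenario: baseline a toy MV3 wallet extension, then replace
    its service worker and drop a helper, as a tampering actor would."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / METAMASK_ID / "10.0.0_0"
        ext.mkdir(parents=True)
        (ext / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "toy-wallet",
            "background": {"service_worker": "background.js"},
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inpage.js"]}],
        }), encoding="utf-8")
        (ext / "background.js").write_text("// original service worker\n")
        (ext / "inpage.js").write_text("// original inpage provider\n")
        (ext / "images").mkdir()
        (ext / "images" / "icon.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(ext)
        critical = manifest_scripts(ext)
        # Tamper: modified core component plus an extra dropped file.
        (ext / "background.js").write_text("// original service worker\nhookSendTransaction();\n")
        (ext / "hook.js").write_text("// dropped helper\n")
        return compare(baseline, snapshot(ext), critical)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken from a clean install (or from the Web Store CRX for the same version) and stored off-host, because an actor who can rewrite the extension can rewrite a baseline kept beside it.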

Indicators of Compromise

  • [File Hash] Malicious shortcuts – 033609f8672303feb70a4c0f80243349, 2100e6e585f0a2a43f47093b6fabde74, and 4a3de148b5df41a56bde78a5dcf41975 (malicious shortcut payloads found in campaigns)
  • [File Name] Malicious shortcut files – Password.txt.lnk, Xbox.lnk, and other LNK files used to trigger payloads
  • [Domain] Domains – abiesvc.com, docs.azureword.com, and numerous others used for phishing and C2 infrastructure
  • [IP Address] C2 addresses – 118.70.116.154:8080, 163.25.24.44, and 45.238.25.2 (among others)
  • [Domain] CDN/legitimate domain note – cdn.discordapp.com (updated: removed from IOC list as legitimate)
  • [File Name] Example malicious documents – Abies VC Presentation.docx, Global Brain Pitch Deck.docx, etc. (document filenames listed in IOCs)
  • [Domain] Additional compromised/impersonated domains – abiesvc.jp.net, docs.gdriveshare.top, etc. (examples shown in the list)
  • [URL/Domain] C2-related domains and hosts – devstar.dnsrd.com, fxbet.linkpc.net, lservs.linkpc.net, etc. (examples of backdoor infrastructure)