North Korean hackers are pretending to be crypto VCs in new phishing scheme: Kaspersky

BlueNoroff, part of the North Korean state-sponsored Lazarus Group, has renewed its targeting of venture capital firms, crypto startups and banks. Cybersecurity lab Kaspersky reported that the group has shown a spike in activity after a lull for most of the year and it is testing new delivery methods for its malware.

BlueNoroff has created more than 70 fake domains that mimic venture capital firms and banks. Most of the fakes presented themselves as well-known Japanese companies, but some also assumed the identity of United States and Vietnamese companies.

BlueNoroff introduces new methods bypassing MoTWhttps://t.co/C6q0l1mWqo

— Pentesting News (@PentestingN) December 27, 2022

The group has been experimenting with new file types and other malware delivery methods, according to the report. Once in place, its malware evades Windows Mark-of-the-Web security warnings about downloading content and then goes on to “intercept large cryptocurrency transfers, changing the recipient's address, and pushing the transfer amount to the limit, essentially draining the account in a single transaction.”

Related: North Korea’s Lazarus behind years of crypto hacks in Japan — Police

According to Kaspersky, the problem with threat actors is worsening. Researcher Seongsu Park said in a statement:

“The coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before. […] On the threshold of new malicious campaigns, businesses must be more secure than ever.”

The BlueNoroff subgroup of Lazarus was first identified after it attacked the Bangladeshi central bank in 2016. It was among a group of North Korean cyber threats the U.S. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation mentioned in an alert issued in April.

North Korean threat actors associated with the Lazarus Group have been spotted attempting to steal nonfungible tokens in recent weeks as well. The group was responsible for the $600-million Ronin Bridge exploit in March.

US authorities go after 280 crypto accounts allegedly tied to North Korea   Aug. 27, 2020
Kim Jong Un May Be Using Stolen Crypto to Offset Economic Fallout   May 14, 2020
North Korea Reportedly Using Altcoins to Convert $1.5B in Stolen Funds to Cash   Aug. 7, 2020
North Korea's Lazarus Group masterminded $100M Harmony hack: FBI confirms   Jan. 24, 2023
DeFi enjoys a prolific start to 2023: Finance Redefined   Feb. 3, 2023