BlueNoroff APT Using New Ways to Bypass Windows MotW Protection

[silversurfer]

Content source

https://thehackernews.com/2022/12/bluenoroff-apt-hackers-using-new-ways.html

BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections.

This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.

"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.

Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region.

BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

BlueNoroff APT hackers are using new techniques to bypass Windows' Mark of the Web protections, including the use of .ISO and .VHD file formats

thehackernews.com

 

[Andy Ful]

These techniques are new in the arsenal of BlueNoroff group, but they are well known (and seen in the wild) for a long time. The attacks noted in the article were observed in September 2022. Currently, the attack vector via ISO files is not possible due to recent improvements in SmartScreen.

Generally, If the attacker can exploit something or the user manually runs a shortcut or script, then the file can be downloaded from the Internet without a MOTW. I would not call this bypass, but rather an evasion method to avoid SmartScreen.
One can probably call the method via VHD (Virtual Hard Disk) files as a bypass, because even if they are downloaded with MOTW, then after mounting, the files contained in the VHD file do not get MOTW. A similar bypass can be seen when unpacking the downloaded archives (7-ZIP, ZIP, RAR, etc.) by some archiving applications.
See also:
https://malwaretips.com/threads/microsoft-defender-a-possible-future.119569/post-1016864

 

[Andy Ful]

It is possible to avoid the bypass via VHD files as follows:

1. Configure the archiving application (like 7-ZIP) as the default application that opens VHD files.
2. Configure the archiving application to propagate Zone.Id stream.

So, now the VHD files will be opened as an archive (not mounted as a drive) and the embedded files will get MOTW. If one would like to mount the VHD file, then it is still possible by using the "Open with ..." from the right-click Explorer context menu and choosing "Explorer" as the application.