BlueNoroff APT Using New Ways to Bypass Windows MotW Protection

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,154
Content source
https://thehackernews.com/2022/12/bluenoroff-apt-hackers-using-new-ways.html
BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections.

This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.

"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.

Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region.
Click to expand...
map.png
Click to expand...
thehackernews.com

BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

BlueNoroff APT hackers are using new techniques to bypass Windows' Mark of the Web protections, including the use of .ISO and .VHD file formats
thehackernews.com thehackernews.com
 
  • +Reputation
  • Wow
  • Like
Reactions: simmerskool, piquiteco, Andy Ful and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
These techniques are new in the arsenal of BlueNoroff group, but they are well known (and seen in the wild) for a long time. The attacks noted in the article were observed in September 2022. Currently, the attack vector via ISO files is not possible due to recent improvements in SmartScreen.

Generally, If the attacker can exploit something or the user manually runs a shortcut or script, then the file can be downloaded from the Internet without a MOTW. I would not call this bypass, but rather an evasion method to avoid SmartScreen.
One can probably call the method via VHD (Virtual Hard Disk) files as a bypass, because even if they are downloaded with MOTW, then after mounting, the files contained in the VHD file do not get MOTW. A similar bypass can be seen when unpacking the downloaded archives (7-ZIP, ZIP, RAR, etc.) by some archiving applications.
See also:
https://malwaretips.com/threads/microsoft-defender-a-possible-future.119569/post-1016864
 
  • Like
  • +Reputation
Reactions: Gandalf_The_Grey, harlan4096, simmerskool and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
It is possible to avoid the bypass via VHD files as follows:
  1. Configure the archiving application (like 7-ZIP) as the default application that opens VHD files.
  2. Configure the archiving application to propagate Zone.Id stream.
So, now the VHD files will be opened as an archive (not mounted as a drive) and the embedded files will get MOTW. If one would like to mount the VHD file, then it is still possible by using the "Open with ..." from the right-click Explorer context menu and choosing "Explorer" as the application. (y)
 
  • Like
  • +Reputation
Reactions: Victor M, Gandalf_The_Grey, harlan4096 and 3 others
You must log in or register to reply here.

Similar threads

vtqhtr413
    • +Reputation
    • Like
Security News ScarCruft APT Group Gears Up to Target Cybersecurity Pros
Replies
0
Views
1,198
Security News
vtqhtr413
vtqhtr413
silversurfer
    • +Reputation
    • Like
Malware News New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion
Replies
0
Views
1,112
Security News
silversurfer
silversurfer
silversurfer
    • Like
    • Wow
    • +Reputation
Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable
Replies
8
Views
1,599
News Archive
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top