BlueNoroff Changed Attack Tactics in 2023 After Its TTPs Were Leaked
The BlueNoroff hacker group, which is associated with the North Korean military, is using RustBucket malware to target macOS systems of users primarily in the United States and Asia – a tactic observed for the first time since the group began operating nearly a decade ago.
BlueNoroff, associated with Bureau 121, the main unit of the North Korean military’s Reconnaissance General Bureau, is one of several North Korean nation-state groups that conduct cyber operations to further the regime’s financial and geopolitical objectives. The U.S. State Department in 2022 offered a $10 million reward for information about BlueNoroff, Andariel, APT38, Guardians of Peace and Lazarus Group.
In February, South Korea announced sanctions against four North Korean individuals and seven organizations, including BlueNoroff, that illegally conducted cyber activities to finance the totalitarian regime’s nuclear and missile development programs (see: South Korea Sanctions Pyongyang Hackers).
BlueNoroff typically embeds Word documents, PDFs or PowerPoint files with malware, using second-stage malware to steal cryptocurrency. Kaspersky researchers discovered last year that the threat group also used optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats to bypass Microsoft Windows’ Mark of the Web security (see: BlueNoroff Hackers Mimic Banks, Bypass Windows Protection).
According to researchers at Paris-based threat intelligence company Sekoia, BlueNoroff began using the RustBucket malware in December 2022 to target systems running macOS, a first for the group. While threat actors have historically targeted Windows and, more recently, Linux operating systems, Apple’s macOS now runs on 31% of all desktop computers in the United States, making it a more attractive target.
In the hack, the group sends spear-phishing emails to victims, asking them to download a PDF reader and open a specific PDF file that contains information about a venture capital company. The PDF file also contains malicious code that requests the command-and-control server to download the backdoor component of the RustBucket kill chain. The backdoor collects system information and sends it to the C2 using POST requests. Sekoia said the Windows version of RustBucket functions similarly, and the attack chain resembles those of BlueNoroff’s previous campaigns, in which it used LNK, MSI, OneNote and VHD files to plant second-stage malware.
The hacker group changed its attack pattern in 2023 after SecureList publicly documented the group’s tactics, techniques and procedures. Sekoia says the group no longer uses VHD and CAB files to bypass the Mark of the Web flag but used MSI and OneNote files in March to drop and execute malicious code.
The threat intelligence company also found that BlueNoroff set up many typosquatting domains that mimicked the genuine domains of “entities involved in fund management and venture fund, crypto assets and blockchain, located in Europe, Asia and North America.”
“Whether BlueNoroff attempted to target these entities or simply masqueraded as those entities to target other individuals and/or organizations remains an intelligence gap,” said Sekoia, adding that BlueNoroff typically targets finance-related institutions.
“Based on typosquatting domains and Sekoia.io-attributed levels of confidence, we identified a strong focus on Asia and the U.S. While this almost certainly stems from the fact that these regions are particularly active in the fintech area, it is also likely part of BlueNoroff’s geographical targeting assignment. We also retrieved domains indicating a targeting of Laos and Thailand,” the company said.
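As an added defensive illustration (not code from Sekoia or this article), the following flags newly observed domains that resemble a watch list of legitimate fintech or venture-fund domains, the kind of typosquatting described above, by normalizing common look-alike substitutions and comparing edit distance and TLD. The watched domains and the candidate feed are constructed placeholders, not domains from the report.

```python
"""Flag candidate typosquats of watched domains in a feed of newly observed domains.

Added illustration, not Sekoia's tooling: the watch list and the candidate feed
are constructed placeholders, not indicators from the report.
"""
from typing import Optional

# Constructed placeholders standing in for a fintech / venture-fund watch list.
WATCHED_DOMAINS = ["examplecapital.com", "exampleventures.io"]

# Character swaps attackers commonly use because they look alike in a URL.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Collapse look-alike substitutions so 'examp1e' compares equal to 'example'."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'examplecapital.com' into ('examplecapital', 'com'); naive, no PSL lookup."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def match_typosquat(candidate: str, watched=WATCHED_DOMAINS, max_dist: int = 2) -> Optional[str]:
    """Return the watched domain the candidate most likely imitates, or None."""
    c_label, c_tld = split_domain(candidate)
    for real in watched:
        r_label, r_tld = split_domain(real)
        if c_label == r_label and c_tld == r_tld:
            return None  # the genuine domain itself, not a look-alike
        # Same label under another TLD, a homoglyph variant, or a near-miss spelling.
        if levenshtein(normalize(c_label), normalize(r_label)) <= max_dist:
            return real
    return None


def scan_feed(feed):
    """Pair each suspicious candidate with the watched domain it resembles."""
    return [(d, m) for d in feed if (m := match_typosquat(d))]
```

Hits are leads for takedown requests or blocklisting, not proof of malice; a real deployment would also check certificate transparency logs and registration dates.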