BlueNoroff introduces new methods bypassing MoTW
2022-12-27 • Kaspersky
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
Kaspersky reported that BlueNoroff, a financially motivated North Korea-linked actor, adopted new delivery methods that sidestep Windows Mark-of-the-Web (MoTW) warnings: instead of sending scripts or executables directly, the group wrapped them in ISO and VHD disk images, whose contents do not carry the MoTW flag once the image is mounted, so SmartScreen and Office Protected View do not fire on the extracted files. Whether the mark is propagated into mounted images depends on the Windows build; checking for the Zone.Identifier stream on files extracted from a downloaded image is the practical test. The stages observed included Visual Basic Script, Windows Batch files, executables, and MSI installers, alongside the group's familiar Word-document and LNK intrusion paths. Observed activity included a UAE victim compromised through a malicious Word document, follow-on use of a backdoor for host fingerprinting and for installing malware that requires elevated privileges, and archived LNK shortcuts such as a Japanese "new bonus schedule" lure. Infrastructure analysis found more than 70 domains, many impersonating venture-capital firms and banks, indicating sustained interest in Japanese financial and cryptocurrency-related targets.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | ms.msteam.biz | 2022-12-27 | 2023-06-06 |
| IPv4 | 155.138.159.45 | 2022-12-27 | 2023-06-06 |
| IPv4 | 104.168.174.80 | 2022-12-27 | 2023-05-22 |
| IPv4 | 149.28.247.34 | 2022-12-27 | 2023-05-22 |
| IPv4 | 152.89.247.87 | 2022-12-27 | 2023-05-22 |
| IPv4 | 172.86.121.130 | 2022-12-27 | 2023-05-22 |
| HASH | d8f6290517c114e73e03ab30165098f6 | 2022-12-27 | 2022-12-27 |
| HASH | 21e9ddd5753363c9a1f36240f989d3a9 | 2022-12-27 | 2022-12-27 |
| HASH | f766f97eb213d81bf15c02d4681c50a4 | 2022-12-27 | 2022-12-27 |
| HASH | 087407551649376d90d1743bac75aac8 | 2022-12-27 | 2022-12-27 |
| HASH | 1e3df8ee796fc8a13731c6de1aed0818 | 2022-12-27 | 2022-12-27 |
| HASH | 4c0fb06320d1b7ecf44ffd0442fc10ed | 2022-12-27 | 2022-12-27 |
| HASH | ef3179d498793bf4234f708d3be28633 | 2022-12-27 | 2022-12-27 |
| HASH | 0b4340ed812dc82ce636c00fa5c9bef2 | 2022-12-27 | 2022-12-27 |
| HASH | 61a227bf4c5c1514f5cbd2f37d98ef5b | 2022-12-27 | 2022-12-27 |
| HASH | da9f0e7dc6c52044fa29bea5337b479… | 2022-12-27 | 2022-12-27 |
| HASH | d3503e87df528ce3b07ca6d94d1ba9fc | 2022-12-27 | 2022-12-27 |
| URL | http://avid.lno-prima.lol/Nafqh… | 2022-12-27 | 2022-12-27 |
| URL | https://www.angelbridge.jp | 2022-12-27 | 2022-12-27 |
| URL | https://docs.azure-protection.c… | 2022-12-27 | 2022-12-27 |
| URL | http://offerings.cloud/NafqhbXR… | 2022-12-27 | 2022-12-27 |
| URL | https://www.abf-cap.com | 2022-12-27 | 2022-12-27 |
| URL | https://www.capmarketreport.com… | 2022-12-27 | 2022-12-27 |
| DOMAIN | abf-cap.co | 2022-12-27 | 2022-12-27 |
| DOMAIN | offerings.cloud | 2022-12-27 | 2022-12-27 |
| DOMAIN | smbc-vc.com | 2022-12-27 | 2022-12-27 |
| DOMAIN | beyondnextventures.co | 2022-12-27 | 2022-12-27 |
| DOMAIN | tptf.co | 2022-12-27 | 2022-12-27 |
| DOMAIN | vote.anobaka.info | 2022-12-27 | 2022-12-27 |
| DOMAIN | cloud.beyondnextventures.co | 2022-12-27 | 2022-12-27 |
| DOMAIN | bankofamerica.us.org | 2022-12-27 | 2022-12-27 |
| DOMAIN | beyondnextventures.com | 2022-12-27 | 2022-12-27 |
| IPv4 | 104.168.249.50 | 2022-12-27 | 2022-12-27 |
| HASH | a17e9fc78706431ffc8b3085380fe29f | 2022-11-29 | 2022-12-27 |
| HASH | 931d0969654af3f77fc1dab9e2bd66b1 | 2022-11-29 | 2022-12-27 |
| URL | https://docs.azure-protection.c… | 2022-11-29 | 2022-12-27 |
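The IOC table above is the kind of list a responder sweeps telemetry with. The following added example (not code from the Securelist report or from Kaspersky) loads the table's values and matches them against constructed DNS, proxy and EDR log lines, handling three things a naive grep gets wrong: hostnames are matched as exact or subdomain matches rather than substrings, hashes are case-normalized, and the entries the table shows truncated with "…" are matched only as prefixes and flagged as such rather than guessed at. The log lines, asset names (WS-017, 10.0.0.x) and the near-miss hash in them are constructed for the demonstration.

```python
"""IOC sweep over constructed log lines. Added example; not code from the report."""
import ipaddress
import re
from urllib.parse import urlsplit

ELLIPSIS = "\u2026"  # the table marks truncated values with '…'

# IOC values copied from the table above; truncated entries keep their '…'.
IOCS = {
    "DOMAIN": ["ms.msteam.biz", "abf-cap.co", "offerings.cloud", "smbc-vc.com",
               "beyondnextventures.co", "tptf.co", "vote.anobaka.info",
               "cloud.beyondnextventures.co", "bankofamerica.us.org",
               "beyondnextventures.com"],
    "IPv4": ["155.138.159.45", "104.168.174.80", "149.28.247.34",
             "152.89.247.87", "172.86.121.130", "104.168.249.50"],
    "HASH": ["d8f6290517c114e73e03ab30165098f6", "21e9ddd5753363c9a1f36240f989d3a9",
             "f766f97eb213d81bf15c02d4681c50a4", "087407551649376d90d1743bac75aac8",
             "1e3df8ee796fc8a13731c6de1aed0818", "4c0fb06320d1b7ecf44ffd0442fc10ed",
             "ef3179d498793bf4234f708d3be28633", "0b4340ed812dc82ce636c00fa5c9bef2",
             "61a227bf4c5c1514f5cbd2f37d98ef5b", "da9f0e7dc6c52044fa29bea5337b479…",
             "d3503e87df528ce3b07ca6d94d1ba9fc", "a17e9fc78706431ffc8b3085380fe29f",
             "931d0969654af3f77fc1dab9e2bd66b1"],
    "URL": ["http://avid.lno-prima.lol/Nafqh…", "https://www.angelbridge.jp",
            "https://docs.azure-protection.c…", "http://offerings.cloud/NafqhbXR…",
            "https://www.abf-cap.com", "https://www.capmarketreport.com…"],
}

KV_RE = re.compile(r"(\w+)=(\S+)")              # key=value tokens in a log line
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")       # MD5-length hex string
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def build_index(iocs):
    """Normalize the table into lookup sets; truncated hashes become prefixes."""
    idx = {"domains": set(), "ips": set(), "hashes": set(), "hash_prefixes": set()}
    idx["domains"].update(d.lower() for d in iocs["DOMAIN"])
    idx["ips"].update(str(ipaddress.ip_address(ip)) for ip in iocs["IPv4"])
    for h in iocs["HASH"]:
        h = h.lower()
        (idx["hash_prefixes"] if h.endswith(ELLIPSIS) else idx["hashes"]).add(h.rstrip(ELLIPSIS))
    for u in iocs["URL"]:
        host = urlsplit(u).netloc.lower()
        # A URL whose hostname is itself cut off contributes no domain: we do not guess it.
        if host and not host.endswith(ELLIPSIS):
            idx["domains"].add(host)
    return idx


def match_domain(host, domains):
    """Exact or subdomain match; returns the most specific IOC, never a substring hit."""
    host = host.lower().rstrip(".")
    hits = [d for d in domains if host == d or host.endswith("." + d)]
    return max(hits, key=len) if hits else None


def match_hash(value, idx):
    v = value.lower()
    if v in idx["hashes"]:
        return v
    for p in idx["hash_prefixes"]:
        if v.startswith(p):
            return p + ELLIPSIS  # flagged: matched only on the truncated prefix
    return None


def sweep(lines, idx):
    """Return (line_no, ioc_type, ioc_value, observed_value) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for _key, raw in KV_RE.findall(line):
            value = raw.strip('",')
            if value.lower().startswith(("http://", "https://")):
                d = match_domain(urlsplit(value).hostname or "", idx["domains"])
                if d:
                    hits.append((n, "DOMAIN", d, value))
                continue
            try:
                ip = str(ipaddress.ip_address(value))
            except ValueError:
                ip = None
            if ip:
                if ip in idx["ips"]:
                    hits.append((n, "IPv4", ip, value))
                continue
            if HEX32_RE.match(value):
                h = match_hash(value, idx)
                if h:
                    hits.append((n, "HASH", h, value))
                continue
            if HOST_RE.match(value):
                d = match_domain(value, idx["domains"])
                if d:
                    hits.append((n, "DOMAIN", d, value))
    return hits


# Constructed sample telemetry for the demonstration (not real logs). Line 4 carries a
# hash sharing the truncated IOC's 31-character prefix; the real full hash is not on the page.
SAMPLE_LOGS = [
    "2023-01-10T08:12:01Z dns client=10.0.0.21 query=cloud.beyondnextventures.co type=A",
    "2023-01-10T08:12:03Z proxy client=10.0.0.21 url=http://avid.lno-prima.lol/ dst=104.168.249.50 status=200",
    "2023-01-10T08:15:44Z edr host=WS-017 event=process_create image=C:\\Users\\u\\Downloads\\bonus.exe md5=D8F6290517C114E73E03AB30165098F6",
    "2023-01-10T08:16:02Z edr host=WS-017 event=file_write path=C:\\Windows\\Temp\\x.dll md5=DA9F0E7DC6C52044FA29BEA5337B4790",
    "2023-01-10T08:20:10Z dns client=10.0.0.22 query=teams.microsoft.com type=A",
    "2023-01-10T08:21:30Z proxy client=10.0.0.22 url=https://msteam.biz.example/ dst=93.184.216.34 status=200",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, build_index(IOCS)):
        print("line %d: %s %s (observed %s)" % hit)
```

The two URLs whose hostname is cut off in the table (docs.azure-protection.c…, www.capmarketreport.com…) add nothing to the domain set, and the truncated hash is reported with its "…" so an analyst knows the hit is a prefix match. Pull the complete values from the Securelist post before running a sweep like this against production telemetry.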