North Korean hackers targeting Japanese financial firms with new malware

A new report from cybersecurity firm Kaspersky has uncovered a new hacking spree linked to notorious North Korean hackers using malware.

The report identified BlueNoroff, an arm of the state-sponsored Lazarus Group, as the principal suspect behind the recent attacks. BlueNoroff’s main targets appear to be digital asset startups, commercial banks, and venture capitalist (VC) firms in Europe and the Far East.

Kaspersky’s researchers note that BlueNoroff has been under the radar for most of the year, but in the last quarter, the group showed signs of activity. BlueNoroff created nearly 80 fake websites, mimicking popular VC firms and financial institutions, with the majority of sites focused on Japanese companies.

“The actor usually used fake domains such as cloud hosting services for hosting malicious documents or payloads,” said Kaspersky. “Most of the companies are Japanese companies, indicating the actor has a keen interest in Japanese markets.”

BlueNoroff’s latest attacks have shown a strong capability of bypassing Mark-of-the-Web by expanding file types and tweaking its latching strategies. Once access has been obtained, the malware interrupts digital asset transfers by changing the recipient’s address.

The report indicates that BlueNoroff’s malware can “push the transfer amount to the limit, essentially draining the account in a single transaction.”

It is unclear why Japanese firms are the hacking group’s target, especially given Japan’s expansive cybersecurity infrastructure tradition. Kaspersky notes that the hacking gang has been prolific, “stealing cryptocurrency worth millions” in the few months they began operations.

North Korean hackers have risen to notoriety in 2022 for their daring attacks on the virtual currency industry, stealing billions along the way. South Korea’s Intelligence Department blamed the state-sponsored hacking gangs for stealing over $600 million, while several post-mortems have fingered the country for security breaches.

Lazarus Group has been accused of participating in the hack of Axie Infinity that cost the platform losses of $620 million, which forced the United States Treasury’s Office of Foreign Assets Control (OFAC) to place the gang on the Specially Designated Nationals and Blocked Persons List (SDN List).

“Through our investigations, we were able to confirm Lazarus Group and APT38, cyber actors associated with North Korea, are responsible for the theft,” said the Federal Bureau of Investigation (FBI).

North Korea has turned its attention to cybercrime in the hopes of raising its foreign currency reserves amid stifling economic sanctions. Aspiring hackers are scouted around the country, with some sent to China for vocational training and others trained in North Korean universities.

Watch: The BSV Global Blockchain Convention presentation, Sentinel Node: Blockchain Tools to Improve Cybersecurity