A unit of the North Korean state-sponsored hacker Lazarus Group is impersonating financial and investment firms to steal crypto assets.
According to security firm Kaspersky, the group known as BlueNorOff is creating fake domains that look like those of legitimate venture capital and banking companies.
The actor usually used fake domains such as cloud hosting services for hosting malicious documents or payloads.”
The firms that the hackers imitate are mostly based in Japan, including Beyond Next Ventures, ANOBAKA, Angel Bridge, ABF Capital, Sumitomo Mitsui Banking Corporation, Mitsubishi UFJ Financial Group and Z Venture, suggesting of BlueNorOff’s interest in Japanese financial entities.
Most of the companies are Japanese companies, indicating the actor has a keen interest in Japanese markets.”
The cybersecurity company says that one of BlueNorOff’s victims appears to be a home financing company based in the United Arab Emirates (UAE). Kaspersky says the infection was made through malware with a Japanese file name, indicating that the target can read Japanese.
Based on the domain naming and decoy documents, we assume, with low confidence, that the entities in Japan are on the radar of this group. In one PowerPoint sample, we observed that the actor took advantage of a Japanese venture capital company.”
