April 20, 2025

Microsoft: BlueNoroff hackers planning new crypto attacks

November 11, 2023

Microsoft warns that North Korean hacking group BlueNoroff has built a new attack infrastructure on LinkedIn for future social engineering campaigns. This financially motivated threat actor also has a documented history of cryptocurrency theft attacks targeting cryptocurrency company employees.

After making initial contact with a target on LinkedIn, BlueNoroff moves the conversation to other platforms and then backdoors the target's system by sending malware hidden in malicious documents via private messages on those social networks.

Microsoft Threat Intelligence reports that "Sapphire Sleet, a threat actor tracked by Microsoft and known for stealing cryptocurrency through social engineering, has created new websites that appear to be skill assessment portals over the past few weeks, signaling a change in tactics for the persistent actor."

"Sapphire Sleet often finds targets on platforms such as LinkedIn and uses the lure of skill assessments. The threat actor then extends successful communication with targets to other platforms."

In the past, North Korean state hackers have been seen distributing malicious files directly or through links to pages hosted on legitimate websites such as GitHub. Microsoft believes that the rapid detection and removal of malicious files from such legitimate online services has pushed BlueNoroff to set up its own websites for hosting malicious payloads.

These websites are password protected to hinder analysis and are disguised as skills assessment portals that prompt recruiters to open an account.

Who is BlueNoroff?

Earlier this week, security researchers at Jamf Threat Labs linked BlueNoroff to the new ObjCShellz macOS malware, which is used to backdoor target Macs by opening remote shells on compromised devices.

In recent years, BlueNoroff has been linked to a number of attacks against cryptocurrency startups and financial institutions worldwide, including in the US, Russia, China, India, the UK, Ukraine, Poland, the Czech Republic, the UAE, Singapore, Estonia, Vietnam, Malta, Germany and Hong Kong.

Additionally, the FBI attributed the hack of the Ronin network bridge used by Axie Infinity, the largest cryptocurrency heist at the time, to the Lazarus and BlueNoroff hacking groups. The attackers stole 173,600 ETH and 25.5 million USDC, worth more than $617 million.

Four years ago, a United Nations report estimated that North Korean state hackers, including BlueNoroff, stole nearly $2 billion in at least 35 cyberattacks targeting banks and cryptocurrency exchanges in more than a dozen countries.

In 2019, the US Treasury Department also sanctioned BlueNoroff and two other North Korean hacking groups (Lazarus Group and Andariel) for funneling stolen financial assets to the North Korean government.

Source: Port Altele
