Threat Feed
high threat

BlueNoroff Targeting Web3 Sector via Spear Phishing

BlueNoroff, a subgroup of the Lazarus Group, is targeting North American Web3 companies through spear-phishing campaigns, impersonating Fintech legal professionals.

Arctic Wolf identified a targeted intrusion campaign against a North American Web3/cryptocurrency company and attributed it to BlueNoroff, a financially motivated subgroup of the Lazarus Group. The attackers impersonated a reputable figure in the Fintech legal space to conduct spear-phishing. The campaign highlights the group's continued interest in cryptocurrency-related targets and its evolving social engineering tactics. Impersonating a specific, credible individual in the target's own industry indicates prior research into the organization and the people it is likely to trust. Defenders should expect similar campaigns against other organizations in the Web3 sector.

Attack Chain

  1. Initial contact is established through a spear-phishing email that impersonates a figure in the Fintech legal space.
  2. The victim opens the malicious attachment or clicks the link in the email.
  3. The payload executes, potentially using fileless PowerShell techniques (script content held in memory rather than written to disk).
  4. The PowerShell stage downloads and runs the subsequent stages of the attack.
  5. If the initial compromise succeeds, the attackers may move laterally to other hosts.
  6. The attackers search for sensitive data related to cryptocurrency holdings, including private keys.
  7. Compromised data is exfiltrated to attacker-controlled infrastructure.

Impact

A successful BlueNoroff intrusion can lead to significant financial losses for the targeted Web3 organization. This includes theft of cryptocurrency assets, intellectual property, and sensitive financial data. The North American Web3/cryptocurrency sector is directly impacted. Further, reputational damage and legal liabilities can arise from data breaches.

Recommendation

  • Deploy the Sigma rules listed under Detection coverage to catch PowerShell execution with arguments indicative of fileless execution, specifically encoded commands and download cradles.
  • Monitor inbound email for spear-phishing attempts that impersonate known figures in the Fintech legal space, for example by flagging messages whose display name matches a known contact but whose sender domain is unfamiliar.
  • Enforce multi-factor authentication (MFA) on all critical systems to reduce the impact of credential theft. MFA does not stop a payload from running once a user opens the attachment, so it complements endpoint detection rather than replacing it.

Detection coverage (2 rules)

Detect PowerShell Download Cradle

high

Detects PowerShell executing a download cradle, which downloads and executes code from a remote URL.

Format: Sigma. Tactics: execution, command_and_control. Techniques: T1059.001 (PowerShell), T1105 (Ingress Tool Transfer). Log source: process_creation (windows).

Detect Suspicious PowerShell Encoded Command

high

Detects PowerShell execution with the -EncodedCommand option (a base64-encoded UTF-16LE script passed on the command line), a common technique for hiding the real command from casual inspection. Some administrative tooling also uses this option, so triage hits by decoding the payload rather than treating every encoded command as malicious.

Format: Sigma. Tactics: defense_evasion, execution. Techniques: T1059.001 (PowerShell). Log source: process_creation (windows).

Detection queries are kept inside the platform.