BlueNoroff Group Activity Detection: Threat Actors Apply Novel Methods to Bypass Windows Mark-of-the-Web (MoTW) Protection

BlueNoroff Group Attack Detection

BlueNoroff, which is part of the larger Lazarus Group, is a financially-motivated hacking collective striving to gain financial benefits from its offensive capabilities. The group, known for stealing cryptocurrency and commonly applying Word documents and LNK files for initial intrusion, has currently been leveraging new adversary methods. In the latest attacks, BlueNoroff experiments with new file types for malware delivery, enabling threat actors to evade Windows Mark-of-the-Web (MoTW) security features.

Detect BlueNoroff’s Malicious Attempts to Bypass Windows MoTW Protection

Backed by strong financial motivation and a series of successful cyber attacks, BlueNoroff APT is expanding the horizons of its offensive capabilities by experimenting with new adversary methods. SOC Prime’s Detection as Code platform is laser-focused on helping cyber defenders stay on top of the cyber threat landscape and proactively defend against emerging threats. At the turn of 2023, the platform released a set of curated Sigma rules to detect the malicious activity of the BlueNoroff group that applied more advanced techniques to evade detection in the latest cyber attacks, including attempts to outsmart Windows MoTW security features. Follow the link below to instantly access these new detections tagged with MITRE ATT&CK® and written by our keen Threat Bounty developers, Aytek Aytemur and Nattatorn Chuensangarun

Sigma rules to detect new methods applied in the latest attacks by the BlueNoroff group

The Sigma rule by Aytek Aytemur detects a suspicious process from rundll32, which executes marcoor.dll, a malicious file associated with the adversary activity of the BlueNoroff group. This detection addresses the Execution tactic with the Command and Scripting Interpreter (T1059) and User Execution (T1204) as its main techniques along with the Defense Evasion tactic with the corresponding System Binary Proxy Execution (T1218) technique.

Two new Sigma rules by Nattatorn Chuensangarun from the above-mentioned list also address the Execution tactic represented by the Command and Scripting Interpreter (T1059) technique. All detection algorithms in the dedicated rule set are compatible with the industry-leading SIEM, EDR, and XDR technologies. 

Cybersecurity researchers and practitioners eager to advance their Detection Engineering skills are welcome to tap into the power of collective cyber defense by contributing their own Sigma rules tagged with MITRE ATT&CK. Join our Threat Bounty Program to see the power of Sigma coupled with ATT&CK in action, code your future CV, and earn recurring financial rewards for your contribution. 

To keep your finger on the pulse of the ever-changing threat landscape and timely identify malicious strains attributed to the BlueNoroff group’s activity, click the Explore Detections button below. This will instantly get you to the comprehensive list of Sigma rules enriched with relevant metadata to accelerate cyber threat investigation and boost your cyber defense capabilities. 

Explore Detections

BlueNoroff Group’s Adversary Activity: Analysis of Behavior Patterns Observed in the Latest Attacks

The North Korean APT BlueNoroff, which represents a subcluster of the infamous Lazarus Group, aka APT38, is recognized in the cyber threat arena as a hacking collective primarily targeting financial organizations to steal cryptocurrency. The classic BlueNoroff’s strategy implies the use of a phishing attack vector aiming to compromise financial entities and intercept the company’s cryptocurrency transfers. 

Cybersecurity researchers have recently observed the adoption of new malicious strains in the group’s adversary toolkit and the use of new file types for more efficient malware delivery. BlueNoroff created over 70 fake domains of venture capital organizations and banks to lure the company’s employees into triggering an infection chain and further enable hackers to gain their financial benefits. The majority of fraudulent domains masquerade as those identifying Japanese financial entities, which indicates the hackers’ rising interest in compromising Japanese organizations in the corresponding industry sector.

In the latest attacks, BlueNoroff experiments with more sophisticated adversary strategies to boost the efficiency of bypassing Windows security capabilities and disrupting cyber defense activities. Threat actors have been observed leveraging multiple scripts, like Visual Basic and Windows Batch, and applying ISO and VHD file formats to spread infection. The group has taken advantage of image files to bypass the Windows MoTW flag and evade detection. The latter is a Windows security feature that displays a warning message when a user attempts to open an unknown or suspicious file downloaded from the web. 

Progressive organizations are adopting the proactive cybersecurity strategy to be fully equipped with cyber defense capabilities and efficiently thwart attacks of any scale by the notorious Lazarus Group. Take advantage of 445 Sigma rules to detect Lazarus APT attacks for free or gain more from 2,400+ detections addressing relevant TTPs with On Demand at

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts