Ultimately, it elevates the level of trust sufficiently for the document to be opened. This works even better for the attacker, because the original email and the attachment appear to have already been checked by the forwarding party.
Jumpshare chrome extension Offline#
We opened the email on an offline system if the system had been connected to the internet, there would be a real icon for a Google document loaded from a third-party tracking server that immediately notifies the attacker that the target opened the email.īut we also observed a slightly more elaborate approach of an email being forwarded from one colleague to another. Note the tiny “X” image – it’s an icon for an image that failed to load. In a simple scenario, it can appear as a notification of a shared document via Google Drive from one colleague/friend to another: BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.
A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion.
This lets them mount high-quality social engineering attacks that look like totally normal interactions. The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. Throughout its SnatchCrypto campaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and interaction with external entities.Īccording to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups.
Jumpshare chrome extension update#
Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means. If there’s one thing BlueNoroff has been very good at, it’s the abuse of trust. The group is currently active (recent activity was spotted in November 2021). We reported about the first variant of such software back in 2018, but there were many other samples to be found, which was later reported by the US CISA (Cybersecurity and Infrastructure Security Agency) in 2021. These attackers even took the long route of building fake cryptocurrency software development companies in order to trick their victims into installing legitimate-looking applications that eventually receive backdoored updates. It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. See our earlier publication about BlueNoroff attacks on the banking sector.Īlso, we have previously reported on cryptocurrency-focused BlueNoroff attacks. The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure. A mysterious group with links to Lazarus and an unusual financial motivation for an APT. BlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack on Bangladesh’s Central Bank back in 2016.
0 kommentar(er)
