BlueNoroff

  • First known sample

    2016
  • Discovery

    2017
  • Current status

    Active
  • Type

    Backdoor
  • Targeted platforms

    Windows
  • Top targeted countries

    Australia, India, Mexico, Norway, Peru, Poland, Russia
  • Connected attacks

  • The way of propagation

    Watering hole attacks
  • Purpose/Functions

    Stealing money
  • Special features

    BlueNoroff, a subgroup of Lazarus, focuses on financial attacks only. The subgroup has reverse-engineering skills: its members spend time tearing apart legitimate software and implementing patches for SWIFT Alliance software in attempts to find ways to steal large sums of money. Their malware is different, and they are not exactly soldiers that hit and run. Instead, they prefer to make an execution trace so they can reconstruct and quickly debug the problem. They are field engineers who come in once the ground has already been cleared after conquering new lands.
  • Targets

    Financial institutions
  • Artefacts/Attribution

    One short connection was made from a very unusual IP range, which originates in North Korea.
  • Description

    A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POS software and cryptocurrency businesses, and ATMs. This actor was linked to major financial attacks, including the Bangladesh Central Bank heist.

    Additional information