Mark-of-the-Web bypass

The BlueNoroff APT group has adopted methods to bypass the Mark-of-the-Web mechanism

BlueNoroff bypasses Mark-of-the-Web

Usually, when a user tries to read an office document that has been emailed or downloaded from a website, Microsoft Office opens it in protected mode. It does this using Mark-of-the-Web (MOTW), one of Windows’ default protection mechanisms. It marks files that appeared on your PC from the internet, so that applications know their source and can draw the user’s attention to potential danger. However, blindly relying on the effectiveness of such a warning mechanism is probably a bad idea since, of late, many attackers have begun to use methods to bypass MOTW. For example, when our experts were recently studying the tools of the BlueNoroff group (which is thought to be part of the Lazarus group), they discovered that it is employing new tricks for deceiving the operating system.

How BlueNoroff bypasses the MOTW mechanism

The Mark-of-the-Web mechanism works as follows: as soon as a user (or program) downloads a file from the net, the NTFS file system affixes a “from the internet” attribute to it. But this attribute is not always inherited by files that arrive indirectly. When you download an archive, all the files inside it get this attribute when they are extracted. However, an archive is far from the only way to transfer a file indirectly.

The attackers behind the BlueNoroff group have begun experimenting with new file types to deliver malicious documents. On some occasions they employ the .iso format, commonly used for storing optical disc images. The other option is a .vhd file, which usually contains a virtual hard drive. In other words, they hide the real attack payload — a decoy document and a malicious script — inside the image or virtual drive. When the recipient mounts the image, the files inside it carry no “from the internet” mark, so Office does not open the document in protected mode.
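A defender's check for the mechanism described in the two paragraphs above, added here as an example and not taken from the original post or from Securelist: it parses the Zone.Identifier alternate data stream in which Windows records the mark, and lists files in a directory (for example, files an employee copied out of a mounted .iso or .vhd) that carry no Internet-zone mark. The sample stream text and the directory path are constructed; reading the stream itself only works on Windows/NTFS.

```python
import configparser
import os
import sys
from typing import Optional

# URL security zones as recorded in the ZoneId field of the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of a Zone.Identifier stream as written by a browser download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/invoice/
HostUrl=https://example.invalid/invoice/document.docx
"""

def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style text of a Zone.Identifier stream into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream_text)
    except configparser.Error as exc:
        raise ValueError(f"malformed Zone.Identifier stream: {exc}") from exc
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in stream")
    zone_id = cp.getint("ZoneTransfer", "ZoneId")
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer_url": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
            "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None)}

def read_motw(path: str) -> Optional[dict]:
    """Return the parsed mark of a file, or None if it has no Zone.Identifier
    stream (what a file copied out of a mounted ISO/VHD looks like). Windows only:
    the ':Zone.Identifier' suffix names the NTFS alternate data stream."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams can only be read on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None

def files_without_internet_mark(root: str) -> list:
    """Walk a directory and list files that lack an Internet (3) or Restricted (4)
    zone mark, i.e. files Office would open outside protected mode."""
    missing = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mark = read_motw(full)
            if mark is None or mark["zone_id"] < 3:
                missing.append(full)
    return missing
```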

A more detailed technical description of updated BlueNoroff tools and methods, as well as indicators of compromise, can be found in our experts’ post on the Securelist blog.

Who are BlueNoroff and what are they hunting for

At the beginning of this year, we already wrote about the SnatchCrypto campaign aimed at stealing cryptocurrencies. Based on a number of signs, our researchers believe that it’s the same BlueNoroff group that’s behind it. The activity observed today is also aimed primarily at obtaining financial gain. Actually, the final stage of the attack has remained the same — the criminals install a backdoor on the infected computer.

The BlueNoroff group has registered many domains that imitate venture capital and investment companies, as well as large banks. Judging by the names of the banks, as well as by the decoy documents used by the attackers, they’re currently primarily interested in targets that speak Japanese. However, at least one victim of the group was found in the UAE. As practice shows, BlueNoroff is interested primarily in businesses related to cryptocurrencies, as well as financial companies.

How to stay safe?

First of all, it’s worth abandoning the illusion that the default protective mechanisms built into the OS are enough to keep your company safe. The Mark-of-the-Web mechanism cannot protect against an employee opening a file received from the internet and running a malicious script. In order for your company not to fall victim to the attacks of BlueNoroff and similar APT groups, our experts recommend as follows:

  • installing modern security solutions on all working devices — they’ll prevent scripts being run from malicious files;
  • keeping your employees aware of modern cyberthreats — properly organized training will help them not fall for the bait of attackers;
  • using EDR class security solutions, and, if necessary, employing Managed Detection and Response services — they’ll allow timely detection of malicious activity in the corporate network and help stop an attack before real damage is done.