A cybercrime group out of North Korea is impersonating venture capital firms in Japan, the United States and other countries, sister brand SC Media reports.
Kaspersky released a report Tuesday identifying the group as “BlueNoroff”; others dub it “HiddenCobra.” Regardless of name, the goal is to spearphish startup employees and related businesses. Over the last year the group registered at least 70 web domains mimicking the websites of real venture capital firms in Japan and other financial institutions, delivering malware to targeted victims lured by several decoy documents, including fake job offers.
“The actor usually used fake domains such as cloud hosting services for hosting malicious documents or payloads. They also created fake domains disguised as legitimate companies in the financial industry and investment companies,” wrote Seongsu Park, lead security researcher at Kaspersky.
Who's behind the attacks?
The group appears primarily interested in Japanese businesses, targeting local venture capital firms like Beyond Next Ventures, Z Venture Capital and ABF Capital. They also impersonated a Taiwanese venture capital fund as well as financial institutions like Bank of America, the Sumitomo Mitsui Banking Corporation and the Mitsubishi UFJ Financial Group.
Kaspersky places BlueNoroff as part of Lazarus Group – an umbrella term that describes a loose network of financial and espionage-focused hacking teams typically working on behalf of the North Korean government. The group is best known for stealing more than $80 in 2016 after breaking into SWIFT transfer payments used by the Bank of Bangladesh.