FlagThis - #Huntress

The North Korea-aligned threat actor known as BlueNoroff, also tracked as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, has been observed targeting an employee in the Web3 sector with deceptive tactics. According to research shared by Huntress, these tactics include the use of deepfake Zoom calls featuring synthetic personas of company executives to trick victims into installing malware on their Apple macOS devices. This sophisticated social engineering campaign highlights the evolving techniques employed by threat actors to compromise systems and gain access to sensitive information.

Huntress researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon provided detailed analysis of a recent BlueNoroff intrusion targeting a cryptocurrency foundation employee. The employee was initially contacted via Telegram and enticed to schedule a meeting through a Calendly link. This link redirected the user to a fake Zoom domain controlled by the attackers. During the deepfake Zoom meeting, the employee was prompted to download a malicious Zoom extension, delivered via Telegram, under the guise of a microphone issue fix. This extension, named "zoom_sdk_support.scpt," initiated the malware installation process.

The AppleScript downloaded a payload from a malicious website, disabling bash history logging and checking for Rosetta 2 installation on the compromised Mac. It then proceeded to create a hidden file and download binaries to the "/tmp/icloud_helper" directory, prompting the user for their system password and wiping the history of executed commands to cover their tracks. This intrusion led to the discovery of eight distinct malicious binaries on the victim host, including Telegram 2, Root Troy V4, and InjectWithDyld. The Field Effect Analysis team has also been investigating similar activity related to BlueNoroff.


References :

• Know Your Adversary: Huntress has shared the of analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes!
• The Hacker News: BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware
• Blog: Zoom & doom: BlueNoroff call opens the door
• www.huntress.com: Inside BlueNoroff Web3 Intrusion Analysis
• www.csoonline.com: North Korea’s BlueNoroff uses AI deepfakes to push Mac malware in fake Zoom calls. In a novel social engineering campaign, North Korea’s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite.
• Virus Bulletin: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
• securityonline.info: North Korean BlueNoroff Uses Deepfakes in Zoom Scams to Install macOS Malware for Crypto Theft
• cyberpress.org: The Field Effect Analysis team has uncovered a highly sophisticated cyberattack campaign tied to the North Korea-aligned BlueNoroff advanced persistent threat (APT) group, where actors weaponize the Zoom videoconferencing platform as a vector for delivering infostealer malware.
• gbhackers.com: The Field Effect Analysis team has uncovered a targeted social engineering campaign orchestrated by the North Korean state-sponsored threat actor BlueNoroff, a financially motivated subgroup of the notorious Lazarus Group.

Classification:

• HashTags: #BlueNoroff #macOSMalware #Web3Security
• Company: Huntress
• Target: Cryptocurrency professionals
• Attacker: BlueNoroff
• Product: Zoom
• Feature: fake Zoom calls
• Malware: NodeInitRAT
• Type: Malware
• Severity: Major