CyberSecurity news

FlagThis - #zoom

@www.huntress.com //
The North Korea-aligned threat actor known as BlueNoroff, also tracked as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, has been observed targeting an employee in the Web3 sector with deceptive tactics. According to research shared by Huntress, these tactics include the use of deepfake Zoom calls featuring synthetic personas of company executives to trick victims into installing malware on their Apple macOS devices. This sophisticated social engineering campaign highlights the evolving techniques employed by threat actors to compromise systems and gain access to sensitive information.

Huntress researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon provided detailed analysis of a recent BlueNoroff intrusion targeting a cryptocurrency foundation employee. The employee was initially contacted via Telegram and enticed to schedule a meeting through a Calendly link. This link redirected the user to a fake Zoom domain controlled by the attackers. During the deepfake Zoom meeting, the employee was prompted to download a malicious Zoom extension, delivered via Telegram, under the guise of a microphone issue fix. This extension, named "zoom_sdk_support.scpt," initiated the malware installation process.

The AppleScript downloaded a payload from a malicious website, disabling bash history logging and checking for Rosetta 2 installation on the compromised Mac. It then proceeded to create a hidden file and download binaries to the "/tmp/icloud_helper" directory, prompting the user for their system password and wiping the history of executed commands to cover their tracks. This intrusion led to the discovery of eight distinct malicious binaries on the victim host, including Telegram 2, Root Troy V4, and InjectWithDyld. The Field Effect Analysis team has also been investigating similar activity related to BlueNoroff.



References:
  • Know Your Adversary: Huntress has shared its analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes!
  • The Hacker News: BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware
  • Blog: Zoom & doom: BlueNoroff call opens the door
  • www.huntress.com: Inside BlueNoroff Web3 Intrusion Analysis
  • www.csoonline.com: North Korea’s BlueNoroff uses AI deepfakes to push Mac malware in fake Zoom calls. In a novel social engineering campaign, North Korea’s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite.
  • Virus Bulletin: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • securityonline.info: North Korean BlueNoroff Uses Deepfakes in Zoom Scams to Install macOS Malware for Crypto Theft
  • cyberpress.org: The Field Effect Analysis team has uncovered a highly sophisticated cyberattack campaign tied to the North Korea-aligned BlueNoroff advanced persistent threat (APT) group, where actors weaponize the Zoom videoconferencing platform as a vector for delivering infostealer malware.
  • gbhackers.com: The Field Effect Analysis team has uncovered a targeted social engineering campaign orchestrated by the North Korean state-sponsored threat actor BlueNoroff, a financially motivated subgroup of the notorious Lazarus Group.
Classification:
  • HashTags: #BlueNoroff #macOSMalware #Web3Security
  • Company: Huntress
  • Target: Cryptocurrency professionals
  • Attacker: BlueNoroff
  • Product: Zoom
  • Feature: fake Zoom calls
  • Malware: NodeInitRAT
  • Type: Malware
  • Severity: Major
Bill Toulas@BleepingComputer //
A new wave of sophisticated cyberattacks is targeting individuals and organizations, with the threat actor known as ELUSIVE COMET exploiting a little-known Zoom feature to steal millions in cryptocurrency. The attacks leverage Zoom's remote control functionality, initially designed for accessibility, to gain unauthorized access to victims' computers during seemingly legitimate business calls. ELUSIVE COMET, identified by the Security Alliance, has incorporated this feature into their social engineering attacks, targeting individuals within the cryptocurrency community, impersonating venture capital firms, podcast hosts, and even Bloomberg Crypto representatives.

The attack unfolds with attackers contacting potential victims via Twitter DMs or email, inviting them to participate in Zoom video conferences. During screen sharing, the attackers request remote control access while simultaneously changing their display name to "Zoom" to mimic a system notification. If victims, often distracted, grant permission, the attackers gain full control of the computer, enabling them to install malware, exfiltrate sensitive data, or steal cryptocurrency. One notable victim, Jake Gallen, CEO of NFT platform Emblem Vault, reportedly lost around $100,000 and control of his accounts after his computer was compromised using this technique.

Security experts are advising users to disable the Zoom remote control feature if it is not needed, as well as the entire Zoom accessibility suite. Trail of Bits, a cybersecurity research firm whose CEO was also targeted, recommends a multi-layered defense strategy. This includes aggressive machine learning prevention settings, mandatory upgrades to the latest macOS versions, hardware security keys for Google Workspace accounts, company-wide password management, and a preference for Google Meet over Zoom due to its stronger security features. Organizations can also deploy Privacy Preferences Policy Control (PPPC) profiles to prevent exploitation of this vulnerability.



References:
  • cyberinsider.com: Zoom’s Remote Control Feature Exploited in ELUSIVE COMET Attacks
  • Cyber Security News: Zoom Remote Control Feature Exploited to Access Victims’ Computers—with Permission
  • www.helpnetsecurity.com: The Zoom attack you didn’t see coming
  • cyberpress.org: Zoom Remote Control Feature Exploited to Access Victims’ Computers—with Permission
  • Cyber Security News: Hackers Leverage Zoom’s Remote Control Feature to Gain Users’ System Access
  • Risky.Biz: Risky Bulletin: Zoom has a remote control feature and crypto thieves are abusing it
  • Risky Business Media: Risky Bulletin: Crypto-thieves abuse Zoom's remote control feature
  • CyberInsider: Zoom’s Remote Control Feature Exploited in ELUSIVE COMET Attacks
  • cybersecuritynews.com: Hackers Leverage Zoom’s Remote Control Feature to Gain Users’ System Access
  • bsky.app: Newsletter: https://news.risky.biz/risky-bulletin-zoom-has-a-remote-control-feature-and-crypto-thieves-are-abusing-it/ -Crypto-thieves abuse secret Zoom remote control feature
  • ciso2ciso.com: CISO2CISO reports on North Korean Cryptocurrency Thieves Caught Hijacking Zoom
  • BleepingComputer: Hackers abuse Zoom remote control feature for crypto-theft attacks
  • www.scworld.com: Zoom Remote feature exploited in North Korean crypto theft operations
  • www.bleepingcomputer.com: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • The DefendOps Diaries: The 'Elusive Comet' Cyber Threat: A Deep Dive into Cryptocurrency Attacks
  • bsky.app: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines. https://www.bleepingcomputer.com/news/security/hackers-abuse-zoom-remote-control-feature-for-crypto-theft-attacks/
  • BleepingComputer: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • bsky.app: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • Anonymous: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • SecureWorld News: Hackers Exploit Zoom's Remote Control Feature in Cryptocurrency Heists
  • Graham Cluley: Smashing Security podcast #414: Zoom.. just one click and your data goes boom!
  • Malwarebytes: Zoom attack tricks victims into allowing remote access to install malware and steal money
  • www.itpro.com: Hackers are using Zoom’s remote control feature to infect devices with malware
  • malware.news: Zoom attack tricks victims into allowing remote access to install malware and steal money
  • hackread.com: Hackers Use Zoom Remote-Control to Steal Crypto
  • blog.trailofbits.com: Experts observed an ongoing Elusive Comet campaign targeting individuals interested in cryptocurrency through the remote control feature in Zoom.
  • Smashing Security: Graham explores how the Elusive Comet cybercrime gang are using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call, and Carole goes under the covers to explore the extraordinary lengths bio-hacking millionaire Bryan Johnson is attempting to extend his life.
  • The Register - Security: Elusive Comet is using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call.
Classification: