CyberSecurity news

FlagThis - #zoom

@www.huntress.com //
The North Korea-aligned threat actor known as BlueNoroff, also tracked as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, has been observed targeting an employee in the Web3 sector with deceptive tactics. According to research shared by Huntress, these tactics include the use of deepfake Zoom calls featuring synthetic personas of company executives to trick victims into installing malware on their Apple macOS devices. This sophisticated social engineering campaign highlights the evolving techniques employed by threat actors to compromise systems and gain access to sensitive information.

Huntress researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon provided detailed analysis of a recent BlueNoroff intrusion targeting a cryptocurrency foundation employee. The employee was initially contacted via Telegram and enticed to schedule a meeting through a Calendly link. This link redirected the user to a fake Zoom domain controlled by the attackers. During the deepfake Zoom meeting, the employee was prompted to download a malicious Zoom extension, delivered via Telegram, under the guise of a microphone issue fix. This extension, named "zoom_sdk_support.scpt," initiated the malware installation process.

The AppleScript downloaded a payload from a malicious website, disabling bash history logging and checking for Rosetta 2 installation on the compromised Mac. It then proceeded to create a hidden file and download binaries to the "/tmp/icloud_helper" directory, prompting the user for their system password and wiping the history of executed commands to cover their tracks. This intrusion led to the discovery of eight distinct malicious binaries on the victim host, including Telegram 2, Root Troy V4, and InjectWithDyld. The Field Effect Analysis team has also been investigating similar activity related to BlueNoroff.

Recommended read:
References:
  • Know Your Adversary: Huntress has shared its analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes!
  • The Hacker News: BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware
  • Blog: Zoom & doom: BlueNoroff call opens the door
  • www.huntress.com: Inside BlueNoroff Web3 Intrusion Analysis
  • www.csoonline.com: North Korea’s BlueNoroff uses AI deepfakes to push Mac malware in fake Zoom calls. In a novel social engineering campaign, North Korea’s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite.
  • Virus Bulletin: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • securityonline.info: North Korean BlueNoroff Uses Deepfakes in Zoom Scams to Install macOS Malware for Crypto Theft
  • cyberpress.org: BlueNoroff Hackers Leverage Zoom App to Spread Infostealer Malware in Sophisticated Cyberattacks
  • gbhackers.com: Exploits Zoom App to Deploy Infostealer Malware in Targeted Attacks

Bill Toulas@BleepingComputer //
A new wave of sophisticated cyberattacks is targeting individuals and organizations, with the threat actor known as ELUSIVE COMET exploiting a little-known Zoom feature to steal millions in cryptocurrency. The attacks leverage Zoom's remote control functionality, initially designed for accessibility, to gain unauthorized access to victims' computers during seemingly legitimate business calls. ELUSIVE COMET, identified by the Security Alliance, has incorporated this feature into their social engineering attacks, targeting individuals within the cryptocurrency community, impersonating venture capital firms, podcast hosts, and even Bloomberg Crypto representatives.

The attack unfolds with attackers contacting potential victims via Twitter DMs or email, inviting them to participate in Zoom video conferences. During screen sharing, the attackers request remote control access while simultaneously changing their display name to "Zoom" to mimic a system notification. If victims, often distracted, grant permission, the attackers gain full control of the computer, enabling them to install malware, exfiltrate sensitive data, or steal cryptocurrency. One notable victim, Jake Gallen, CEO of NFT platform Emblem Vault, reportedly lost around $100,000 and control of his accounts after his computer was compromised using this technique.

Security experts are advising users to disable the Zoom remote control feature if it is not needed, as well as the entire Zoom accessibility suite. Trail of Bits, a cybersecurity research firm whose CEO was also targeted, recommends a multi-layered defense strategy. This includes aggressive machine learning prevention settings, mandatory upgrades to the latest macOS versions, hardware security keys for Google Workspace accounts, company-wide password management, and a preference for Google Meet over Zoom due to its stronger security features. Organizations can also deploy Privacy Preferences Policy Control (PPPC) profiles to prevent abuse of this feature.

Recommended read:
References:
  • cyberinsider.com: Zoom’s Remote Control Feature Exploited in ELUSIVE COMET Attacks
  • Cyber Security News: Zoom Remote Control Feature Exploited to Access Victims’ Computers—with Permission
  • www.helpnetsecurity.com: The Zoom attack you didn’t see coming
  • cyberpress.org: Zoom Remote Control Feature Exploited to Access Victims’ Computers—with Permission
  • Cyber Security News: Hackers Leverage Zoom’s Remote Control Feature to Gain Users’ System Access
  • Risky.Biz: Risky Bulletin: Zoom has a remote control feature and crypto thieves are abusing it
  • Risky Business Media: Risky Bulletin: Crypto-thieves abuse Zoom's remote control feature
  • bsky.app: Newsletter: https://news.risky.biz/risky-bulletin-zoom-has-a-remote-control-feature-and-crypto-thieves-are-abusing-it/ - Crypto-thieves abuse secret Zoom remote control feature
  • ciso2ciso.com: CISO2CISO reports on North Korean Cryptocurrency Thieves Caught Hijacking Zoom
  • BleepingComputer: Hackers abuse Zoom remote control feature for crypto-theft attacks
  • www.scworld.com: Zoom Remote feature exploited in North Korean crypto theft operations
  • www.bleepingcomputer.com: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • The DefendOps Diaries: The 'Elusive Comet' Cyber Threat: A Deep Dive into Cryptocurrency Attacks
  • bsky.app: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines. https://www.bleepingcomputer.com/news/security/hackers-abuse-zoom-remote-control-feature-for-crypto-theft-attacks/
  • SecureWorld News: Hackers Exploit Zoom's Remote Control Feature in Cryptocurrency Heists
  • Graham Cluley: Smashing Security podcast #414: Zoom.. just one click and your data goes boom!
  • Malwarebytes: Zoom attack tricks victims into allowing remote access to install malware and steal money
  • www.itpro.com: Hackers are using Zoom’s remote control feature to infect devices with malware
  • malware.news: Zoom attack tricks victims into allowing remote access to install malware and steal money
  • hackread.com: Hackers Use Zoom Remote-Control to Steal Crypto
  • blog.trailofbits.com: Experts observed an ongoing Elusive Comet campaign targeting individuals interested in cryptocurrency through the remote control feature in Zoom.
  • Smashing Security: Graham explores how the Elusive Comet cybercrime gang are using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call, and Carole goes under the covers to explore the extraordinary lengths bio-hacking millionaire Bryan Johnson is attempting to extend his life.
  • The Register - Security: Elusive Comet is using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call.

do son@securityonline.info //
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.

The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service, for data exfiltration.

Recommended read:
References:
  • bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
  • BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
  • Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
  • gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
  • Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For lateral movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
  • Osint10x: Fake Zoom Ends in BlackSuit Ransomware
  • securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
  • bsky.app: Lazarus adopts ClickFix technique.
  • : New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
  • BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.

do son@securityonline.info //
A recent cyberattack campaign has been uncovered, highlighting the use of a malicious Zoom installer to deploy BlackSuit ransomware. Threat actors are exploiting users by distributing a weaponized Zoom installer through a cloned website, ultimately gaining remote desktop protocol (RDP) access to targeted systems. This sophisticated intrusion begins when unsuspecting users download the fake installer, initiating a multi-stage malware deployment.

The malicious installer deploys a loader that downloads additional payloads, including SectopRAT malware, used for reconnaissance and credential harvesting. After a dwell period, threat actors then deploy Brute Ratel and Cobalt Strike for lateral movement across the network. The attackers exfiltrate data and ultimately distribute the BlackSuit ransomware, encrypting files and leaving ransom notes. This incident underscores the evolving tactics of cybercriminals who combine social engineering with advanced malware techniques to evade detection and maximize the impact of their attacks.

Recommended read:
References:
  • Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
  • gbhackers.com: Weaponized Zoom Installer Used by Hackers to Gain RDP Access and Deploy BlackSuit Ransomware
  • Osint10x: Fake Zoom Ends in BlackSuit Ransomware
  • securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast