- State-sponsored attackers created convincing fake video calls to target cryptocurrency companies.
- A clipboard hijacking trick replaced the benign command the victim copied with malware deployment code.
- The operation enabled rapid credential theft, persistence, and full system compromise.
Security researchers Arctic Wolf have revealed details of a highly sophisticated campaign targeting North American Web3 and cryptocurrency companies.
It is carried out by state-sponsored threat actors called BlueNoroff, a financially motivated subgroup of North Korea’s feared Lazarus Group, with the goal of establishing persistent access on their target’s devices.
They do this by tricking the victim into installing malware on the computers themselves, but the way they do it is quite advanced.
ClickFix has entered the chat
While preparing for the attack, the threat actors would pick real, high-value people from the Web3 world, generate convincing portraits of them using ChatGPT, and turn those into semi-animated videos using Adobe Premiere Pro 2021.
They would then create a fake Zoom video calling website identical to the real Zoom calling page and display the video to make it look even more convincing.
BlueNoroff would then invite the real victim via Calendly to a meeting almost half a year in the future (most likely to look more convincing; important people are very busy, after all).
When the victim clicks on the Zoom link, they see what they are used to seeing: a video call page with the person on the other end moving and acting as if it were real. However, eight seconds into the call, a message appears on the screen stating that their “SDK is obsolete” and presents them with an “Update Now” button.
The button leads to a typical ClickFix technique: to “fix” the problem, the victim needs to copy and paste a command. But since many are already aware of these attacks, BlueNoroff goes a step further: the code that is copied is actually legitimate and benign.
However, the fake Zoom website has a built-in malicious JavaScript application that handles the “copy” action, intercepts the clipboard event in the browser, and replaces what the user thinks they copied with different code.
That code, if executed, deploys malware on the device that establishes remote access to the system, allows BlueNoroff to leak credentials, session tokens, and other sensitive business data, and gives them the ability to move laterally across the network.
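The clipboard swap described above comes down to one browser feature: a page can register a listener for the copy event, write its own text into the clipboard and cancel the browser's default action, so what lands on the clipboard is not what was highlighted. The following Node.js model is an added example, not code from the article or from Arctic Wolf; the document and event objects are minimal constructed stand-ins for the browser, the replacement string is a labelled placeholder rather than any real payload, and the auditCopy check models the one defensive habit that catches this: pasting into a plain text editor and comparing against what was shown before running anything.

```javascript
// Added example (not from the article): a Node.js model of a copy-event
// clipboard swap and a defender-side mismatch check. Browser objects are
// replaced with small constructed fakes so the logic runs offline.

// Minimal stand-in for a browser copy event carrying a clipboardData store.
class FakeCopyEvent {
  constructor(selectedText) {
    this.selectedText = selectedText;   // what the user actually highlighted
    this.defaultPrevented = false;
    const store = new Map();
    this.clipboardData = {
      setData: (type, value) => store.set(type, value),
      getData: (type) => store.get(type) || "",
    };
  }
  preventDefault() { this.defaultPrevented = true; }
}

// Minimal stand-in for the document: dispatch runs the page's copy
// listeners, then applies the browser default (copy the selection)
// unless a listener cancelled it.
class FakeDocument {
  constructor() { this.listeners = []; }
  addEventListener(type, fn) { if (type === "copy") this.listeners.push(fn); }
  copy(selectedText) {
    const ev = new FakeCopyEvent(selectedText);
    for (const fn of this.listeners) fn(ev);
    if (!ev.defaultPrevented) ev.clipboardData.setData("text/plain", selectedText);
    return ev.clipboardData.getData("text/plain");
  }
}

// The pattern the article describes: a copy listener that discards the
// benign selection and writes something else. The replacement text here is
// a constructed placeholder, not a command.
function installClipboardSwap(doc, replacement) {
  doc.addEventListener("copy", (ev) => {
    ev.clipboardData.setData("text/plain", replacement);
    ev.preventDefault();   // stop the browser from copying the real selection
  });
}

// Defender-side check: compare what landed on the clipboard with what was
// visibly selected. Any difference means the page tampered with the copy.
function auditCopy(doc, selectedText) {
  const clipboard = doc.copy(selectedText);
  return {
    tampered: clipboard !== selectedText,
    shown: selectedText,
    clipboard,
  };
}

// Demo on a constructed page: the same benign "update" command copied from
// an honest page and from a page with the swap installed.
const PLACEHOLDER = "<<CONSTRUCTED REPLACEMENT - stands in for the attacker's command>>";
function demo() {
  const benign = "zoom --check-update";   // constructed benign command
  const honest = new FakeDocument();
  const hostile = new FakeDocument();
  installClipboardSwap(hostile, PLACEHOLDER);
  return {
    honest: auditCopy(honest, benign),
    hostile: auditCopy(hostile, benign),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the model is that nothing visible changes: the honest and hostile pages render the same command, and only the clipboard differs. That is why the practical mitigation is procedural rather than visual: never paste a command copied from a web page straight into a terminal or Run dialog, and treat any in-browser prompt to run a "fix" command as a red flag regardless of how legitimate the displayed text looks.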
“The technical execution chain in this campaign is efficient and operationally disciplined,” Arctic Wolf said. “From the initial click on the URL to the full system compromise, including establishing C2, stealing Telegram sessions, harvesting browser credentials and persistence, the attacker completed in less than five minutes.”