- State-sponsored attackers made convincing fake video calls to target cryptocurrency companies
- A clipboard hijacking trick replaced benign commands with code that deploys malware
- The operation quickly enabled credential theft, persistence, and complete system compromise
Security researchers at Arctic Wolf have revealed details of a highly sophisticated campaign targeting North American Web3 and cryptocurrency companies.
It is carried out by state-sponsored threat actors called BlueNoroff, a financially motivated subset of the dreaded North Korean Lazarus Group, with the goal of establishing persistent access on their target’s devices.
They do this by tricking the victim into installing the malware on their own computer, but the way they do it is quite advanced.
ClickFix has entered the chat
While preparing for the attack, the threat actors would use real high-value people from the Web3 world, generate compelling headshots using ChatGPT, and create semi-animated videos using Adobe Premiere Pro 2021.
They would then create a fake Zoom video call website identical to the actual Zoom call page and would display the video to make it look even more convincing.
BlueNoroff would then invite the actual victim through Calendly, almost half a year into the future (most likely to make it look more convincing – important people are super busy after all).
When the victim clicks on the Zoom link, they see what they’re used to seeing – a video call page with the person on the other end moving and behaving as if they were real. But eight seconds into the call, a message appears across the screen saying their “SDK is out of date” and presenting them with an “Update Now” button.
The button leads to a typical ClickFix technique – to “fix” the problem, the victim must copy and paste a command. But since many are now aware of these attacks, BlueNoroff takes it a step further – the code being copied is actually legitimate and benign.
However, the fake Zoom site has malicious JavaScript embedded that handles the “copy” action: it intercepts the clipboard event in the browser and replaces what the user thinks they copied with a different command.
If executed, that command deploys malware on the device that establishes remote access to the system, allows BlueNoroff to exfiltrate credentials, session tokens and other sensitive business data, and lets them move laterally through the network.
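The clipboard swap described above, as an added example that is not code from the article or from Arctic Wolf’s report: a minimal stand-in for the browser’s ClipboardEvent (constructed here so the logic runs outside a browser), the copy-handler pattern the campaign relies on with a placeholder in place of any real payload, and the check that exposes it, namely comparing the command the page displays with what actually landed on the clipboard.

```javascript
// Stand-in for the browser's ClipboardEvent (constructed for this example).
class FakeClipboardEvent {
  constructor(selectedText) {
    this.selectedText = selectedText;   // text the user actually highlighted
    this.defaultPrevented = false;
    this.clipboardData = {
      written: null,
      setData(type, value) { if (type === "text/plain") this.written = value; },
    };
  }
  preventDefault() { this.defaultPrevented = true; }
}

// Browser behaviour: if no handler calls preventDefault(), the selection is
// copied; otherwise whatever the handler wrote via setData() is what the
// user ends up with on the clipboard.
function dispatchCopy(selectedText, handler) {
  const evt = new FakeClipboardEvent(selectedText);
  if (handler) handler(evt);
  return evt.defaultPrevented ? evt.clipboardData.written : evt.selectedText;
}

// The pattern the article describes: the page's copy handler discards the
// benign selection and writes a different command to the clipboard.
function makeSwappingHandler(replacement) {
  return evt => {
    evt.preventDefault();
    evt.clipboardData.setData("text/plain", replacement);
  };
}

// Defensive check: the displayed "fix" command and the clipboard contents
// must match (modulo whitespace). Any difference means the page tampered
// with the copy, and the text must not be pasted into a shell or Run box.
function clipboardTampered(displayedCommand, clipboardText) {
  const norm = s => s.replace(/\s+/g, " ").trim();
  return norm(displayedCommand) !== norm(clipboardText);
}

// Walk through both cases with constructed sample text.
function runScenarios() {
  const displayed = "zoom --check-sdk";                       // constructed, benign
  const swapped = "<placeholder: attacker-controlled command>"; // constructed
  const honest = dispatchCopy(displayed, null);
  const hijacked = dispatchCopy(displayed, makeSwappingHandler(swapped));
  return {
    honestTampered: clipboardTampered(displayed, honest),     // false
    hijackedTampered: clipboardTampered(displayed, hijacked), // true
    hijackedText: hijacked,
  };
}
```

In practice the same comparison can be done by pasting into a plain text editor first and reading the result before it ever reaches a terminal.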
“The technical execution chain in this campaign is both efficient and operationally disciplined,” Arctic Wolf said. “From initial URL click to full system compromise, including C2 establishment, Telegram session theft, browser credential harvesting, and persistence, the attacker completed in under five minutes.”