About Arctic Wolf
Cybersecurity experts at Arctic Wolf have disclosed information about an advanced campaign attacking North American Web3 and cryptocurrency organizations. State-sponsored group BlueNoroff launched the attack campaign, it is a financially motivated gang associated with the infamous North Korean Lazarus Group. The aim is to make persistent access on the victim device.
The gang does this by fooling the victim into deploying malware on the systems; however, their tactic is quite advanced.
The discovery
Arctic Wolf found an active malicious intrusion in which the threat actor used spear-phishing to send an altered Calendly calendar invite with a typo-squatted Zoom link while posing as a respectable person in the Fintech legal industry. When the victim clicked the link, they were shown a phony Zoom meeting interface that simultaneously launched a ClickFix-style clipboard injection attack and secretly exfiltrated their live camera feed to use as a lure in subsequent attacks.
After that, information was stolen from the victim’s device and browsers via a multi-stage credential extraction pipeline that concentrated on cryptocurrency wallet extensions.v
Now enters ClickFix
Now enters ClickFix
While launching the attack campaign, the hackers use real, high-profile people from the Web3 world, create fake headshots (that look real) via ChatGPT, and generate animated videos via Adobe Premiere Pro.
After this, the hackers would make a fake Zoom video call website similar to the actual Zoom call page, and would show the video to make it all look real.
Attack tactic
After this, BlueNoroff gang would invite the actual victim via Calendly, six months prior (to make it all look real and convincing) as prominent people are busy.
Once the victim opens the Zoom link, they see the usual: a video call webpage with the user on the other side moving and acting like they are real people (remember they are all fake sem-animated video)but, after eight seconds on call, a notification comes up, saying their “SDK is deprecated” and showing users “Update Now” option.
“The technical execution chain in this campaign is both efficient and operationally disciplined. From initial URL click to full system compromise, including C2 establishment, Telegram session theft, browser credential harvesting, and persistence, the attacker completed in under five minutes,” Arctic Wolf said.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: