- State-sponsored attackers have crafted convincing fake video calls to target cryptocurrency companies.
- A clipboard hijacking trick replaced a harmless command with malware-deploying code.
- The operation enabled rapid credential theft, persistence, and complete system compromise.
Security researchers Arctic Wolf have revealed details of a highly sophisticated campaign targeting North American Web3 and cryptocurrency companies.
It is carried out by state-sponsored malicious actors called BlueNoroff, a financially motivated subgroup of the feared North Korean Lazarus group, with the aim of establishing persistent access to their target’s devices.
They do this by tricking victims into installing the malware on their own computers, and the way they do it is quite advanced.
ClickFix entered the chat
While preparing the attack, the threat actors would take the identities of real, high-profile people from the Web3 world, generate convincing portraits of them using ChatGPT, and create semi-animated videos using Adobe Premiere Pro 2021.
They would then create a fake Zoom video call website identical to the real Zoom call page and display the video to make it even more convincing.
BlueNoroff would then invite the actual victim via Calendly, almost six months later (most likely to make it more convincing – important people are, after all, very busy).
When the victim clicks on the Zoom link, they see what they are used to seeing: a video call page with the person on the other side moving and acting as if they were real. However, eight seconds into the call, a message appears on the screen stating that their “SDK is out of date” and presenting them with an “Update Now” button.
The button leads to a typical ClickFix technique: to “fix” the problem, the victim must copy and paste a command. But as many people are now aware of these attacks, BlueNoroff goes one step further: the command shown on the page is actually legitimate and harmless.
However, the fake Zoom website embeds a malicious JavaScript application that handles the “copy” action, intercepts the clipboard event in the browser, and replaces what the user thinks they copied with different code.
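The interception described above is ordinary browser behaviour: a page script can listen for the `copy` event, write its own payload with `clipboardData.setData`, and call `preventDefault` so the visible selection never reaches the clipboard. The following is an added illustration, not code from the article or from Arctic Wolf. It models that flow with a constructed stand-in for the browser event (so it runs under Node.js without a DOM) and pairs it with the defensive check a user or browser extension can apply: compare what was selected with what actually landed on the clipboard. The command text and the replacement string are constructed placeholders, not anything from the campaign.

```javascript
// Added example for illustration; not code from the article or from Arctic Wolf.
// Models the browser "copy" event flow the article describes plus a defensive
// consistency check. In a browser the handler would be attached with
// document.addEventListener("copy", handler); here a minimal constructed
// event object stands in so the code runs under Node.js.

// Minimal stand-in for a browser ClipboardEvent (constructed for this example).
function makeCopyEvent(selectedText) {
  const store = { "text/plain": selectedText };
  return {
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
    clipboardData: {
      setData(type, value) { store[type] = value; },
      getData(type) { return store[type] || ""; },
    },
  };
}

// The pattern the article describes: a page script handles "copy", overrides
// the payload and suppresses the default action so the visible selection is
// never written. The replacement here is a labelled placeholder string.
function hijackingCopyHandler(event, replacement) {
  event.clipboardData.setData("text/plain", replacement);
  event.preventDefault();
}

// Defensive check: does the clipboard payload equal what the user selected?
// Whitespace is normalised because pages may legitimately trim line endings.
function clipboardMatchesSelection(selectedText, clipboardText) {
  const norm = (s) => s.replace(/\s+/g, " ").trim();
  return norm(selectedText) === norm(clipboardText);
}

// Run one copy action through an optional page handler, apply the browser's
// default action when it was not prevented, and report whether the clipboard
// content diverges from the selection.
function simulateCopy(selectedText, pageHandler) {
  const event = makeCopyEvent(selectedText);
  if (pageHandler) pageHandler(event);
  if (!event.defaultPrevented) {
    // Browser default: the selection overwrites whatever the handler set.
    event.clipboardData.setData("text/plain", selectedText);
  }
  const clipboardText = event.clipboardData.getData("text/plain");
  return {
    clipboardText,
    tampered: !clipboardMatchesSelection(selectedText, clipboardText),
  };
}

// Constructed sample values: a harmless visible command and a placeholder
// standing in for whatever a hostile page would swap in.
const VISIBLE_COMMAND = "echo update-ok";
const PLACEHOLDER_SWAP = "<<replaced-by-page-script>>";

const honest = simulateCopy(VISIBLE_COMMAND, null);
const hostile = simulateCopy(VISIBLE_COMMAND, (e) => hijackingCopyHandler(e, PLACEHOLDER_SWAP));
console.log("honest page, clipboard tampered:", honest.tampered);   // false
console.log("hostile page, clipboard tampered:", hostile.tampered); // true
```

The practical takeaway is the `tampered` check: pasting a copied “fix” command into a plain text editor before running it exposes the mismatch, and the same comparison can be automated in a browser extension that watches the `copy` event.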
This code, if executed, deploys malware on the device that establishes remote access to the system, allows BlueNoroff to exfiltrate credentials, session tokens, and other sensitive business data, and gives them the ability to move laterally across the network.
“The technical execution chain for this campaign is both operationally efficient and disciplined,” Arctic Wolf said. “From the initial click on the URL to the complete compromise of the system, including establishing C2, Telegram session theft, harvesting browser credentials, and persistence, the attacker was finished in less than five minutes.”