- Cybercriminals invite victims to speak to “journalists”
- On the Zoom call, victims are asked to grant remote-control access
- Those who grant the access lose their crypto
Hackers are abusing Zoom’s remote control feature to steal people’s cryptocurrency, experts have warned.
Cybersecurity researchers at Trail of Bits say they have seen the attack in the wild, aimed at “high-value targets”: people whom the media would often contact for comments and discussion of current events. The attackers reach out via social media (X, for example) and send a Zoom invitation via Calendly, posing as Bloomberg journalists.
On the call, the attackers join under an account named “Zoom” and request remote control of the victim’s screen. The victim sees a pop-up saying “Zoom is requesting remote control of your screen”, which, for someone used to granting permissions without thinking twice, can look like a legitimate request from a legitimate application.
Comet
“What makes this attack particularly dangerous is the similarity of the permission dialog to other harmless Zoom notifications,” said Trail of Bits.
“Users accustomed to clicking ‘Approve’ on Zoom prompts can grant complete control of their computer without realizing the implications.”
Once access has been granted, the attackers move quickly: they deploy a stealthy backdoor or another persistence mechanism, then disconnect from the call.
The final step is to use that malware to reach the victim’s cryptocurrency wallets and siphon off all the funds inside.
The researchers named the group “Elusive Comet” and said its methodology is probably copied from Lazarus, the infamous North Korean state-sponsored group that targets cryptocurrency companies.
“The Elusive Comet methodology reflects the techniques behind the recent $1.5 billion hack in February, where the attackers manipulated legitimate workflows rather than exploiting code vulnerabilities,” said Trail of Bits in its report.
To mitigate the risk, do not grant remote access to people or applications unless you are certain the requester is who they claim to be; an unexpected remote-control prompt during a call is a reason to decline, not to approve.
Via BleepingComputer