North Korean Hackers Deploy Malware Using Weaponized Calendly and Google Meet Links
The North Korean state-sponsored threat actor group, identified as TA444 (also known as BlueNoroff, Sapphire Sleet, and others), has unleashed a sophisticated malware campaign targeting cryptocurrency foundations.
This intricate attack, uncovered by Huntress, leverages weaponized Calendly links and deceptive Google Meet invitations to deliver a barrage of malicious payloads, specifically designed for macOS systems.
The group, notorious for cryptocurrency theft since at least 2017, employed deepfake technology and social engineering to trick victims into downloading a malicious Zoom extension, initiating a multi-stage intrusion with devastating consequences.

Sophisticated Social Engineering Tactics
The attack began with an employee at a cryptocurrency foundation receiving a seemingly innocuous Telegram message from an external contact requesting a meeting.
A Calendly link, disguised as a Google Meet event, redirected the victim to a fake Zoom domain controlled by the attackers.
Weeks later, during a group meeting featuring deepfakes of senior company leadership, the employee was coerced into downloading a supposed Zoom extension from a malicious URL (hxxps[://]support[.]us05web-zoom[.]biz/troubleshoot-issue-727318).
This "extension", in fact an AppleScript named zoom_sdk_support.scpt, opened a legitimate Zoom SDK webpage as a decoy while covertly downloading a secondary payload from the same fraudulent domain.
The script disabled bash history logging, installed Rosetta 2 for compatibility on Apple Silicon Macs, and attempted to harvest user passwords via sudo prompts, meticulously erasing traces of its execution.
Huntress’s technical analysis revealed eight distinct malicious binaries deployed on the victim’s host, showcasing TA444’s advanced capabilities tailored for macOS.
Notable among them is Telegram 2, a persistent implant written in Nim that a LaunchDaemon executes hourly.
Another critical component, Root Troy V4 (remoted), a Go-based backdoor, facilitated remote code execution and payload downloads, using encrypted configuration files stored in /Library/Google/Cache/.
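The two persistence details above (an implant that a LaunchDaemon runs hourly, and attacker files parked under /Library/Google/Cache/) can be turned into a simple triage of a host's LaunchDaemon plists. The following is an added example, not Huntress's tooling or anything recovered from the intrusion. It assumes that "hourly execution" is implemented as a StartInterval of 3600 seconds, that legitimate daemons run programs from a small set of system paths, and that two signals together are worth an analyst's attention; the two sample plists, including the label and program path in the suspicious one, are constructed for the demonstration.

```python
"""Triage macOS LaunchDaemon plists for an hourly job whose program lives outside
the usual system paths. Added example; heuristics and sample plists are constructed."""
import plistlib
from pathlib import Path
from typing import Iterator, Optional

HOURLY_SECONDS = 3600  # assumption: "hourly" persistence expressed as StartInterval 3600

# Heuristic: locations a legitimate LaunchDaemon normally runs its program from.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/",
                    "/Library/PrivilegedHelperTools/", "/Applications/")


def program_of(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs, whichever key the plist uses."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage_job(data: bytes, source: str = "<memory>") -> dict:
    """Parse one LaunchDaemon plist and score it against the persistence pattern."""
    job = plistlib.loads(data)
    program = program_of(job) or ""
    reasons = []
    if job.get("StartInterval") == HOURLY_SECONDS:
        reasons.append("StartInterval of 3600s (hourly cadence)")
    if program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted system paths: {program}")
    # Heuristic (assumption): both signals together warrant review, one alone is common.
    return {"source": source, "label": job.get("Label"), "program": program,
            "reasons": reasons, "suspicious": len(reasons) == 2}


def scan_launchdaemons(directory: Path = Path("/Library/LaunchDaemons")) -> Iterator[dict]:
    """Triage every plist in a LaunchDaemons directory (run as root on a macOS host)."""
    for plist in sorted(directory.glob("*.plist")):
        try:
            yield triage_job(plist.read_bytes(), str(plist))
        except Exception as exc:  # an unparseable job plist is itself worth a look
            yield {"source": str(plist), "label": None, "program": "",
                   "reasons": [f"unparseable plist: {exc}"], "suspicious": True}


# Constructed sample: a daily updater run from /usr/libexec.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/libexec/example-updater</string></array>
<key>StartInterval</key><integer>86400</integer>
</dict></plist>"""

# Constructed sample shaped like the pattern described: hourly, program under
# /Library/Google/Cache/ (label and file name invented for the demo).
IMPLANT_STYLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.cache.helper</string>
<key>ProgramArguments</key><array><string>/Library/Google/Cache/Telegram 2</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, IMPLANT_STYLE_PLIST):
        print(triage_job(sample))
    if Path("/Library/LaunchDaemons").is_dir():
        for result in scan_launchdaemons():
            if result["suspicious"]:
                print(result)
```

On a live host the scan only covers /Library/LaunchDaemons; LaunchAgents under /Library and each user's ~/Library are worth the same check, and a hit should be followed by hashing the referenced program against the IOC table below rather than acting on the heuristic alone.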

The attack also featured InjectWithDyld (a), a C++ loader exploiting Apple’s debugging entitlements for process injection into benign Swift applications, a rare technique on macOS.
Additional implants included XScreen (keyboardd), an Objective-C keylogger capturing keystrokes, clipboard data, and screen content, and CryptoBot (airmond), a Go-based infostealer targeting cryptocurrency wallet extensions across multiple browsers.
These binaries, compiled by four distinct attacker personas, communicated with command-and-control (C2) servers like productnews[.]online and firstfromsep[.]online, transmitting stolen data via encrypted HTTP and WebSocket channels.
This incident underscores the growing threat to macOS environments, often underestimated due to the myth that “Macs don’t get viruses.”
TA444’s use of platform-specific techniques, such as AppleScript and Mach port manipulation for memory injection, highlights the need for robust endpoint protection.
Remote workers, especially in high-risk sectors like cryptocurrency, must remain vigilant against social engineering tactics involving urgent calendar invites or requests to install unfamiliar extensions.
Immediate disconnection and reporting to security teams are crucial upon encountering suspicious indicators like obscure TLDs (.biz, .xyz, .site).
As state-sponsored actors increasingly target macOS with tailored malware, organizations must prioritize comprehensive security measures to safeguard their digital assets against such insidious threats.
Indicators of Compromise (IOCs)
| Name | SHA256 | Notes |
|---|---|---|
| a | 4cd5df82e1d4f93361e71624730fbd1dd2f8ccaec7fc7cbdfa87497fb5cb438c | C++ Dropper |
| remoted | ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320 | Go Backdoor |
| airmond | ad21af758af28b7675c55e64bf5a9b3318f286e4963ff72470a311c2e18f42ff | Go Infostealer |
| keyboardd | 432c720a9ada40785d77cd7e5798de8d43793f6da31c5e7b3b22ee0a451bb249 | Obj-C Keylogger/Screenrecorder |
| zoom_sdk_support.scpt | 1ddef717bf82e61bf79b24570ab68bf899f420a62ebd4715c2ae0c036da5ce05 | Initial Access AppleScript Payload |
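A defender's first use of this table, together with the delivery and C2 domains named earlier in the article, is a sweep of files and observed hostnames against the indicators. The following is an added example, not Huntress's code. The hashes and domains are taken from the page as printed (the domains are stored defanged and refanged only for matching); the file contents and the hostname list in the demo are constructed, and the demo adds the digest of one constructed file to the table so that the sweep has a positive case to show.

```python
"""Sweep file hashes and observed hostnames against the indicators in the article.
Added example; file contents and the hostname sample are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# SHA256 values from the article's IOC table.
FILE_IOCS: Dict[str, str] = {
    "4cd5df82e1d4f93361e71624730fbd1dd2f8ccaec7fc7cbdfa87497fb5cb438c": "a (C++ dropper, InjectWithDyld)",
    "ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320": "remoted (Go backdoor, Root Troy V4)",
    "ad21af758af28b7675c55e64bf5a9b3318f286e4963ff72470a311c2e18f42ff": "airmond (Go infostealer, CryptoBot)",
    "432c720a9ada40785d77cd7e5798de8d43793f6da31c5e7b3b22ee0a451bb249": "keyboardd (Obj-C keylogger/screen recorder, XScreen)",
    "1ddef717bf82e61bf79b24570ab68bf899f420a62ebd4715c2ae0c036da5ce05": "zoom_sdk_support.scpt (initial-access AppleScript)",
}

# Domains named in the article, kept defanged exactly as the article prints them.
DOMAIN_IOCS_DEFANGED = ["support[.]us05web-zoom[.]biz", "productnews[.]online", "firstfromsep[.]online"]


def refang(indicator: str) -> str:
    """Undo the usual defanging so an indicator can be compared with log data."""
    return indicator.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


DOMAIN_IOCS = {refang(d) for d in DOMAIN_IOCS_DEFANGED}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_files(paths: Iterable, iocs: Dict[str, str] = FILE_IOCS) -> List[Tuple[str, str, str]]:
    """Return (path, digest, note) for every regular file whose SHA256 is in the table."""
    hits = []
    for p in map(Path, paths):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in iocs:
            hits.append((str(p), digest, iocs[digest]))
    return hits


def matching_ioc_domain(host: str, iocs=DOMAIN_IOCS) -> Optional[str]:
    """Match a hostname exactly or as a subdomain of an indicator domain."""
    h = host.strip().lower().rstrip(".")
    for d in iocs:
        if h == d or h.endswith("." + d):
            return d
    return None


def match_hosts(hosts: Iterable[str], iocs=DOMAIN_IOCS) -> List[Tuple[str, str]]:
    """Return (observed host, matched indicator) pairs from a list of hostnames."""
    hits = []
    for h in hosts:
        d = matching_ioc_domain(h, iocs)
        if d:
            hits.append((h, d))
    return hits


def demo() -> dict:
    """Constructed end-to-end run: two temp files plus a hostname list from a made-up DNS log."""
    with tempfile.TemporaryDirectory() as d:
        benign = Path(d) / "notes.txt"
        benign.write_bytes(b"meeting notes")
        stand_in = Path(d) / "zoom_sdk_support.scpt"
        stand_in.write_bytes(b"constructed stand-in, not the real script")
        # Add the stand-in's own digest so the sweep has a positive case (constructed entry).
        iocs = dict(FILE_IOCS, **{sha256_bytes(stand_in.read_bytes()): "constructed stand-in"})
        file_hits = match_files([benign, stand_in], iocs)
    hosts = ["us05web.zoom.us", "cdn.productnews.online", "support.us05web-zoom.biz.", "github.com"]
    return {"file_hits": file_hits, "host_hits": match_hosts(hosts)}


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches these exact builds, so a sweep that comes up empty is not a clean bill of health; the domain match and the LaunchDaemon heuristic are the broader signals, and the legitimate Zoom hostname in the demo list is there to show that the lookalike domain, not the real us05web.zoom.us, is what the table flags.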