According to an Ottawa-based security provider, North Korean hackers were behind a Zoom-themed attack on an unnamed Canadian gambling provider.

Field Effect, a cybersecurity company, claimed in a blog post that BlueNoroff, a North Korean threat actor, carried out the attack as part of a wider Zoom-themed campaign traced back to at least March of the current year.
On the morning of May 28, the security provider explained that employees of the gambling firm had scheduled a Zoom meeting on crypto-related matters with a contact they had recently worked with.
The gambling firm employees complained of a variety of audio issues, as well as pop-up warnings during the call. The contact prompted the victim to run a Zoom audio repair tool.
However, the person on the other end of the call was a hacker impersonating a known contact.
The tool's installer began by downloading benign software that used legitimate Zoom components and permissible domains.
However, Field Effect explained that a closer examination of the script revealed an estimated 10,000 blank lines, followed by a command to download and execute an initial malware script.
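The blank-line padding described above pushes the real command far below what a reviewer sees when opening the script. The following is an added example, not Field Effect's tooling or code from the original report: a small Python check that flags long runs of blank lines followed by content. The threshold of 100 lines, the function name and the sample script are assumptions constructed for illustration.

```python
from typing import List, NamedTuple


class PaddedRegion(NamedTuple):
    first_blank_line: int  # 1-based line number where the blank run starts
    blank_count: int       # number of consecutive blank or whitespace-only lines
    hidden_line_no: int    # 1-based line number of the first line after the run
    hidden_text: str       # content of that line, for analyst review


def find_padded_regions(script: str, min_blank_run: int = 100) -> List[PaddedRegion]:
    """Return every run of >= min_blank_run blank lines that is followed by content."""
    findings: List[PaddedRegion] = []
    run_start, run_len = 0, 0
    for no, line in enumerate(script.splitlines(), start=1):
        if line.strip() == "":          # whitespace-only lines count as padding too
            if run_len == 0:
                run_start = no
            run_len += 1
            continue
        if run_len >= min_blank_run:    # content found right after a long blank run
            findings.append(PaddedRegion(run_start, run_len, no, line.strip()))
        run_len = 0
    return findings


# Constructed sample: two visible lines, 10,000 blank lines, then a placeholder
# standing in for the hidden command (no real command or URL is reproduced).
SAMPLE = "\n".join(
    ["# Zoom audio repair (constructed sample)", "echo 'checking audio devices'"]
    + [""] * 10000
    + ["echo 'constructed placeholder for the hidden command'"]
)
CLEAN = "echo one\n\n\necho two\n"

if __name__ == "__main__":
    for f in find_padded_regions(SAMPLE):
        print(f"{f.blank_count} blank lines from line {f.first_blank_line}; "
              f"hidden content at line {f.hidden_line_no}: {f.hidden_text}")
```

A check like this fits a mail gateway, download scanner or help-desk triage step, where any script a user is asked to run can be inspected before execution.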
Eventually, the gambling firm employees were redirected to a Zoom-themed domain that is not connected with the official Zoom platform.
Once installed, the malware allegedly let the hackers collect sensitive information from the gambling firm's networks.
This included keychain files and web browser profile data such as login data, cookies, history, and extension settings.
The hackers’ historical activity and post-exploitation behavior suggest they were targeting crypto, other assets, harvestable credentials, and enterprise data.
The campaign employs a combination of social engineering methods and layered persistence.
The security company said there was a strong likelihood that the hackers wanted to steal coins from the linked crypto wallets of the gambling firm.
Field Effect claims that BlueNoroff is a financially motivated subgroup of the Lazarus Group, which is state-sponsored by North Korea.