(Credit: 10'000 Hours via Getty Images)
To spread macOS malware, a notorious North Korean hacking group used AI deepfakes to impersonate executives during a video call with their target: an unsuspecting employee.
Cybersecurity vendor Huntress reported the incident on Wednesday, and has linked the attack to "BlueNoroff," a unit of Lazarus, North Korea’s state-sponsored hacking group.
The North Koreans targeted an employee at an unnamed "cryptocurrency foundation," Huntress wrote in a blog post. To do so, the hackers reached out to the employee through the mobile chat app, Telegram. “The message requested time to speak to the employee, and the attacker sent a Calendly link to set up meeting time,” according to Huntress’s investigators.
The Calendly link was designed to redirect the employee to a fake Zoom domain that the North Koreans controlled, giving them a way to orchestrate the AI-powered deepfakes. “Several weeks later, when the employee joined what ended up being a group Zoom meeting, it contained several deepfakes of known senior leadership within their company, along with external contacts,” Huntress’s report says.
“During the meeting, the employee was unable to use their microphone, and the deepfakes told them that there was a Zoom extension they needed to download,” Huntress noted. But in reality, the purported Zoom extension was actually macOS malware hosted over a lookalike, but fake domain at https[://]support[.]us05web-zoom[.]biz.
(Credit: Ilkaydede via Getty Images)The elaborate ruse was likely an effort to steal cryptocurrency, which Lazarus has become known for. The US estimates North Korean hackers stole at least $659 million in cryptocurrency last year.
The malware can target Macs running Apple’s Arm-based chips. In the report, Huntress noted the attack will check if the Mac has Rosetta 2 installed to run x86 programs; if not, the attack will silently install it.
Huntress discovered the malware last week after responding to a call from a company partner about a macOS infection sourced to a malicious Zoom extension. "By the end of our investigation, we recovered 8 different malicious binaries from the victim host,” the cybersecurity vendor said. Together, these binaries were able to backdoor the Mac, and enable the hacker to log keystrokes, conduct screen recording and collect cryptocurrency-related files, among other capabilities.
The incident underscores the lengths North Korean hackers will go to attack targets, especially in the cryptocurrency industry. Huntress noted that remote workers are "often ideal targets." Users on macOS should also be on guard.
“Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” the cybersecurity vendor added.