Malicious Hackers Targeting People in the Cryptocurrency Space Using Calendar Links

Malicious hackers target cryptocurrency users with sneaky tactics, underscoring the need for caution online, especially in high-risk sectors like cryptocurrency

In a recent development in the cryptocurrency space, according to a report, malicious hackers have been targeting individuals with a sneaky tactic that begins with a link being added to the victim's calendar on Calendly, a widely used application for scheduling appointments and meetings. The attackers, posing as established cryptocurrency investors, reach out to their targets and propose a video conference call. However, upon clicking the meeting link provided by these scammers, users unknowingly trigger a script that discreetly installs malware on macOS systems.

A startup seeking investment to develop a new blockchain platform for the Web found itself entangled in this elaborate scam. An individual working at the startup, who will be referred to as Doug for the sake of simplicity, was contacted via Telegram by someone claiming to be Ian Lee from Signum Capital, a reputable investment firm based in Singapore. The imposter expressed interest in financially supporting Doug's venture and proposed a video call to discuss potential investment opportunities. Eager to explore this potential investment, Doug shared his Calendly profile for scheduling the meeting.

When the scheduled meeting time arrived, Doug clicked on the meeting link in his calendar, only to find that nothing happened. Subsequently, the imposter on Telegram informed Doug of a technical issue with the video platform and provided an alternative meeting link. Despite Doug's attempts to join the video call, he encountered continuous technical difficulties. Eventually Doug ran a script as instructed, but the videoconference application still failed to launch. The imposter apologised for the inconvenience and suggested rescheduling the meeting, but ceased all communication with Doug thereafter.

Days later, Doug realised that he might have fallen victim to a malware attack during the missed meeting. Upon revisiting the Telegram conversation, he discovered that the imposter had deleted the meeting link and other incriminating evidence from their chat history. The script Doug ran was identified as a simple AppleScript that downloaded and executed a malicious trojan specifically designed to target macOS systems. As a precautionary measure, Doug took steps to secure his data by backing up important documents, changing passwords, and reinstalling macOS on his computer. Unfortunately, this response eliminated any traces of the malware that had been pushed to his Mac.

Although the online host serving the malicious link is now offline, Doug retained a copy of the malevolent script downloaded during the encounter. Further investigation revealed that similar phishing attacks on Telegram were reported by a cryptocurrency security firm, SlowMist, involving North Korean state-sponsored hackers. These hackers utilised the 'Add Custom Link' feature on Calendly event pages to insert malicious links and execute phishing attacks on unsuspecting victims.

The malware distributed by the malicious link was attributed to a North Korean hacking group known as BlueNoroff, identified as a subgroup of the infamous Lazarus hacking group. BlueNoroff primarily targets financial institutions, cryptocurrency businesses, and other entities to steal funds for illicit purposes. The North Korean regime has a history of using stolen cryptocurrencies to finance its military and state projects, with reports estimating that the Lazarus Group alone has purloined around $3 billion in cryptocurrency over the past six years.

While macOS systems are traditionally less susceptible to malware than Microsoft Windows PCs, the incidence of information-stealing trojans targeting macOS users is on the rise. Despite the presence of XProtect, Apple's built-in antivirus technology, experts caution that attackers are continually adapting their malware to evade detection. Recent updates to the XProtect signature database indicate Apple's awareness of the issue, yet attackers have managed to circumvent known signatures, posing a persistent threat to macOS users.

Chris Ueland from highlighted that the fake meeting website Doug visited was associated with approximately 75 different domain names, many of which referenced videoconferencing or cryptocurrency. These domains suggest that the North Korean hacking group operates under various guises, concealing their activities behind seemingly legitimate crypto firms.
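The two points above, custom links injected into Calendly event pages and a cluster of domains named after videoconferencing brands, suggest a simple defender-side check. The following added example (not code from the report, Calendly, or any firm named here) parses a calendar invite and flags meeting links whose host is not an exact, allowlisted conferencing provider, separating brand lookalikes from merely unknown hosts; the allowlist, keyword list and sample invite are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: exact hosts (or registrable domains) a meeting link may use.
ALLOWED_MEETING_HOSTS = {"zoom.us", "meet.google.com", "teams.microsoft.com"}
# Brand words a lookalike domain is likely to borrow (assumed list).
LOOKALIKE_KEYWORDS = ("zoom", "meet", "teams", "webex", "video", "conference")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample invite: a real conferencing link plus a "backup" lookalike link.
SAMPLE_INVITE = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Investor intro call (constructed sample)
LOCATION:https://us04web.zoom.us/j/123456789
DESCRIPTION:Having trouble? Use the backup link: https://zoom-meeting
 -connect.example/launch\\nThanks
END:VEVENT
END:VCALENDAR"""

def unfold_ics(text):
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)

def registrable_host(host):
    """Crude registrable-domain guess (last two labels); adequate for the allowlist here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def classify_link(url):
    """'allowed' for an allowlisted provider, 'lookalike' if the host borrows a brand word."""
    host = (urlparse(url).hostname or "").lower()
    if host in ALLOWED_MEETING_HOSTS or registrable_host(host) in ALLOWED_MEETING_HOSTS:
        return "allowed"
    if any(word in host for word in LOOKALIKE_KEYWORDS):
        return "lookalike"
    return "unknown"

def audit_invite(ics_text):
    """Return (url, verdict) for each URL found in URL, LOCATION or DESCRIPTION fields."""
    findings = []
    for line in unfold_ics(ics_text).splitlines():
        name = line.split(":", 1)[0].split(";", 1)[0].upper()
        if name not in ("URL", "LOCATION", "DESCRIPTION", "X-ALT-DESC"):
            continue
        for url in URL_RE.findall(line):
            # Drop ICS escape sequences (\n, \, ...) glued to the end of a URL.
            findings.append((url.split("\\")[0], classify_link(url.split("\\")[0])))
    return findings

if __name__ == "__main__":
    for url, verdict in audit_invite(SAMPLE_INVITE):
        print(f"{verdict:9s} {url}")
```

Any verdict other than "allowed" is a reason to confirm the link with the counterpart through a channel the attacker did not choose, which is exactly the cross-referencing step the article recommends.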

The surge in new Mac malware serves as a stark reminder that users should not solely rely on security software to detect malicious files, as these threats are often disguised as legitimate software or bundled with authentic applications. Following a fundamental rule of safety—only install software that you actively sought out—can significantly reduce the risk of falling victim to malware attacks. It is imperative to download software from verified sources and promptly apply any security updates to safeguard against potential vulnerabilities.

In light of this incident, it is advisable to exercise caution when interacting with unknown contacts, especially in the cryptocurrency space where malicious actors frequently target unsuspecting individuals. Verifying the authenticity of new contacts and cross-referencing information from multiple sources can help prevent falling prey to sophisticated phishing schemes. Vigilance and scepticism are key in navigating the treacherous waters of online interactions, particularly in high-risk environments like the cryptocurrency industry.

As the threat landscape continues to evolve, individuals and organisations must remain vigilant and proactive in mitigating potential risks associated with cyber threats. By staying informed, adopting best practices for online security, and exercising discretion in digital interactions, users can fortify their defences against malicious actors seeking to exploit vulnerabilities for financial gain. The incident involving Doug underscores the importance of maintaining a sceptical mindset and verifying the legitimacy of online communications to safeguard against cyber threats in an increasingly interconnected digital world.