lazarusholic

BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector

2026-04-27, ArcticWolf
https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/
#BlueNoroff #ClickFix #Fileless

Executive Summary
Arctic Wolf has identified a targeted intrusion against a North American Web3/cryptocurrency company, which we attribute with high confidence to BlueNoroff, a financially motivated subgroup of DPRK's Lazarus Group.
Arctic Wolf observed an active intrusion in which the threat actor impersonated a reputable figure in the Fintech legal space and used spear-phishing to deliver a manipulated Calendly calendar invite containing a typo-squatted Zoom link. Upon clicking the link, the victim was presented with a fake Zoom meeting interface that covertly exfiltrated their live camera feed for use as a lure in future attacks, while simultaneously deploying a ClickFix-style clipboard injection attack. A multi-stage credential extraction pipeline then harvested information from the victim's device and browsers, focusing on cryptocurrency wallet extensions.
In this report, we present an end-to-end analysis of the full attack lifecycle used in this campaign, from initial social engineering through to post-exploitation activity. We take a deep dive …

IoC