BlueNoroff's latest campaigns: GhostCall and GhostHire
Introduction
Primarily focused on financial gain since it first appeared, BlueNoroff (also known as Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire.
GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector. The attackers approach targets directly via platforms such as Telegram and invite them to investment-related meetings hosted on Zoom-lookalike phishing websites. The victim joins a fake call in which the other participants are genuine recordings of the threat actor's earlier victims rather than deepfakes. The call proceeds smoothly until the victim is prompted to update the Zoom client by running a script. Eventually, the script downloads ZIP files that …
IoC