
North Korea’s “Prospect Call” Trap: Lazarus Turns Teams Meetings into macOS Credential Theft

2026-01-29, Daylight
https://daylight.ai/blog/prospect-call-microsoft-teams-meetings
#BlueNoroff #GhostCall

This article analyzes a real-world intrusion observed by Daylight Security involving real-time, interactive social engineering against macOS users. The activity was attributed to BlueNoroff, a subgroup of the North Korean state actor Lazarus Group, but the techniques described are broadly applicable beyond this actor.
Executive Summary
Daylight Security investigated a targeted social-engineering intrusion aligned with BlueNoroff, a financially motivated subgroup of North Korea’s Lazarus Group. The activity was initially surfaced through endpoint behavioral alerts and ultimately revealed a hands-on-keyboard compromise that began as a “business prospect” conversation.
BlueNoroff is widely tracked for revenue-generating operations targeting crypto/Web3 and financial organizations. In this incident, the adversary initiated contact over Telegram, posed as a potential customer or partner, and escalated the interaction to a Microsoft Teams call. During the call, the attacker claimed audio issues and coached the victim into running terminal commands that …

IoC

URLs
http://23.254.130.131
http://23.254.204.184
http://microsmeet.xyz
http://bluyy.com
https://microsmeet.xyz/
http://supportzm.com
http://teams.microscall.com

IP addresses
23.254.130.131
23.254.204.184

File hashes
75a82b9a2e7cfa0002fbbd1dbcb0bfaf5f6333169fd53507f7119593b9c4482e
b302be4f9c515eb68d3e8b1ad8388d45b788eca34e7d53726d05c310a8f66af7
e3ed631addd7242e8c1f6faa90087742ff5b442e734132d2fe2594d65659eafd
de664ae9a35ec7f156962df168d876c01c0262fb91486fc25c27859aa9bfe206
ede7f3ece611ba6c1ac4a02cf6a618b4ebd7eec6d9426b2baab3b5e26246e275
18ec3c93e076e16447aee6fa390a44d3cb03e7f46e8466535ee76ed2041a88e5