Fake Zoom meeting invitations used as lure
The recent attack campaigns against crypto and Web3 companies started in April and were previously documented by Huntabil.IT and Huntress, who attributed the attacks to a North Korean subgroup that dates back to at least 2017 and is tracked in the security industry under different names: TA444, BlueNoroff, Sapphire Sleet, Copernicium, Stardust Chollima, or CageyChameleon.
The victims received messages on Telegram from impersonated contacts they knew and trusted, who invited them to schedule a meeting via Calendly, an appointment scheduling service. Subsequently they received a fake email with an invitation to a Zoom meeting, as well as instructions to run a “Zoom SDK update script.”
This script, called zoom_sdk_support.scpt, is written in AppleScript, a language developed by Apple for controlling macOS applications. This first-stage script is padded with 10,000 lines of white space to make it hard to read the malicious code, but its purpose is to download a second-stage script from another attacker-controlled domain that contains the word zoom. This second-stage script downloads an HTML script that redirects the user to a real Zoom meeting link as a distraction from the attack chain executing in the background.
