North Korea's BlueNoroff Uses AI Deepfakes for Mac Malware Scam
North Korea’s BlueNoroff Uses AI Deepfakes for Mac Malware
In a sophisticated new campaign, North Korea's BlueNoroff is employing AI-generated video calls to trick executives into installing malware on their Mac systems. This targeted attack specifically aims at cryptocurrency firms, delivering a custom-built malware suite.
Image courtesy of CSO Online
Attack Methodology
BlueNoroff is utilizing deep fakes of company leadership to persuade employees to download fake Zoom extensions, which then install a suite of macOS malware. According to Huntress, the intrusion was reported by a cryptocurrency foundation after an employee installed a suspicious Zoom extension. Initial access to the victim’s system was achieved through a Telegram message that contained a seemingly harmless meeting request.
The victim received a Google Meet invite that redirected them to a fake Zoom site controlled by the attackers. During the meeting, AI-generated deep fakes of their bosses instructed the employee to install a ‘Zoom extension’ to resolve a microphone issue.
Randolph Barr, CISO at Cequence, noted, “This attack is a powerful example of how threat actors are evolving.” The use of AI-generated deepfakes combined with personalized social engineering represents a significant shift in cyberattack sophistication.
Malware Characteristics
The malware delivered includes a variety of macOS threats, such as info-stealers, keyloggers, and backdoors. Key features of the malware include:
- Advanced Tradecraft: Techniques like clipboard monitoring and sleep-aware command execution were observed.
- Distinct Binaries: Huntress identified eight malicious binaries, including:
- Telegram 2: A Nim-based binary acting as the primary backdoor.
- Root Troy V4: A fully-featured Go backdoor for executing payloads.
- InjectWithDyId: A C++ loader capable of process injection, utilizing AES-CFB for payload decryption.
- XScreen: A keylogger for monitoring keystrokes and clipboard data.
- CryptoBot: A stealer targeting cryptocurrency data.
Each implant was cleverly disguised to avoid detection and was signed to appear legitimate.
Defense Recommendations
To mitigate the risk posed by such sophisticated threats, Barr recommends employing robust technical solutions. Utilizing Mobile Device Management (MDM) platforms can enforce strict access controls, while Endpoint Detection and Response (EDR) solutions provide real-time visibility into endpoint activities.
“Layered defenses that combine user training with strong endpoint controls, policy enforcement, and behavioral analytics are not optional — they’re essential,” Barr emphasized.
Ongoing Threat Landscape
BlueNoroff is a subgroup of the Lazarus Group, known for targeting cryptocurrencies since at least 2017. The group's history includes orchestrating financial crimes and leveraging social engineering tactics to gain access to sensitive information.
In particular, the campaign mirrors previous tactics used in the "Contagious Interviews" scheme, where attackers posed as recruiters to deliver malware-laden files as part of fake job assessments. This evolution in attack methods continues to pose significant risks to organizations, especially those in high-stakes financial sectors.
For further insights, refer to the assessments by DTEX on North Korea's cyber structure and the evolution of their threat groups.