- Cybercriminals are inviting victims to talk to “journalists”
- On the Zoom call, they’re asked to grant permissions for remote access
- Those that grant the permissions lose their crypto
Hackers are abusing Zoom’s remote desktop feature to steal people’s cryptocurrency, experts have warned.
Cybersecurity researchers Trail of Bits claim to have seen the attack in the wild, focusing on “high-value targets,” people who the media would often contact for comments and discussion on everyday events. The attackers would reach out via social media (X, for example), and send them a Zoom invite via Calendly, pretending to be Bloomberg journalists.
On Zoom, the attackers would join with an account named “Zoom”, and request remote control over the victim’s account. The victims would see a popup saying “Zoom is requesting remote control of your screen” which, for those used to granting permissions without thinking twice, might seem like a legitimate request from a legitimate app.
Elusive Comet
“What makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom notifications,” Trail of Bits said.
“Users habituated to clicking “Approve” on Zoom prompts may grant complete control of their computer without realizing the implications.”
Once the access is granted, the attackers would move fast, deploy a stealthy backdoor or other means of retaining access, and then disconnect from the call.
The last step is to use the malware to access the victim’s cryptocurrency wallets and siphon out any funds found inside.
The researchers named the group “Elusive Comet” and said the methodology is most likely copied from Lazarus, the infamous North Korean state-sponsored entity that targets crypto businesses.
“The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities,” Trail of Bits said in its report.
To mitigate the risk, it would be best not to grant people or apps remote access, unless you’re 100% certain the person is benign.
Via BleepingComputer
