
"According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff, which is also known as APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima."
"The victim would join a fake call with genuine recordings of this threat's other actual victims rather than deepfakes. The call proceeds smoothly and then encourages the user to update the Zoom client with a script. Eventually, the script downloads ZIP files that result in infection chains deployed on an infected host."
"GhostHire involves approaching prospective targets, such as Web3 developers, on Telegram and luring them into downloading and executing a booby-trapped GitHub repository under the pretext of completing a skill assessment within 30 minutes of sharing the link, so as to ensure a higher success rate of infection. Once installed, the project is designed to download a malicious payload onto the developer's system based on the operating system used."
The campaigns are part of an overarching SnatchCrypto operation active since at least 2017 and are attributed to BlueNoroff, a Lazarus Group sub-cluster tracked under multiple aliases. GhostCall targets the macOS devices of executives and venture capital personnel: targets are contacted on Telegram, invited to Zoom-like phishing meetings where genuine recordings of other victims are played, and then persuaded to run an "update" script that unpacks ZIP files and deploys the infection chain. GhostHire targets Web3 developers with booby-trapped GitHub repositories presented as timed skill assessments; once run, the project downloads a malicious payload matched to the developer's operating system. Victims span Asia, Europe, and Australia, with Japan and Australia singled out as major hunting grounds for GhostHire.
Read at The Hacker News