Calendar Meeting Links Used to Spread Mac Malware – Krebs on Security

Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at Calendly, a popular application for scheduling appointments and meetings. The attackers pretend to be established cryptocurrency investors and ask to schedule a video conference call. But clicking on the meeting link provided by the scammers prompts the user to run a script that silently installs malware on macOS systems.

KrebsOnSecurity recently heard from a reader who works at a startup that is looking for investment to build a new blockchain platform for the Web. The reader spoke on the condition that their name not be used in this story, so for simplicity’s sake we’ll call him Doug.

Being in the cryptocurrency scene, Doug is also active on the instant messenger platform Telegram. Earlier this month, Doug was approached on Telegram by someone whose profile name, image and description said they were Ian Lee from Signum Capital, a well-established investment company based in Singapore. The profile also linked to the Twitter/X account of Mr. Lee, which shows the same profile picture.

The investor expressed interest in financially supporting Doug’s startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, here’s my Calendly profile, book a time and we’ll do it.

When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked on the meeting link in his calendar, but nothing happened. Doug immediately messaged Mr. Lee’s account on Telegram, which replied that there was some kind of technical issue with the video platform, and that their IT people had suggested using a different meeting link.

Doug clicked on the new link, but instead of opening a videoconference app, a message appeared on his Mac saying that the video service was experiencing technical difficulties.

“Some of our users are facing issues with our service,” the message read. “We are actively working to fix these problems. Please see this script as a temporary solution.”

Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldn’t start. Mr. Lee apologized and said they should reschedule their meeting, but he never responded to any of Doug’s follow-up messages.

It didn’t dawn on Doug until several days later that the missed meeting with Mr. Lee might have been a malware attack. Returning to his Telegram client to revisit the conversation, Doug discovered that his potential investor had deleted the meeting link and other bits of the conversation from their shared chat history.

In a post on its Twitter/X account last month, Signum Capital warned that a fake profile pretending to be its employee Mr. Lee was trying to scam people on Telegram.

The file Doug ran was a simple AppleScript (file extension “.scpt”) that downloaded and executed a malicious trojan designed to run on macOS systems. Unfortunately for us, Doug acted quickly after deciding he had been tricked: he backed up his important documents, changed his passwords, and then reinstalled macOS on his computer. While this was a perfectly good response, it means we don’t have the actual malware that was pushed onto his Mac via the script.

But Doug still had a copy of the malicious script that was downloaded when he clicked the meeting link (the online host serving that link is now offline). A Google search for a string of text from that script turned up a December 2023 blog post from the cryptocurrency security company SlowMist about phishing attacks on Telegram by state-sponsored hackers in North Korea.

“When the project team clicks on the link, they encounter a regional access restriction,” SlowMist wrote. “At this point, North Korean hackers encourage the team to download and run a ‘location change’ malicious script. Once the team completes the project, their computer will be controlled by hackers, which leads to the theft of funds.”

Image: SlowMist.

SlowMist said the North Korean phishing scam used the “Add Custom Link” feature of the Calendly meeting-scheduling system on event pages to insert malicious links and launch phishing attacks.

“Because Calendly integrates well with the daily work routines of most project teams, these malicious links don’t easily raise suspicion,” the blog post explained. “Therefore, project teams may inadvertently click on these malicious links, download, and execute malicious code.”

SlowMist said the malware downloaded from the malicious link in their case came from a North Korean hacking group called “BlueNoroff,” which Kaspersky Labs says is a subgroup of the Lazarus hacking group.

“A financially motivated threat actor closely connected to Lazarus targeting banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.

The North Korean regime is known to use stolen cryptocurrencies to fund its military and other state projects. A new report from Recorded Future found that the Lazarus Group stole approximately $3 billion in cryptocurrency over the past six years.

While there is far more malware targeting Microsoft Windows PCs today, the prevalence of information-stealing trojans targeting macOS users is growing at a steady clip. macOS computers include XProtect, Apple’s built-in antivirus technology. But experts say attackers often change the look and behavior of their malware to evade XProtect.

“Recent updates to the XProtect signature database on macOS show that Apple is aware of the problem, but early 2024 has already seen many stealer families evade known signatures,” the security firm SentinelOne wrote in January.

According to the threat hunting platform hunt.io, the Internet address of the fake meeting website Doug was tricked into visiting (104.168.163[.]149) hosts or recently hosted about 75 different domain names, most of which invoke words relating to videoconferencing or cryptocurrency. The domains show that this North Korean hacking group is hiding behind several fake crypto companies, such as the six-month-old website for Cryptowave Capital (cryptowave(.)capital).
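Added here as an illustration of the pattern SlowMist and hunt.io describe above (custom meeting links pointing at keyword-laden lookalike domains), not code from the article: a small Python check that pulls the links out of a calendar invite and flags any host that is not a known meeting service. The allowlist, the lure-word list and the sample invite are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of meeting hosts (subdomains included); adapt to your org.
TRUSTED_MEETING_HOSTS = {"zoom.us", "meet.google.com", "teams.microsoft.com",
                         "calendly.com"}
# Words the fake-meeting domains described in the article were built around.
LURE_WORDS = ("meet", "call", "video", "conference", "zoom", "crypto", "capital")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_is_trusted(host: str) -> bool:
    """True if host equals, or is a subdomain of, a trusted meeting host."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_MEETING_HOSTS)


def classify_link(url: str) -> str:
    """'trusted', 'lookalike' (unknown host borrowing meeting/crypto words) or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if host_is_trusted(host):
        return "trusted"
    return "lookalike" if any(w in host for w in LURE_WORDS) else "unknown"


def extract_links(ics_text: str) -> list:
    """Collect http(s) URLs from the URL, LOCATION and DESCRIPTION properties."""
    # iCalendar folds long lines as CRLF + one space; unfold so URLs stay whole.
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    links = []
    for line in unfolded.splitlines():
        prop = line.split(":", 1)[0].split(";", 1)[0].upper()
        if prop in ("URL", "LOCATION", "DESCRIPTION"):
            links.extend(URL_RE.findall(line))
    return links


def suspicious_links(ics_text: str) -> list:
    """(url, verdict) for every meeting link that is not on the trusted list."""
    return [(u, v) for u in extract_links(ics_text)
            if (v := classify_link(u)) != "trusted"]


# Constructed invite: a real-looking Zoom link plus a folded "backup" link on an unfamiliar host.
SAMPLE_ICS = ("BEGIN:VEVENT\r\n"
              "SUMMARY:Investor intro\r\n"
              "URL:https://us02web.zoom.us/j/000000000\r\n"
              "DESCRIPTION:Backup link if the call fails: https://crypto-meet-call\r\n"
              " .example/join?id=42\r\n"
              "END:VEVENT\r\n")

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_ICS):
        print(f"{verdict:10} {url}")
```

A "lookalike" verdict is a prompt to verify the invite out of band with the real contact, not proof of malice; the allowlist is what keeps a genuine subdomain such as a regional Zoom host from being flagged.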

The increasing frequency of new Mac malware is a good reminder that Mac users should not rely on security software and tools to flag malicious files, which are often bundled with or disguised as legitimate software.

As KrebsOnSecurity has been advising Windows users for years, a good safety rule to follow is this: If you didn’t go looking for it, don’t install it. Following this mantra neutralizes a great many malware attacks, regardless of the platform used. If you do decide to install a piece of software, make sure you download it from the original source, and then keep it up to date with any new security fixes.

Lastly, I have found it a good idea not to wait until the last minute to prepare my system before joining a scheduled videoconference call. Even when the call uses software already on my computer, it’s often the case that software updates are required before the program can be used, and I’m one of those weird people who likes to review any changes to the software maker’s privacy policies or user agreements before choosing to install updates.

Above all, verify new contacts from strangers before accepting anything from them. In this case, if Doug had simply messaged the real account of Mr. Lee on Twitter/X or contacted Signum Capital directly, he would have discovered that the real Mr. Lee never asked for a meeting.

If you’ve been approached with a similar scheme, the response from the would-be victim documented in the SlowMist blog post is probably the best.

Image: SlowMist.
