Elusive Comet group exploits a Zoom feature for crypto theft

May 29, 2025

A hacking group named ‘Elusive Comet’ targets cryptocurrency users through social engineering tactics that utilise Zoom’s remote-control functionality to trick users into granting access to their computers.

The video-conferencing platform’s remote-control feature allows one meeting participant to control another participant’s device.

Researchers who identified this social engineering campaign stated that the attackers employ techniques reminiscent of those the Lazarus hacking group used in the significant $1.5 billion Bybit crypto heist.

The Elusive Comet group tried this tactic on a CEO.

The Elusive Comet attackers attempted to execute a social engineering attack on Trail of Bits’ CEO via direct messages on X.

The attack allegedly starts with an invitation to a “Bloomberg Crypto” interview via Zoom, delivered to high-value targets through fake accounts on X or via email.

The fraudulent accounts pose as cryptocurrency journalists or Bloomberg representatives, reaching out to targets through direct messages on social media. Moreover, the invitations include authentic Calendly links to book a Zoom meeting.

Since both Calendly and Zoom links are legitimate, they serve their purpose and minimise the target’s suspicion.

During the Zoom meeting, the threat actors begin a screen-sharing session and request remote control from the target.

At this point, the attackers change their Zoom display name to “Zoom,” which alters the prompt the victim sees to read “Zoom is requesting remote control of your screen,” making the request appear from the application itself.

However, granting this request gives the attackers complete remote input control over the victim’s system, allowing them to steal sensitive information, install malware, access files, or initiate crypto transactions.

The attacker might act quickly to embed a covert backdoor for future exploitation and then disconnect, leaving victims unaware of the breach. Researchers warn that this attack is concerning since the permission dialogue resembles other harmless Zoom notifications.

Users accustomed to clicking “Approve” on Zoom prompts may hand over total control of their computer without realising the risk.

To protect against this threat, organisations should deploy system-wide Privacy Preferences Policy Control (PPPC) profiles that restrict which applications may be granted Accessibility permission on macOS; such profiles are delivered through device management tooling.

It is also advisable to completely remove Zoom from all systems in security-sensitive environments and organisations managing valuable digital assets.
