A routine business call turned into a macOS compromise after North Korean state-sponsored hackers lured a cryptocurrency-sector professional from messaging apps into a Microsoft Teams meeting and tricked them into running terminal commands under the pretense of fixing audio. Daylight Security links the campaign to BlueNoroff's GhostCall operation, which installs a masqueraded payload at /Library/Caches/com.apple.sys.receipt, uses ad-hoc signing and living-off-the-land techniques, and copies the user's Keychain for credential theft. #BlueNoroff #GhostCall
Key points
- Attackers initiate contact on platforms like Telegram and move victims to Microsoft Teams video calls.
- They feign audio problems to coerce victims into pasting malicious terminal commands.
- The payload is downloaded to /Library/Caches/com.apple.sys.receipt, made executable, and ad-hoc signed to evade detection.
- Operators rely on built-in macOS tools and a hidden iCloud-synced component for evasion and persistence.
- The primary objective is credential theft, specifically copying the user's Keychain database.
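The key points above name three host-level indicators a responder can check for: an executable dropped at /Library/Caches/com.apple.sys.receipt, an ad-hoc code signature on it, and a copied Keychain database. The script below is an added triage example written for this page; it is not Daylight Security's code and not part of the original report. It assumes the standard macOS login Keychain file name (login.keychain-db under ~/Library/Keychains), treats any copy of that file outside its normal directory as a heuristic hit, and parses `codesign -dv --verbose=4` output (which prints `Signature=adhoc` for ad-hoc signed binaries) rather than requiring the tool to be present, so the logic can be exercised on a non-macOS box against a constructed fixture.

```python
# Added host-triage example for the GhostCall indicators summarised above.
# Not the page's or Daylight Security's code; assumptions are marked in comments.
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path

PAYLOAD_PATH = "/Library/Caches/com.apple.sys.receipt"   # path named on the page
KEYCHAIN_FILE = "login.keychain-db"                       # standard macOS login keychain file name
KEYCHAIN_DIR = os.path.expanduser("~/Library/Keychains")  # where that file normally lives


def is_executable_file(path: str) -> bool:
    """True if `path` is a regular file with any execute bit set (the chmod +x step)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def is_adhoc_signed(codesign_text: str) -> bool:
    """Parse `codesign -dv --verbose=4` output. Ad-hoc signatures print 'Signature=adhoc'
    and carry no Authority= lines, because there is no certificate chain behind them."""
    lines = [ln.strip() for ln in codesign_text.splitlines()]
    has_authority = any(ln.startswith("Authority=") for ln in lines)
    return "Signature=adhoc" in lines and not has_authority


def codesign_output(path: str) -> str:
    """Run codesign on macOS; return '' where the tool is absent (e.g. a Linux analysis box)."""
    if shutil.which("codesign") is None:
        return ""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr   # codesign writes its report to stderr


def stray_keychain_copies(search_roots, keychain_dir=KEYCHAIN_DIR):
    """Find login.keychain-db files outside the normal Keychains directory.
    Assumed heuristic: a copy elsewhere is consistent with the Keychain-copy step."""
    normal = Path(keychain_dir).resolve()
    hits = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            if KEYCHAIN_FILE in files and Path(dirpath).resolve() != normal:
                hits.append(os.path.join(dirpath, KEYCHAIN_FILE))
    return sorted(hits)


def triage(payload_path=PAYLOAD_PATH, codesign_text=None, search_roots=("/tmp",),
           keychain_dir=KEYCHAIN_DIR) -> dict:
    """Combine the three checks into one findings dict."""
    present = os.path.isfile(payload_path)
    if codesign_text is None:
        codesign_text = codesign_output(payload_path) if present else ""
    copies = stray_keychain_copies(search_roots, keychain_dir)
    findings = {
        "payload_present": present,
        "payload_executable": is_executable_file(payload_path),
        "payload_adhoc_signed": is_adhoc_signed(codesign_text),
        "keychain_copies": copies,
    }
    findings["suspicious"] = present or bool(copies)
    return findings


# Constructed codesign report for an ad-hoc signed Mach-O; not captured from the real payload.
CONSTRUCTED_ADHOC_REPORT = """Executable=/Library/Caches/com.apple.sys.receipt
Identifier=com.apple.sys.receipt
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=5+2 location=embedded
Signature=adhoc
Info.plist=not bound
Sealed Resources=none
"""


def demo() -> dict:
    """Build a throwaway directory tree that mimics the described compromise and triage it."""
    root = tempfile.mkdtemp(prefix="ghostcall-demo-")
    payload = os.path.join(root, "Library", "Caches", "com.apple.sys.receipt")
    os.makedirs(os.path.dirname(payload))
    with open(payload, "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe")   # Mach-O 64-bit magic as a constructed stand-in
    os.chmod(payload, 0o755)            # mirrors the "made executable" step
    home_kc = os.path.join(root, "home", "Library", "Keychains")   # the legitimate location
    stray_kc = os.path.join(root, "tmp", "kc")                     # a copy left by the operator
    for d in (home_kc, stray_kc):
        os.makedirs(d)
        open(os.path.join(d, KEYCHAIN_FILE), "wb").close()
    findings = triage(payload_path=payload, codesign_text=CONSTRUCTED_ADHOC_REPORT,
                      search_roots=(root,), keychain_dir=home_kc)
    shutil.rmtree(root)
    return findings


if __name__ == "__main__":
    print(demo())
```

On a real Mac, call `triage()` with the defaults so it stats the actual path and runs `codesign` itself; the `demo()` fixture exists only so the parser and path checks can be exercised without a compromised host. The ad-hoc check is deliberately strict about `Authority=` lines: a binary signed with a Developer ID also prints a `Signature` line, so the absence of a certificate chain is what distinguishes the ad-hoc case.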