Researchers Expose GhostCall and GhostHire BlueNoroff's New Malware Chains

GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram, and inviting potential victims to investment-related meetings linked to Zoom-like phishing websites. The victim would join a fake call with genuine recordings of this threat’s other actual victims rather than deepfakes. The call proceeds smoothly to then encourage the user to update the Zoom client with a script. Eventually, the script downloads ZIP files that result in infection chains deployed on an infected host.

Regardless of the lure used, the AppleScript is designed to install a phony application disguised as Zoom or Microsoft Teams. It also downloads another AppleScript dubbed DownTroy that checks stored passwords associated with password management applications and installs additional malware with root privileges.

DownTroy, for its part, is engineered to drop several payloads as part of eight distinct attack chains, while also bypassing Apple’s Transparency, Consent, and Control (TCC) framework. SilentSiphon is equipped to harvest data from Apple Notes, Telegram, web browser extensions, as well as credentials from browsers and password managers, and secrets stored in configuration files related to a long list of services: GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust cargo, NET Nuget, AWS, Google Cloud, Microsoft Azure, Oracle Cloud, Akamai Linode, DigitalOcean API, Vercel, Cloudflare, Netlify, Stripe, Firebase, Twilio, CircleCI, Pulumi, HashiCorp, SSH, FTP, Sui Blockchain, Solana, NEAR Blockchain, Aptos Blockchain, Algorand, Docker, Kubernetes, and OpenAI.

Our research indicates a sustained effort by the actor to develop malware targeting both Windows and macOS systems, orchestrated through a unified command-and-control infrastructure. The use of generative AI has significantly accelerated this process, enabling more efficient malware development with reduced operational overhead. The actor’s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft. Upon gaining access, they conduct comprehensive data acquisition across a range of assets, including infrastructure, collaboration tools, note-taking applications, development environments, and communication platforms (messengers).

To read the complete article, see: The Hacker News