Zoom remote control feature abused for crypto stealing cyberattacks

Zoom's usage lives up to its name (Image credit: Shutterstock)

  • Cybercriminals are inviting victims to talk to "journalists"
  • On the Zoom call, they're asked to grant permissions for remote access
  • Those that grant the permissions lose their crypto

Hackers are abusing Zoom’s remote desktop feature to steal people’s cryptocurrency, experts have warned.

Cybersecurity researchers Trail of Bits claim to have seen the attack in the wild, focusing on “high-value targets,” people who the media would often contact for comments and discussion on everyday events. The attackers would reach out via social media (X, for example), and send them a Zoom invite via Calendly, pretending to be Bloomberg journalists.

On Zoom, the attackers would join with an account named “Zoom”, and request remote control over the victim’s account. The victims would see a popup saying “Zoom is requesting remote control of your screen” which, for those used to granting permissions without thinking twice, might seem like a legitimate request from a legitimate app.

Elusive Comet

"What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," Trail of Bits said.

"Users habituated to clicking 'Approve' on Zoom prompts may grant complete control of their computer without realizing the implications."

Once the access is granted, the attackers would move fast, deploy a stealthy backdoor or other means of retaining access, and then disconnect from the call.

The last step is to use the malware to access the victim’s cryptocurrency wallets and siphon out any funds found inside.

The researchers named the group “Elusive Comet” and said the methodology is most likely copied from Lazarus, the infamous North Korean state-sponsored entity that targets crypto businesses.

"The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities," Trail of Bits said in its report.

To mitigate the risk, it is best not to grant people or apps remote access unless you are 100% certain the person requesting it is benign.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.