Hackers Abuse Zoom Remote Control Feature for Crypto-Theft Attacks
A recent social engineering campaign by a hacking group dubbed "Elusive Comet" has been targeting cryptocurrency users, exploiting Zoom's remote control feature to trick victims into granting them access to their machines. The attack mirrors techniques used by the notorious Lazarus hacking group in the massive $1.5 billion Bybit crypto heist.
According to cybersecurity firm Trail of Bits, which encountered this social engineering campaign, the perpetrators have been using a similar approach to the one employed by the Lazarus group in the Bybit hack. "The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities," explains the Trail of Bits report.
The attack starts with an invitation to a "Bloomberg Crypto" interview via Zoom, sent to high-value targets via sock-puppet accounts on X or email. The fake accounts impersonate crypto-focused journalists or Bloomberg outlets and reach out to the targets via direct messages on social media platforms. The invitations are sent through Calendly links to schedule a Zoom meeting.
Since both Calendly and Zoom invites/links are authentic, they work as expected and lower the target's suspicions. During the Zoom call, the attacker initiates a screen-sharing session and sends a remote control request to the target. The trick employed in this stage is that the attackers rename their Zoom display name to "Zoom," so the prompt the victim sees reads "Zoom is requesting remote control of your screen," making it appear as a legitimate request from the app.
However, approving the request gives the attackers full remote input control over the victim's system, allowing them to steal sensitive data, install malware, access files, or initiate crypto transactions. The attacker may act quickly to establish persistent access by implanting a stealthy backdoor for later exploitation and disconnect, leaving victims with little chance to realize the compromise.
"What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," says Trail of Bits. "Users habituated to clicking 'Approve' on Zoom prompts may grant complete control of their computer without realizing the implications."
Defending Against This Threat
To defend against this threat, Trail of Bits suggests deploying system-wide Privacy Preferences Policy Control (PPPC) profiles that prevent Zoom from being granted Accessibility access. Trail of Bits has also made a collection of tools available to help with this.
The firm recommends removing Zoom entirely from all systems for security-critical environments and organizations that handle valuable digital assets. "For organizations handling particularly sensitive data or cryptocurrency transactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor inconvenience of using browser-based alternatives," explains Trail of Bits.
Precautions to Take
To avoid falling victim to this attack, users should be cautious when receiving Zoom invitations via Calendly links or email. They should also verify the authenticity of the invitation by checking the sender's email address and looking for any suspicious spelling mistakes or grammatical errors.
It is also essential to keep software up to date and use strong passwords to prevent unauthorized access to systems and accounts. Additionally, users should remain alert and avoid clicking on links or downloading attachments from unknown senders.
The Elusive Comet hacking group has been using a sophisticated social engineering attack to trick cryptocurrency users into granting them access to their machines via Zoom's remote control feature. To defend against this threat, organizations should deploy system-wide Privacy Preferences Policy Control (PPPC) profiles and, in security-critical environments, remove the Zoom client entirely.