The Zoom attack you didn’t see coming
Did you know that when participating in a Zoom call, you can grant permission to other participants to control your computer remotely?
While this feature may come in handy when dealing with trusted family, friends and colleagues, threat actors have started abusing it to install malware on targets’ computers.
The Zoom remote control attack
This specific tactic has been leveraged by an individual or group that The Security Alliance (SEAL) – a nonprofit dedicated to enhancing security within the cryptocurrency and decentralized finance sectors – has dubbed ELUSIVE COMET.
“ELUSIVE COMET is known to operate Aureon Capital, which purports to be a legitimate venture capital firm, as well as related entities Aureon Press and The OnChain Podcast. ELUSIVE COMET maintains a strong online presence with extensive history in order to establish and maintain legitimacy. This is accomplished by setting up polished websites and active social media profiles, as well as creating profiles which impersonate real people with notable credentials,” the organization recently explained.
The threat actor usually contacts potential victims via Twitter DMs or email and invites them to be a guest on their podcast. If they accept and join a Zoom call started by the attacker, they are at some point prompted to share their screen to present their work.
“At this point, ELUSIVE COMET will use Zoom to request control over the potential victim’s computer. If the potential victim is not paying close attention, they may accidentally grant remote access, which allows ELUSIVE COMET to install their malware to the victim’s device.”
How victims get tricked
Jake Gallen, CEO of the NFT platform Emblem Vault, was one of ELUSIVE COMET’s victims (or, possibly, the victim of another threat actor using the same tactic). He lost around $100,000 and control of some of his accounts after getting his computer compromised and, he says, he’s not the only one.
The CEO of cybersecurity research and consulting firm Trail of Bits has also been targeted, though unsuccessfully.
“Two separate Twitter accounts approached our CEO with invitations to participate in a ‘Bloomberg Crypto’ series—a scenario that immediately raised red flags,” shared the IT team at Trail of Bits.
“The attackers refused to communicate via email and directed scheduling through Calendly pages that clearly weren’t official Bloomberg properties. These operational anomalies, rather than technical indicators, revealed the attack for what it was.”
The team explains how the targets are tricked into giving the threat actor remote control of their screen: Before requesting the permission, the attacker changes their display name to “Zoom” to make the request appear as a system notification.
This would explain why Gallen says that he does “not remember clicking a button to give remote access nor saw any displays during the call that remote access was given.”
Users accustomed to approving Zoom prompts are likely to act automatically, he says. “The permission dialog doesn’t clearly communicate the security implications,” he added, and noted that victims are likely to be “focused on a professional conversation, not security analysis.”
Mitigating the risk
By default, Zoom allows users to give other participants permission to remotely control their computer. The option has to be explicitly disabled by the user, or by IT/security teams for their Zoom tenant.
The Trail of Bits IT team also thinks that “for high-security environments or organizations handling cryptocurrency, the most direct approach is to completely remove Zoom from systems.”
While you might not be ready to drop Zoom, disabling the remote control option in the Zoom settings is generally a good idea. This particular technique currently seems to be leveraged by one or a few threat actors against high-profile targets, but it will likely not be long before other attackers start trying it out.
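For IT teams that want to enforce the setting across a tenant rather than rely on each user, the following is an added example (not code from the article, Zoom, or Trail of Bits) that audits which users still allow remote control and builds the API request that turns it off. It assumes Zoom’s REST API v2 endpoints GET/PATCH /users/{userId}/settings and the in_meeting.remote_control boolean; the sample settings are constructed.

```python
# Added example: audit Zoom users for the "remote control" permission and
# build the request that disables it. Assumed: Zoom REST API v2 endpoints
# GET/PATCH /users/{userId}/settings and the in_meeting.remote_control field.
import json
import urllib.request

ZOOM_API = "https://api.zoom.us/v2"  # assumed base URL


def users_with_remote_control(user_settings):
    """Return the ids of users whose settings still allow remote control.

    user_settings maps a user id to the JSON document returned by
    GET /users/{userId}/settings. A missing key is treated as enabled,
    the conservative choice since Zoom's default is to allow remote control.
    """
    flagged = []
    for user_id, settings in user_settings.items():
        in_meeting = settings.get("in_meeting", {})
        if in_meeting.get("remote_control", True):
            flagged.append(user_id)
    return sorted(flagged)


def build_disable_request(token, user_id):
    """Build the PATCH request that disables remote control for one user."""
    body = json.dumps({"in_meeting": {"remote_control": False}}).encode()
    return urllib.request.Request(
        f"{ZOOM_API}/users/{user_id}/settings",
        data=body,
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


# Constructed sample of what the settings endpoint might return per user.
SAMPLE_SETTINGS = {
    "alice@example.com": {"in_meeting": {"remote_control": True}},
    "bob@example.com": {"in_meeting": {"remote_control": False}},
    "carol@example.com": {"in_meeting": {}},  # never changed: default applies
}

if __name__ == "__main__":
    for uid in users_with_remote_control(SAMPLE_SETTINGS):
        req = build_disable_request("<OAUTH_TOKEN>", uid)  # placeholder token
        print(f"{uid}: remote control enabled -> {req.get_method()} {req.full_url}")
        # urllib.request.urlopen(req) would apply the change with a real token.
```

Run against real output of the settings endpoint, the audit lists the accounts to fix; the PATCH body is the same for every user, so the loop can be applied tenant-wide.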
“The ELUSIVE COMET campaign represents the continuing evolution of threats targeting operational security rather than technical vulnerabilities. As we’ve entered the era of operational security failures, organizations must evolve their defensive posture to address these human-centric attack vectors,” the team concluded.