A new wave of sophisticated cyberattacks has emerged, targeting organizations through a blend of social engineering and software feature abuse.
The threat actor known as ELUSIVE COMET has been linked to millions in cryptocurrency theft, exploiting Zoom’s remote control feature to gain unauthorized access to victims’ computers during seemingly legitimate business calls.
Attack Methodology: Social Engineering Meets Software Features
ELUSIVE COMET’s attacks begin with carefully crafted social engineering. For example, the CEO of Trail of Bits was approached by Twitter accounts posing as Bloomberg Crypto producers.
The attackers avoided official communication channels, using Calendly pages that were not affiliated with Bloomberg, and insisted on scheduling via unofficial links.
The technical core of the attack leverages Zoom’s remote control feature. During a business call, the attacker requests remote control access while screen sharing.
Critically, they change their display name to “Zoom,” making the request appear as a benign system notification.
If the victim, distracted by the meeting, clicks “Approve,” the attacker gains full control of the computer, enabling them to install malware, exfiltrate sensitive data, or steal cryptocurrency.
Why the Attack Succeeds
- Legitimate Context: The attack occurs during normal business workflows.
- Interface Ambiguity: The Zoom permission dialog does not communicate the risk.
- User Habituation: Users are accustomed to approving Zoom prompts.
- Divided Attention: Victims are focused on the meeting, not security.
This approach exploits operational security weaknesses rather than traditional software vulnerabilities.
Technical Defenses: Layered Security Approach
Trail of Bits responded with a multilayered defense strategy, combining technical controls and operational policies.
Endpoint Protection
- Deployed CrowdStrike Falcon Complete with aggressive machine learning (ML) prevention settings for real-time behavioral detection.
- Enforced mandatory upgrades to the latest macOS versions to minimize attack surfaces.
Authentication Hardening
- Required hardware security keys (YubiKey) for all Google Workspace accounts, eliminating weaker authentication methods like TOTP or SMS.
- Used Google SSO for unified phishing resistance.
Password Management
- Company-wide deployment of 1Password with browser extensions that prevent autofill on suspicious domains, forcing users to consciously enter credentials on unfamiliar sites.
Communication Platform Choices
- Preferred Google Meet over Zoom due to its browser-based security model, which restricts system resource access compared to native applications.
Restrictive Application Controls
- Zoom is wrapped with additional security controls and regularly removed from systems when not needed.
- The remote control feature is specifically disabled by blocking accessibility permissions at the macOS system level.
Mitigation Tools and Scripts
| Script Name | Purpose | Execution Frequency | Target Scope |
|---|---|---|---|
| create_zoom_pppc_profile.bash | Creates system-wide PPPC profiles to block accessibility | Once per computer | All computers |
| disable_zoom_accessibility.bash | Removes Zoom's existing accessibility permissions from the TCC database | Every 15 minutes | Computers with Zoom installed |
| uninstall_zoom.bash | Uninstalls Zoom completely from systems | Weekly | Computers with Zoom installed |
Technical Terms Explained:
- PPPC (Privacy Preferences Policy Control) Profile: A macOS configuration profile that manages app permissions, such as accessibility access, at the system level.
- TCC (Transparency, Consent, and Control) Database: The macOS subsystem that tracks and enforces user consent for app permissions.
- Accessibility Permissions: Special OS-level privileges required for remote control features; blocking these disables Zoom’s remote control capability.
Sample Bash Command to Remove Zoom Accessibility:
```bash
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "DELETE FROM access WHERE client='us.zoom.xos';"
```
This command removes existing accessibility permissions for Zoom from the TCC database.
Additional Recommendations
- Train staff to recognize social engineering attempts, especially unusual permission requests during video calls.
- Monitor for indicators of compromise (IoCs), such as suspicious Zoom URLs or unauthorized Calendly links.
- Enforce communication policies that require verification of external contacts through official channels.
- Implement DMARC, SPF, and DKIM for email boundary protection.
The ELUSIVE COMET campaign highlights the growing threat of operational security failures, where human factors and legitimate software features are manipulated to bypass technical defenses.
Combining technical controls—such as PPPC profiles and TCC monitoring—with robust operational policies, organizations can effectively mitigate these evolving attack vectors without sacrificing business productivity.