North Korean Hackers Deploy macOS Malware to Target Crypto Firms

Alan V Gutnov

Director of Strategy

July 16, 2025 3 min read

North Korean Malware Campaign Targeting Crypto Firms

North Korean hackers are executing a sophisticated campaign leveraging malware designed to infiltrate Web3 and cryptocurrency organizations. This campaign utilizes a variety of techniques, including social engineering, deceptive AppleScripts, and binaries compiled in the niche programming language Nim. The operation is referred to as "NimDoor" by researchers at Sentinel Labs.

[Image: hacker in a dark hoodie in front of a notebook, North Korean flag and binary streams in the background; courtesy of CSO Online]

Attack Vector and Initial Compromise

The initial phase of the attack often begins with social engineering. Victims receive messages on Telegram from contacts they believe to be trustworthy, asking to schedule a meeting via Calendly. They then receive phishing emails containing fake Zoom meeting invitations and instructions to run a bogus "Zoom SDK update" script. The script, named zoom_sdk_support.scpt, is padded with 10,000 lines of white space to hide the few lines that fetch and execute a secondary payload from a remote server.

Researchers at Huntress have documented these attacks, noting that the malware is capable of maintaining persistence on compromised systems through clever techniques involving macOS LaunchAgents. This allows the malware to reinstate itself even after termination or a system reboot.

Multi-Stage Infection Process

Once the initial script is executed, it downloads two Mach-O binaries. The first, written in C++, writes an encrypted payload to disk, while the second, compiled from Nim source code, is responsible for maintaining access. This malware employs process injection techniques, a rarity in macOS malware, and communicates over TLS-encrypted WebSockets (wss) to exfiltrate sensitive information.

[Image: low-key photo of a MacBook keyboard; courtesy of 9to5Mac]

Data Exfiltration Techniques

The malware uses Bash scripts to scrape and exfiltrate sensitive user data, including Keychain credentials and data from browsers such as Chrome, Firefox, and Brave. Its persistence components are disguised with names that resemble legitimate system files, making detection difficult.

In addition to data scraping, the malware employs an unusual persistence mechanism that installs signal handlers for SIGINT and SIGTERM, so that it remains active even when attempts are made to terminate its processes. This technique represents an evolution in North Korean cyber operations and illustrates their shift towards less common programming languages, such as Nim, for malicious tooling.
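The LaunchAgent persistence, the system-file-like naming and the relaunch-after-termination behaviour described above can be triaged from a LaunchAgent plist alone. The following is an added example written for this article, not code from the original post or from Huntress or Sentinel Labs; the trusted and staging path prefixes, the interpreter list, and the two sample plists are assumptions constructed for the heuristic.

```python
"""Heuristic triage of macOS LaunchAgent plists for the persistence traits above."""
# Constructed example; the prefixes and rules are assumptions, not vendor detection content.
import plistlib
from pathlib import Path

# Where a LaunchAgent's program normally lives (assumption for this heuristic).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Staging locations that droppers commonly write payloads to (assumption).
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
# Interpreters that turn a plist into "run this script at login" persistence.
INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python3", "curl"}

def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one plist; an empty list means nothing stood out."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    if program is None:
        return ["no Program or ProgramArguments key"]
    findings = []
    if not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted prefixes: {program}")
    for path in [program, *args[1:]]:
        if path.startswith(STAGING_PREFIXES):
            findings.append(f"staging path referenced: {path}")
    # Apple's own agents ship under /System; a com.apple.* label that points
    # elsewhere is a name chosen to blend in with system files.
    if data.get("Label", "").startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        findings.append(f"system-like label for non-system program: {data['Label']}")
    if Path(program).name in INTERPRETERS and len(args) > 1:
        findings.append(f"interpreter invoked with arguments: {' '.join(args[1:])}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched at login and after termination")
    return findings

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Triage every .plist in a directory such as Path.home() / 'Library/LaunchAgents'."""
    return {p.name: triage_launch_agent(p.read_bytes())
            for p in sorted(directory.glob("*.plist"))}

# Constructed sample plists for offline use; not real NimDoor artifacts.
BENIGN = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                         "Program": "/Applications/Example.app/Contents/MacOS/updater"})
SUSPICIOUS = plistlib.dumps({"Label": "com.apple.systemhelper", "RunAtLoad": True, "KeepAlive": True,
                             "ProgramArguments": ["/bin/bash", "-c", "/tmp/.cache/run.sh"]})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_launch_agent(blob) or ["clean"])
```

A process can ignore SIGINT and SIGTERM but not SIGKILL; when removing such an agent, unload it with launchctl first so KeepAlive does not relaunch the process after it is killed.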

Conclusion

The NimDoor malware campaign exemplifies the evolving threat landscape posed by North Korean APT groups. Users are advised to remain vigilant and avoid executing scripts or software updates from unexpected sources. Keeping macOS systems updated with the latest security patches and utilizing reputable endpoint security tools can help mitigate the risks posed by these sophisticated attacks.

For more detailed technical insights, refer to the full reports from Sentinel Labs and Huntress.

