A malicious actor with ties to the Democratic People’s Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with multi-stage malware capable of infecting Apple macOS devices.
Cybersecurity company SentinelOne, which named the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has previously been linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift.
The activity “uses emails spreading fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file,” researchers Raffaele Sabato, Phil Stokes and Tom Hegel said in a report shared with The Hacker News.
“The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories on crypto-related topics.”
According to a September 2024 advisory from the US Federal Bureau of Investigation (FBI), these campaigns are part of “highly personalized and difficult to detect” social engineering attacks targeting employees working in the decentralized finance (DeFi) and cryptocurrency sectors.
Attacks take the form of fake job opportunities or business investments, preying on their targets for extended periods of time to build trust before releasing malware.
SentinelOne said it observed an email phishing attempt against a crypto-related business in late October 2024 that delivered a dropper app imitating a PDF file (“Hidden Risk Behind New Bitcoin.app Price Surge”) hosted on delphidigital(.)org.
The application, written in the Swift programming language, was signed and notarized on October 19, 2024, with the Apple developer ID “Avantis Regtech Private Limited (2S8XHJ7948).” The signature has since been revoked by the iPhone maker.
Upon launch, the application downloads and displays a decoy PDF file retrieved from Google Drive to the victim, while secretly fetching a second-stage executable from a remote server and running it. A Mach-O x86-64 executable, the unsigned C++-based binary acts as a backdoor to execute commands remotely.
The backdoor also incorporates a new persistence mechanism that leverages the zshenv configuration file, marking the first time the technique has been abused by malware authors.
“This is of particular value on modern versions of macOS since Apple introduced user notifications for background login items starting with macOS 13 Ventura,” the researchers said.
“Apple’s notification is intended to warn users when a persistence method is installed, particularly the often abused LaunchAgents and LaunchDaemons. Abuse of zshenv, however, does not trigger such a notification in current versions of macOS.”
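Because zshenv is read by every zsh invocation and, as the researchers note, modifying it raises no user notification, the practical defensive response is to audit those files directly. The following POSIX shell script is an added example written for this article; it is not code from SentinelOne’s report and it does not reproduce the malware’s own zshenv contents. It assumes only that `/etc/zshenv`, `/etc/zsh/zshenv` and `~/.zshenv` (or `$ZDOTDIR/.zshenv`) are the files zsh sources on every start, and the pattern list is a constructed review heuristic, not a verdict on any line it flags.

```shell
#!/bin/sh
# Audit zsh startup files for persistence-style content (added example,
# not part of the SentinelOne report). Matches are for human review:
# a hit means "look at this", not "this is malware".

# Constructed review patterns: network fetches, background launchers,
# encoded payloads, command evaluation, and paths inside hidden
# directories (the "/.name/" shape). Tune for your environment.
SUSPECT_PATTERNS='curl |wget |nohup |base64|eval |/\.[A-Za-z0-9_]+/|osascript|launchctl|python[23]? -c'

# audit_zshenv FILE
# Prints every non-comment line of FILE that matches SUSPECT_PATTERNS
# as "FILE:LINENO: text". Missing or unreadable files print nothing.
audit_zshenv() {
    file=$1
    [ -r "$file" ] || return 0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|\#*) continue ;;          # skip blank lines and comments
        esac
        if printf '%s\n' "$line" | grep -Eq "$SUSPECT_PATTERNS"; then
            printf '%s:%d: %s\n' "$file" "$n" "$line"
        fi
    done < "$file"
}

# count_suspect FILE
# Prints the number of flagged lines in FILE (0 when nothing is flagged).
count_suspect() {
    audit_zshenv "$1" | wc -l | tr -d ' '
}

# audit_all_zshenv
# Runs the audit over the standard system-wide and per-user zshenv paths.
audit_all_zshenv() {
    for f in /etc/zshenv /etc/zsh/zshenv "${ZDOTDIR:-$HOME}/.zshenv"; do
        audit_zshenv "$f"
    done
}

# make_sample_zshenv
# Writes a constructed sample zshenv to a temp file and prints its path,
# so the audit can be exercised offline. Lines 3 and 4 are the ones a
# reviewer would want surfaced: one sources a file from a hidden
# directory, the other launches a background process from one.
make_sample_zshenv() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample ~/.zshenv
export PATH="$HOME/bin:$PATH"
[ -f "$HOME/.config/.zsh_env_hidden" ] && . "$HOME/.config/.zsh_env_hidden"
nohup /tmp/.cache/updater >/dev/null 2>&1 &
EOF
    printf '%s\n' "$f"
}

# Usage on a live host:  . ./audit_zshenv.sh && audit_all_zshenv
```

Pair the content check with file metadata: a `~/.zshenv` whose modification time is recent on a host where the user never edits shell config, or one that appears on a machine where it did not previously exist, deserves the same scrutiny as a new LaunchAgent.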
The threat actor was also observed using domain registrar Namecheap to establish infrastructure centered around cryptocurrency, Web3, and investment themes to give it a veneer of legitimacy. Quickpacket, Routerhosting and Hostwinds are some of the most commonly used hosting providers.
It’s worth noting that the attack chain shares some level of overlap with a previous campaign that Kandji highlighted in August 2024, which also used a macOS dropper app named “Emerging Bitcoin (2024).app” to deploy TodoSwift.
It is not clear what prompted the threat actors to change tactics, or whether it was in response to public information. “North Korean actors are known for their creativity, adaptability and knowledge of reporting on their activities, so it is entirely possible that we are simply seeing different effective methods emerge from their offensive cyber program,” Stokes told The Hacker News.
Another concerning aspect of the campaign is BlueNoroff’s ability to acquire or hijack valid Apple developer accounts and use them to have their malware notarized by Apple.
“Over the past 12 months or so, North Korean cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive ‘grooming’ of targets via social media,” the researchers said.
“The Hidden Risk campaign departs from this strategy by adopting a more traditional and cruder email phishing approach, but not necessarily a less effective one. Despite the crudeness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident.”
The development also comes amid other campaigns orchestrated by North Korean hackers to seek employment at various Western companies and to distribute malware to job-seeking candidates using booby-trapped code bases and conferencing tools, under the guise of a hiring challenge or an assignment.
The two sets of intrusions, dubbed Wagemole (aka UNC5267) and Contagious Interview, were attributed to a threat group tracked under the name Famous Chollima (aka CL-STA-0240 and Tenacious Pungsan).
ESET, which tracks Contagious Interview under the name Misleading Development, classified it as a new cluster of Lazarus Group activity focused on targeting freelance developers around the world with the aim of stealing cryptocurrency.
“The Contagious Interview and Wagemole campaigns highlight the evolving tactics of North Korean threat actors as they continue to steal data, land remote jobs in Western countries, and circumvent financial sanctions,” Seongsu Park, a researcher at Zscaler ThreatLabz, said earlier this week.
“With sophisticated obfuscation techniques, cross-platform compatibility, and widespread data theft, these campaigns pose a growing threat to businesses and individuals.”