North Korean hackers use Mac malware to target crypto firms

Jump to First Reply
AppleInsiderAppleInsider
Posted:
in macOS

North Korean hackers are using sophisticated Mac malware delivered through fake Zoom invites to break into Web3 and crypto firms, stealing sensitive data while evading standard security measures.

Metallic rounded square with a raised border featuring a small door icon in the center against a dark gradient background.
North Korea targets crypto firms



Security researchers have identified a sophisticated campaign by North Korean-aligned hackers using novel malware to target Web3 and cryptocurrency companies on macOS systems.

The SentinelOne Labs report describes a multi-stage attack chain. This attack chain combines social engineering, deceptive AppleScripts, and binaries compiled in the Nim programming language.

Nim is uncommon on macOS, which complicates detection. The operation, dubbed "NimDoor," demonstrates evolving tactics by DPRK threat groups to compromise security defenses and steal sensitive data from crypto-focused businesses.

How the attack works



The initial compromise often begins with social engineering. Attackers impersonate trusted contacts over Telegram and lure victims into scheduling Zoom calls via Calendly links.

Code editor displaying instructions to update deprecated Zoom SDK with hyperlinks and shell script for accessing the SDK documentation.
The zoom_sdk_support.scpt file contains 10,000 lines of padding with a typo reading "Zook" instead of "Zoom." Image credit: SentinelOne



Victims receive phishing emails with malicious Zoom SDK update scripts that are booby-trapped AppleScript files. These scripts have thousands of padding lines to evade detection and fetch additional malware from attacker-controlled servers that mimic legitimate Zoom domains.

Once executed, these scripts download further payloads to the victim's machine. Researchers found two primary Mach-O binaries -- one written in C++ and another in Nim -- deployed in tandem to maintain persistent access and steal data.

The malware uses unusual techniques for macOS, such as process injection with special entitlements. It also employs encrypted communications over TLS-encrypted WebSockets (wss) and signal-based persistence mechanisms.

These mechanisms reinstall the malware when a user tries to terminate it or when the system reboots.

Advanced data theft and persistence



Data exfiltration is accomplished through Bash scripts that scrape browser history, Keychain credentials, and Telegram data. Targeted browsers include Arc, Brave, Firefox, Chrome, and Microsoft Edge.

The malware also steals encrypted local Telegram databases for potential offline cracking.

Persistence is achieved through clever use of macOS LaunchAgents and deceptive naming conventions. For instance, the malware installs binaries with names like "GoogIe LLC," substituting a capital "i" for a lowercase "L" to blend in with legitimate Google files.

Another binary, "CoreKitAgent," monitors system signals to reinstall itself if terminated. It includes anti-analysis measures such as 10-minute asynchronous sleep cycles to thwart security sandboxes.

Dark-themed code editor displaying a function with conditional statements and hexadecimal values, featuring line numbers, comments, and highlighted syntax in various colors.
Binary Ninja's MLIL view shows how the malware processes commands. Image credit: SentinelOne



According to SentinelOne, the use of Nim for these binaries represents an evolution in threat actor tooling. Nim's compile-time execution and interleaving of developer and runtime code make static analysis more difficult.

AppleScript-based beaconing provides lightweight command-and-control. It does so without relying on heavy post-exploitation frameworks that could more easily trigger alerts.

How to stay safe from NimDoor



Users should avoid running scripts or software updates received through unexpected emails or messages, even if these appear to come from trusted contacts. Careful inspection of URLs is important because attackers often craft lookalike domains to trick victims.

Next, keep macOS and all installed applications updated with the latest security patches. Updated apps reduce vulnerabilities that malware campaigns exploit.

It also helps to use reputable endpoint security tools that can detect suspicious behaviors like process injection, malicious AppleScripts, or unrecognized launch agents. Reviewing login items and LaunchAgents on a regular basis can reveal unauthorized entries that maintain persistence.

Finally, adopt strong, unique passwords and enable multi-factor authentication where available.



Read on AppleInsider

Comments

  • Reply 1 of 2
    mark fearingmark fearing Posts: 473member
    Can't say I'm broken hearted. The entire crypto-bro schemes are stinky and with the orange ones involvement shows exactly the kind of scam they are. So just like drug dealers getting robbed, you sort of expect this.
    sconosciuto
     1Like 0Dislikes 0Informatives
  • Reply 2 of 2
    dewmedewme Posts: 6,079member
    Andrew, very nice analysis and write-up.
    sconosciuto
     1Like 0Dislikes 0Informatives
Sign In or Register to comment.