A menace actor with ties to the Democratic Individuals’s Republic of Korea (DPRK) has been noticed concentrating on cryptocurrency-related companies with a multi-stage malware able to infecting Apple macOS gadgets.
Cybersecurity firm SentinelOne, which dubbed the marketing campaign Hidden Threat, attributed it with excessive confidence to BlueNoroff, which has been beforehand linked to malware households akin to RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift.
The exercise “uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file,” researchers Raffaele Sabato, Phil Stokes, and Tom Hegel mentioned in a report shared with The Hacker Information.
“The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics.”
As revealed by the U.S. Federal Bureau of Investigation (FBI) in a September 2024 advisory, these campaigns are a part of “highly tailored, difficult-to-detect social engineering” assaults aimed toward staff working within the decentralized finance (DeFi) and cryptocurrency sectors.
The assaults take the type of bogus job alternatives or company funding, participating with their targets for prolonged durations of time to construct belief earlier than delivering malware.
SentinelOne mentioned it noticed an electronic mail phishing try on a crypto-related business in late October 2024 that delivered a dropper utility mimicking a PDF file (“Hidden Risk Behind New Surge of Bitcoin Price.app”) hosted on delphidigital[.]org.
The applying, written within the Swift programming language, has been discovered to be signed and notarized on October 19, 2024, with the Apple developer ID “Avantis Regtech Private Limited (2S8XHJ7948).” The signature has since been revoked by the iPhone maker.
Upon launch, the appliance downloads and shows to the sufferer a decoy PDF file retrieved from Google Drive, whereas covertly retrieving a second-stage executable from a distant server and executing it. A Mach-O x86-64 executable, the C++-based unsigned binary acts as a backdoor to execute distant instructions.
The backdoor additionally incorporates a novel persistence mechanism that abuses the zshenv configuration file, marking the primary time the approach has been abused within the wild by malware authors.
“It has particular value on modern versions of macOS since Apple introduced user notifications for background Login Items as of macOS 13 Ventura,” the researchers mentioned.
“Apple’s notification aims to warn users when a persistence method is installed, particularly oft-abused LaunchAgents and LaunchDaemons. Abusing Zshenv, however, does not trigger such a notification in current versions of macOS.”
The menace actor has additionally been noticed utilizing area registrar Namecheap to determine an infrastructure that is centered round themes associated to cryptocurrency, Web3, and investments to present it a veneer of legitimacy. Quickpacket, Routerhosting, and Hostwinds are among the many mostly used internet hosting suppliers.
It is price noting that the assault chain shares some stage of overlap with a earlier marketing campaign that Kandji highlighted in August 2024, which additionally employed a equally named macOS dropper app “Risk factors for Bitcoin’s price decline are emerging(2024).app” to deploy TodoSwift.
It is not clear what prompted the menace actors to shift their techniques, and if it is in response to public reporting. “North Korean actors are known for their creativity, adaptability, and awareness of reports on their activities, so it’s entirely possible that we’re simply seeing different successful methods emerge from their offensive cyber program,” Stokes advised The Hacker Information.
One other regarding side of the marketing campaign is BlueNoroff’s capability to amass or hijack legitimate Apple developer accounts and use them to have their malware notarized by Apple.
“Over the last 12 months or so, North Korean cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive ‘grooming’ of targets via social media,” the researchers mentioned.
“The Hidden Risk campaign diverts from this strategy taking a more traditional and cruder, though not necessarily any less effective, email phishing approach. Despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident.”
The event additionally comes amid different campaigns orchestrated by North Korean hackers to hunt employment at varied corporations within the West and ship malware utilizing booby-trapped codebases and conferencing instruments to potential job seekers below the guise of a hiring problem or an task.
The two intrusion units, dubbed Wagemole (aka UNC5267) and Contagious Interview, have been attributed to a menace group tracked as Well-known Chollima (aka CL-STA-0240 and Tenacious Pungsan).
ESET, which has given Contagious Interview the moniker DeceptiveDevelopment, has labeled it as a brand new Lazarus Group exercise cluster that is targeted on concentrating on freelance builders around the globe with the goal of cryptocurrency theft.
“The Contagious Interview and Wagemole campaigns showcase the evolving tactics of North Korean threat actors as they continue to steal data, land remote jobs in Western countries, and bypass financial sanctions,” Zscaler ThreatLabz researcher Seongsu Park mentioned earlier this week.
“With refined obfuscation techniques, multi-platform compatibility, and widespread data theft, these campaigns represent a growing threat to businesses and individuals alike.”