fbpx
Friday, November 8, 2024
Cyber SecurityTechnology

North Korean hackers use new macOS malware against crypto firms

by Wire Tech

North Korean threat actor BlueNoroff has been targeting crypto-related businesses with a new multi-stage malware for macOS systems.

Researchers are calling the campaign Hidden Risk and say that it lures victims with emails that share fake news about the latest activity in the cryptocurrency sector.

The malware deployed in these attacks relies on a novel persistence mechanism on macOS that does not trigger any alerts on the latest versions of the operating system, thus evading detection.

BlueNoroff is known for cryptocurrency thefts and has targeted macOS in the past using a payload malware called ‘ObjCShellz‘ to open remote shells on compromised Macs.

Infection chain

The attacks start with a phishing email containing crypto-related news and subjects, made to appear as if forwarded by a cryptocurrency influencer to add credibility.

Trending
Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments

The message comes with a link supposedly to read a PDF relating to the piece of information, but points to the "delphidigital[.]org" domain controlled by the attackers.

According to SentinelLabs researchers, the "URL currently serves a benign form of the Bitcoin ETF document with titles that differ over time" but sometimes it serves the first stage of a malicious application bundle that is called ‘Hidden Risk Behind New Surge of Bitcoin Price.app’.

The researchers say that for the Hidden Risk campaign the threat actor used a copy of a genuine academic paper from the University of Texas.

Fake PDF (left) and original source (right)
Fake PDF (left) and original source (right)
Source: SentinelLabs

The first stage is a dropper app signed and notarized using a valid Apple Developer ID, "Avantis Regtech Private Limited (2S8XHJ7948)," which Apple has now revoked.

When executed, the dropper downloads a decoy PDF from a Google Drive link and opens it in the default PDF viewer to distract the victim. In the background, though, the next stage payload is downloaded from "matuaner[.]com."

Malware dropper app
Malware dropper app
Source: SentinelLabs

Notably, the hackers have manipulated the app's 'Info. plist' file to allow insecure HTTP connections to the attacker-controlled domain, essentially overriding Apple's App Transport Security policies.

Modified Info.plist file
Source: SentinelLabs

Main backdoor and new persistence mechanism

The second-stage payload, called "growth," is an x86_64 Mach-O binary runs only on Intel and Apple silicon devices that have the Rosetta emulation framework.

It achieves persistence on the system by modifying the ".zshenv" configuration file, which is hidden in the user's home directory and loads during Zsh sessions.

Malicious zshenv file
Source: SentinelLabs

The malware installs a hidden "touch file" in the /tmp/ directory to mark successful infection and persistence, ensuring the payload remains active across reboots and user sessions.

This method makes it possible to bypass persistence detection systems Apple introduced in macOS 13 and later, which alert users via notifications when LaunchAgents are installed on their system.

"Infecting the host with a malicious Zshenv file allows for a more powerful form of persistence," explains SentinelLabs.

"While this technique is not unknown, it is the first time we have observed it used in the wild by malware authors."

Once nested in the system, the backdoor connects with the command-and-control (C2) server, checking for new commands every 60 seconds. The user-agent string used for this has been seen previously in attacks in 2023 attributed to BlueNoroff.

The observed commands are for downloading and executing additional payloads, running shell commands to manipulate or exfiltrate files, or exit (stop the process).

SentinelLabs says the "Hidden Risk" campaign has been running for the last 12 months or so, following a more direct phishing approach that does not involve the typical "grooming" on social media that other DPRK hackers engage in.

The researchers also note that BlueNoroff has shown a consistent capability to source new Apple developer accounts and get their payloads notarized to bypass macOS Gatekeeper.

Related Articles:

Custom "Pygmy Goat" malware used in Sophos Firewall hack on govt network

Linux malware “perfctl” behind years-long cryptomining campaign

New RomCom malware variant 'SnipBot' spotted in data theft attacks

New Vo1d malware infects 1.3 million Android streaming boxes

Hackers increasingly use Winos4.0 post-exploitation kit in attacks

________________________________________________________________________________________________________________________________
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________

You may also like

North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

A Hacker’s Guide to Password Cracking

Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

New Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

Hackers increasingly use Winos4.0 post-exploitation kit in attacks

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

Unlock the Power of Technology with Tech-Wire: The Ultimate Resource for Computing, Cybersecurity, and Mobile Technology Insights

  • Mumbai, India
  • Email: info@tech-wire.in

Recent Posts

After decades, FDA finally moves to pull ineffective decongestant off...
Amazon’s Mass Effect TV series is actually going to be...
Instagram Expands Post Boosting to Include More Post Types

Userful Links

Our Policies

POPULAR CATEGORIES

Copyright @2023 All Right Reserved 

Facebook Twitter Instagram Linkedin Rss
@2021 - All Right Reserved. Designed and Developed by PenciDesign