North Korean criminals target crypto companies with Mac malware
Security researchers suspect North Korean attackers behind a macOS malware campaign targeting crypto companies.
(Image: solarseven/Shutterstock.com)
IT security researchers from Sentinel have discovered a new malware campaign that they attribute to the North Korean cybercriminal group Blue Noroff. The attackers are targeting companies in the cryptocurrency sector with macOS-specific multi-stage malware.
"Hidden risk"
According to the IT researchers, the attackers lure their victims with emails disguised as newsletters about cryptocurrency trends. The sender name is that of a real person who purports to be forwarding the email from a crypto influencer. Victims become infected when they click on a link in the email to supposed PDF files with enticing titles such as "The hidden risk behind the new Bitcoin price rise". Based on that PDF name, the researchers have named the campaign HiddenRisk.
During the initial infection, a so-called dropper is installed on the targeted system. A dropper is a software package that carries malicious code, establishes itself on the system and then downloads further malware.
The dropper, written in Swift, the programming language developed by Apple, was signed and notarized on 19 October with the Apple developer ID "Avantis Regtech Private Limited (2S8XHJ7948)". Apple has since revoked the signature. Such a signature and notarization are actually meant to attest that software is functional and safe.
To distract the victims, a PDF really is downloaded after the link is clicked and opened in the PDF viewer. In the background, however, the dropper fetches further malicious code from the network. It overrides Apple's App Transport Security policy so that the system accepts insecure HTTP connections to a domain controlled by the attackers.
In the next step, this malicious code establishes itself, unnoticed by the user, as a manipulated .zshenv configuration file in a hidden directory inside the home directory. The payload is an x86-64 Mach-O binary, which means it only runs on Macs with Intel processors, or on Apple Silicon Macs that have Apple's Rosetta compatibility software installed.
Sighted for the first time in real attacks
According to the researchers, the technique of planting a malicious .zshenv file on the system is not fundamentally new, but it had not previously been observed in real attacks. It lets the attackers bypass the persistence detection introduced in macOS 13, which would otherwise warn users through notifications about suspicious persistence mechanisms such as the installation of LaunchAgents.
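As an added defender-side example (not code from the researchers or from the campaign): a Python triage helper that reports which CPU architectures a Mach-O header declares, so that an x86-64-only payload like the one described above stands out, and that flags .zshenv lines referencing a file inside a hidden directory. All sample inputs are constructed; the hidden-directory check is a heuristic that also fires on benign tool hooks.

```python
import re
import struct

# Mach-O header constants from Apple's <mach-o/loader.h> and <mach/machine.h>
MH_MAGIC_64, MH_CIGAM_64, FAT_MAGIC = 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def macho_arches(data: bytes) -> list:
    """Return the CPU architectures declared by a Mach-O header (thin or fat)."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:   # universal binary, big-endian
        n = struct.unpack(">I", data[4:8])[0]
        arches = []
        for i in range(n):
            off = 8 + i * 20                              # sizeof(struct fat_arch) == 20
            if off + 4 > len(data):                       # truncated header
                break
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            arches.append(CPU_NAMES.get(cputype, hex(cputype)))
        return arches
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC_64:                              # host-order (little-endian) header
        cputype = struct.unpack("<I", data[4:8])[0]
    elif magic == MH_CIGAM_64:                            # byte-swapped header
        cputype = struct.unpack(">I", data[4:8])[0]
    else:
        return []                                         # not a 64-bit Mach-O
    return [CPU_NAMES.get(cputype, hex(cputype))]

def suspicious_zshenv_lines(text: str) -> list:
    """Flag .zshenv lines that reference a file inside a hidden directory."""
    # Heuristic only: benign hooks such as ~/.cargo/env match too, so treat hits as review items.
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for path in re.findall(r"(?:~|\$HOME|/)[^\s;&|'\"]*", stripped):
            parts = path.split("/")
            # a dot-component before the final one means a hidden directory
            if any(p.startswith(".") and p not in (".", "..") for p in parts[1:-1]):
                hits.append(stripped)
                break
    return hits

# Constructed samples (not artefacts from the campaign): a thin x86-64 header, a two-slice fat header, a .zshenv
SAMPLE_THIN = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0, 0)
SAMPLE_FAT = struct.pack(">II", FAT_MAGIC, 2) + struct.pack(">10I", 0x01000007, 3, 0, 0, 0, 0x0100000C, 0, 0, 0, 0)
SAMPLE_ZSHENV = "export PATH=$HOME/bin:$PATH\n# comment\n/Users/demo/.config/.hidden/updater &\n"
```

On a real machine the two helpers would be fed `open(path, "rb").read(32 + 20 * 8)` for candidate binaries and the contents of `~/.zshenv`.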
According to the blog post, it is also noteworthy that the threat actors have apparently managed repeatedly to obtain Apple developer IDs and have their malware notarized. That North Korean attackers target crypto companies is nothing new. However, cyber criminals from North Korea are apparently also trying to finance the country's UN-sanctioned nuclear weapons programme by other means: in October, the Office for the Protection of the Constitution warned of North Korean IT workers offering their services as freelancers on job platforms for this purpose.
(kst)