
North Korean Hackers Target macOS Users

North Korean cryptocurrency thieves caught targeting macOS with fake PDF applications, backdoors and new persistence tactics.


North Korean cryptocurrency thieves are once again targeting macOS users with a new malware campaign that uses phishing emails, fake PDF applications, and a novel technique to evade Apple’s security measures.

According to fresh research from SentinelOne, the notorious BlueNoroff hacking team was caught sending phishing lures with fake news headlines or stories about crypto-related topics to targets at decentralized finance (DeFi) and cryptocurrency businesses.

Inside the emails, the North Korean government-backed hackers embedded a malicious macOS application disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”.

SentinelOne said the campaign, called ‘Hidden Risk’, also abuses the ‘zshenv’ configuration file to maintain persistence without triggering macOS Ventura’s background item modification notifications.

The macOS notifications are designed to alert users to changes in common persistence methods like LaunchAgents and LaunchDaemons.

According to SentinelOne documentation, the first-stage malware is a macOS application written in Swift, named identically to the embedded PDF document. The application is signed and notarized using a legitimate Apple Developer ID (since revoked) and, upon execution, downloads a decoy PDF from a Google Drive link and opens it using the default macOS PDF viewer to avoid arousing suspicion.

In tandem, SentinelOne researchers observed the malware downloading and executing a malicious x86-64 binary from a hard-coded URL. The application bypasses macOS security features by specifying exceptions in its Info.plist file to allow insecure HTTP connections, the company said.
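Two of the host-side indicators described above, the Info.plist exception that permits plain HTTP and commands planted in a zshenv file, can be checked from a defender's side with a small audit script. The following is an added example and not SentinelOne's or SecurityWeek's code; the Info.plist and .zshenv contents it inspects are constructed samples, and the keyword list used to flag zshenv lines is a heuristic assumption, not a published signature.

```python
"""Audit helpers for two indicators from the Hidden Risk write-up:
an app bundle Info.plist that opts out of App Transport Security, and a
zshenv file carrying commands that run on every zsh start (zshenv is
read for interactive and non-interactive shells alike, which is why
it sidesteps the background-item notifications tied to LaunchAgents)."""
import plistlib
import re

def ats_allows_insecure_http(info_plist_bytes: bytes) -> bool:
    """True if the plist disables ATS globally or grants a per-domain
    exception that permits cleartext HTTP loads."""
    plist = plistlib.loads(info_plist_bytes)
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        return True
    for rules in ats.get("NSExceptionDomains", {}).values():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            return True
    return False

# Heuristic (assumption): a benign zshenv mostly sets variables and
# aliases; lines that fetch, background, or launch something from
# user-writable or hidden paths deserve a look.
_SUSPECT = re.compile(r"(curl|wget|nohup|/tmp/|/private/|/\.[A-Za-z]|\s&\s*$|base64)")

def suspicious_zshenv_lines(text: str) -> list:
    """Return the stripped lines of a zshenv file that trip the heuristic."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _SUSPECT.search(stripped):
            hits.append(stripped)
    return hits

# Constructed samples (not artifacts from the campaign).
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.constructed",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})
CLEAN_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.constructed"})
SAMPLE_ZSHENV = """# constructed sample ~/.zshenv
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup /private/tmp/.update/updater >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    print("insecure HTTP allowed:", ats_allows_insecure_http(SAMPLE_PLIST))
    print("suspicious zshenv lines:", suspicious_zshenv_lines(SAMPLE_ZSHENV))
```

On a real host the same functions can be pointed at `<bundle>.app/Contents/Info.plist` and at `~/.zshenv` and `/etc/zshenv`; a hit is a prompt for review, not proof of compromise.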

The company also documented the use of a second-stage backdoor that collects system information, generates a unique identifier, and establishes communication with a command-and-control (C2) server. 


SentinelOne said the backdoor is programmed to send the OS version, hardware model, and process list to the C2 server and awaits further instructions.

BlueNoroff is publicly documented as a sub-group within North Korea’s Lazarus APT operation. The group specializes in financial cybercrime, particularly targeting banks and cryptocurrency exchanges to fund the North Korean regime.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
