North Korean hackers are luring employees at web3 and crypto-related organizations into installing Nim-compiled macOS malware via fake Zoom software updates, SentinelOne reports.
The observed attacks follow an infection chain recently attributed to Pyongyang APT BlueNoroff: hackers impersonate a victim’s trusted contact to invite them over Telegram to schedule a meeting via the popular Calendly scheduling platform.
The victim then receives an email containing a link to a Zoom meeting, and is instructed to run a malicious script posing as a Zoom SDK update. The script’s execution triggers a multi-stage infection chain leading to the deployment of malicious binaries that SentinelOne collectively tracks as NimDoor.
Analysis of the attacks revealed novel techniques employed by the hacking group, such as using the Nim programming language to build macOS binaries, abusing wss (TLS-encrypted WebSocket connections) for process injection and remote communication, and relying on specific signal handlers for persistence.
Nim is a statically typed compiled systems programming language that combines concepts from other programming languages such as Python, Ada and Modula.
“The Nim stages contain some unique features including encrypted configuration handling, asynchronous execution built around Nim’s native runtime, and a signal-based persistence mechanism previously unseen in macOS malware,” SentinelOne notes in a technical writeup.
AppleScripts were also used widely throughout the infection chain, both for initial access and for post-compromise operations such as beaconing and system backdooring. Bash scripts were deployed for Keychain, browser, and Telegram data exfiltration.
According to SentinelOne, the attackers were seen leveraging two Mach-O binaries to set off two independent execution chains.
One, written in C++, leads to the execution of bash scripts for data exfiltration, while the other, compiled from Nim source code, sets up persistence and drops two Nim-compiled binaries, namely ‘GoogIe LLC’ (a typo-spoofed name in which the lowercase “l” of Google is replaced with an uppercase “I”) and ‘CoreKitAgent’.
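One defensive check that follows from the ‘GoogIe LLC’ naming trick, as an added Python example that is not code from SentinelOne’s report: a homoglyph matcher that flags process or launch-agent names which imitate a known vendor once visually similar characters are collapsed. The confusable map, the vendor list and the sample names are constructed for this example.

```python
import re
import unicodedata

# Visually confusable characters in common UI fonts (a constructed subset,
# not the full Unicode confusables table). "I" -> "l" is the trick behind
# "GoogIe LLC": an uppercase i standing in for a lowercase L.
CONFUSABLES = {"rn": "m", "I": "l", "1": "l", "|": "l",
               "0": "o", "O": "o", "5": "s", "3": "e"}

# Vendor names a defender expects in legitimate process and launch-agent
# labels (constructed sample list; extend from your own inventory).
KNOWN_VENDORS = ["Google LLC", "Apple Inc", "Zoom Video Communications"]


def skeleton(name: str) -> str:
    """Collapse a name to a lower-case 'skeleton' in which confusable
    characters map to one canonical letter, so a spoof and the name it
    imitates yield the same string. Multi-character pairs go first."""
    text = unicodedata.normalize("NFKC", re.sub(r"\s+", " ", name).strip())
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(src, dst)
    return text.lower()


def spoof_of(name: str):
    """Return the known vendor that `name` imitates, or None when the name
    is an exact (case-insensitive) vendor match or is simply unrelated."""
    folded = re.sub(r"\s+", " ", name).strip().lower()
    if any(folded == vendor.lower() for vendor in KNOWN_VENDORS):
        return None
    for vendor in KNOWN_VENDORS:
        if skeleton(name) == skeleton(vendor):
            return vendor
    return None


def find_spoofs(names):
    """Scan process or launch-agent names; return (name, imitated_vendor)
    pairs for every homoglyph spoof found."""
    return [(n, spoof_of(n)) for n in names if spoof_of(n) is not None]


# Constructed sample input standing in for a process listing.
SAMPLE_NAMES = ["Google LLC", "GoogIe LLC", "Apple Inc", "App1e Inc",
                "CoreKitAgent", "Zoom Video Communications"]

if __name__ == "__main__":
    for name, vendor in find_spoofs(SAMPLE_NAMES):
        print(f"{name!r} imitates {vendor!r}")
```

Run against names pulled from `ps`, `launchctl list` or LaunchAgent plist labels to surface lookalike labels for manual review.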
GoogIe LLC is designed to set up a configuration file and to execute CoreKitAgent, a complex Nim binary that “operates as an event-driven application using macOS’s kqueue mechanism”, SentinelOne says.
Together, the two payloads establish persistent access and recovery mechanisms that rely on signal handlers to intercept the SIGINT and SIGTERM termination signals and re-deploy the core components.
“Nim’s rather unique ability to execute functions during compile time allows attackers to blend complex behavior into a binary with less obvious control flow, resulting in compiled binaries in which developer code and Nim runtime code are intermingled even at the function level,” SentinelOne notes.