macOS Malware Utilizes Phony Zoom Update to Attack Cryptocurrency and Web3 Startups

North Korean cybercriminals are implicated in a newly launched and notably advanced macOS malware initiative that aims at the cryptocurrency sector through fraudulent Zoom invitations. Here’s the operational overview.

Referred to as “NimDoor” by analysts at SentinelLabs, this attack surpasses typical macOS threats in sophistication, combining AppleScript, Bash, C++, and Nim to extract data and sustain access within infiltrated systems.

Here’s the executive summary from SentinelLabs regarding the breach:

– Actors from the DPRK are utilizing binaries compiled with Nim and an array of attack sequences targeting businesses associated with Web3 and cryptocurrency.
– Uncharacteristically for malware aimed at macOS, these threat actors use a process injection method and remote interactions through wss, the TLS-secured variant of the WebSocket protocol.
– An unusual persistence mechanism installs SIGINT/SIGTERM signal handlers so that the malware reinstalls itself when its process is terminated or the system is restarted.
– The perpetrators deploy AppleScripts extensively, both to gain initial entry and subsequently in the attack sequence to act as minimal beacons and backdoors.
– Bash scripts facilitate the extraction of Keychain credentials, browser information, and Telegram user data.
– The analysis by SentinelLabs underscores new TTPs and malware artifacts that link previously reported elements, deepening our comprehension of the evolving tactics employed by these threat actors.

### How it operates, in summary

Through social manipulation, victims are contacted on Telegram by an individual pretending to be a trusted associate. They are instructed to arrange a call via Calendly, followed by an email that includes a counterfeit Zoom link and directions to execute a phony “Zoom SDK update.” According to SentinelLabs, this file “is heavily padded, containing 10,000 lines of whitespace to disguise its actual purpose.”
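The padding trick described above (a short script hidden behind roughly 10,000 whitespace-only lines) is something a defender can screen for during triage. The following is an added example, not code from the page or from SentinelLabs; it builds a constructed sample modelled on that description and reports how much of a file is blank, how long the longest blank run is, and what the file looks like once the padding is stripped.

```python
# Triage helper for whitespace-padded scripts (added example, defender tooling).
# The sample below is constructed for illustration; it is not the real NimDoor dropper.
CONSTRUCTED_SAMPLE = (
    "#!/bin/bash\n"
    "# Zoom SDK update\n"
    + "\n" * 10_000                      # padding block, as the report describes
    + "echo 'placeholder for the real script body'\n"
)


def padding_stats(text: str) -> dict:
    """Count total lines, whitespace-only lines, and the longest blank run."""
    lines = text.splitlines()
    total = len(lines)
    blank = sum(1 for line in lines if not line.strip())
    longest = run = 0
    for line in lines:
        run = run + 1 if not line.strip() else 0   # reset on any real content
        longest = max(longest, run)
    ratio = blank / total if total else 0.0
    return {
        "total_lines": total,
        "blank_lines": blank,
        "longest_blank_run": longest,
        "blank_ratio": ratio,
    }


def is_suspiciously_padded(text: str, min_run: int = 500, min_ratio: float = 0.8) -> bool:
    """Flag files where most lines are blank AND the blanks form one large block.
    Thresholds are assumptions for triage, not values from the report."""
    stats = padding_stats(text)
    return stats["longest_blank_run"] >= min_run and stats["blank_ratio"] >= min_ratio


def strip_padding(text: str) -> list:
    """Return only the non-blank lines, i.e. what the script actually does."""
    return [line for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    print(padding_stats(CONSTRUCTED_SAMPLE))
    print("suspicious:", is_suspiciously_padded(CONSTRUCTED_SAMPLE))
    for line in strip_padding(CONSTRUCTED_SAMPLE):
        print(line)
```

Heavy blank padding is a triage signal rather than proof of malice, so review the stripped lines (look for osascript, curl, or base64-decoding commands) before drawing conclusions.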

Upon execution, it initiates a complex sequence of actions that establishes an encrypted link with a command-and-control server. It also contains failover functionality that reinstalls critical components if the system restarts or the malware process is halted.

Once the malware’s binaries and persistence mechanisms are in place, it employs Bash scripts to gather and exfiltrate credentials and confidential information, including Keychain credentials, browser data, and Telegram data.

### The comprehensive technical exploration is highly recommended

For those interested in an in-depth understanding of how the malware functions, the SentinelLabs report provides comprehensive hash listings, code examples, screenshots, and attack flow charts, along with a much more thorough examination of each phase, from the bogus Zoom update to the ultimate data exfiltration.

The researchers further indicate that NimDoor signifies a wider trend toward more intricate and less recognized cross-platform programming languages in macOS malware, moving away from the Go, Python, and shell scripts that North Korean cybercriminals have historically employed.