North Korean Hackers Target Crypto Companies With Hidden Risk Malware on macOS

By Admin, November 7, 2024
A threat actor linked to the Democratic People’s Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with multi-stage malware capable of infecting Apple macOS devices.

Cyber security company SentinelOne, which codenamed the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has previously been linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift.

The campaign uses emails that spread fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file, researchers Rafael Sabato, Phil Stokes, and Tom Hegel said in a report shared with The Hacker News.

“The campaign likely started as early as July 2024 and uses email and PDF baits with fake news headlines or stories on crypto-related topics.”


As revealed by the US Federal Bureau of Investigation (FBI) in September 2024, these campaigns are part of "tailored and difficult to detect social engineering" attacks targeting employees working in the decentralized finance (DeFi) and cryptocurrency sectors.

Attacks take the form of fake employment opportunities or corporate investments, engaging with targets for extended periods of time to build trust before delivering the malware.

SentinelOne said that in late October 2024 it observed a phishing email attempt against a crypto-related business that delivered a dropper application posing as a PDF ("Hidden Risk Behind New Surge of Bitcoin Price.app"), hosted at delphidigital(.)org.

The app, written in the Swift programming language, was found to be signed and notarized on October 19, 2024, with the Apple developer ID "Avantis Regtech Private Limited (2S8XHJ7948)". Apple has since revoked the signature.

Once launched, the program downloads and displays a decoy PDF file fetched from Google Drive, while silently retrieving the second-stage executable from a remote server and running it. That second stage, an unsigned C++ Mach-O x86-64 binary, acts as a backdoor that executes remote commands.
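A second-stage backdoor that ships as an unsigned x86-64 Mach-O is a cheap thing to triage for at scale. The following is an added example (not SentinelOne's tooling and not code from the campaign): a minimal Mach-O header parser that reports, per architecture slice, whether the image carries an LC_CODE_SIGNATURE load command at all, and flags x86-64 executables that do not. The constants are the standard values from Apple's mach-o/loader.h; the sample images built by `build_sample` and `build_fat` are constructed test input with headers only, no real code. Presence of the load command is a structural check, not a validation of the signature; follow up suspicious hits with `codesign -dv --verbose=4`. One caveat worth knowing: on Apple silicon an unsigned x86-64 binary still runs under Rosetta, whereas native arm64 code must carry at least an ad-hoc signature to launch, which is one reason an x86-64-only, unsigned second stage is a reasonable thing to hunt for.

```python
"""Triage Mach-O files for the 'unsigned x86-64 executable' pattern (added example)."""
from __future__ import annotations
import struct
import sys
from dataclasses import dataclass

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE   # 64-bit thin Mach-O (little / big endian)
FAT_MAGIC = 0xCAFEBABE                             # universal (fat) container, always big-endian
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
MH_EXECUTE = 2
LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x19, 0x1D
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


@dataclass
class Slice:
    arch: str
    filetype: int
    has_code_signature: bool

    @property
    def suspicious(self) -> bool:
        # Pattern from the Hidden Risk second stage: an executable, x86-64, no signature blob.
        return (self.filetype == MH_EXECUTE and self.arch == "x86_64"
                and not self.has_code_signature)


def parse_thin(data: bytes) -> Slice:
    """Parse one 64-bit Mach-O image and report whether it carries a signature load command."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a 64-bit Mach-O image")
    cputype, _sub, filetype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(end + "7I", data, 4)
    off, signed = 32, False                          # mach_header_64 is 32 bytes
    if off + sizeofcmds > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > 32 + sizeofcmds:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return Slice(CPU_NAMES.get(cputype, hex(cputype)), filetype, signed)


def parse_macho(data: bytes) -> list[Slice]:
    """Handle thin images and universal binaries alike (one Slice per architecture)."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(data)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):                            # fat_arch entries are 20 bytes, big-endian
        _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        slices.append(parse_thin(data[offset:offset + size]))
    return slices


def build_sample(cputype: int, signed: bool) -> bytes:
    """Constructed minimal image for offline testing: one __TEXT segment, optional signature cmd."""
    cmds = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__TEXT",
                       0x100000000, 0x1000, 0, 0x1000, 5, 5, 0, 0)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 3, MH_EXECUTE, 2 if signed else 1, len(cmds), 0, 0)
    return header + cmds


def build_fat(images: list[tuple[int, bytes]]) -> bytes:
    """Wrap thin images in a universal header (constructed test input)."""
    table, blobs, off = b"", b"", 8 + 20 * len(images)
    for cputype, img in images:
        table += struct.pack(">5I", cputype, 3, off, len(img), 0)
        blobs += img
        off += len(img)
    return struct.pack(">II", FAT_MAGIC, len(images)) + table + blobs


def triage_file(path: str) -> list[Slice]:
    with open(path, "rb") as f:
        return parse_macho(f.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        for s in triage_file(p):
            tag = "UNSIGNED" if not s.has_code_signature else "has signature"
            print(p, s.arch, tag, "<-- suspicious" if s.suspicious else "")
```

Run it as `python3 macho_triage.py ~/Downloads/*.app/Contents/MacOS/*` (or over a quarantine or EDR export) and review the lines marked suspicious; an x86-64 executable with a signature blob still needs `codesign --verify` and a Team ID check against the revoked "2S8XHJ7948" identity before it is cleared.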

The backdoor also includes a novel persistence mechanism that abuses the zshenv configuration file, marking the first time this technique has been seen used in the wild by malware authors.

"This is of particular value for current versions of macOS, as Apple introduced user notifications for background Login Items in macOS 13 Ventura," the researchers said.

"Apple's notification is intended to alert users when a persistence method is installed, specifically LaunchAgents and LaunchDaemons, which are often abused. However, zshenv abuse does not trigger such a notification in current versions of macOS."
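The reason zshenv is attractive for persistence is that zsh sources it for every invocation, interactive or not, so any command placed there runs each time a shell starts, with no Login Item notification. Below is an added example (not SentinelOne's detection and not the backdoor's own payload) of a small audit that reads the zshenv files on a Mac and separates ordinary environment setup from lines that execute something. The paths checked (`/etc/zshenv`, `~/.zshenv`, `$ZDOTDIR/.zshenv`) are zsh's standard locations; the indicator regexes, the severity split and the sample file contents are my own constructed choices, and the "updater" line in the sample is a hypothetical persistence entry, not the real campaign's.

```python
"""Audit zsh startup files for command execution that would persist across shells (added example)."""
from __future__ import annotations
import os
import re
import sys
import time
from dataclasses import dataclass

# Standard zshenv locations; ZDOTDIR is only consulted when it is set.
ZSHENV_PATHS = ["/etc/zshenv", os.path.expanduser("~/.zshenv")]
if os.environ.get("ZDOTDIR"):
    ZSHENV_PATHS.append(os.path.join(os.environ["ZDOTDIR"], ".zshenv"))

# Lines that only set variables or shell options are what a benign zshenv usually contains.
BENIGN = re.compile(
    r"^((export|typeset|local|readonly)\s+)?[A-Za-z_][A-Za-z0-9_]*=|"
    r"^(alias|setopt|unsetopt|unset|umask|ulimit|typeset|fpath|path|manpath)\b"
)

# Constructed indicators for lines that launch, fetch, decode or background something.
INDICATORS = [
    (re.compile(r"\b(nohup|curl|wget|osascript|eval|base64|xattr|chmod|open)\b"),
     "launches, fetches or decodes something"),
    (re.compile(r"(?<![&>])&\s*(#.*)?$"), "backgrounds a process"),
    (re.compile(r"(/tmp/|/private/|/var/folders/|/Library/Application Support/|\.app/Contents/MacOS/)"),
     "references an unusual executable location"),
]


@dataclass
class Finding:
    path: str
    lineno: int
    line: str
    reason: str
    severity: str   # "high" for indicator hits, "review" for any other executed statement


def audit_zshenv(text: str, path: str = "<inline>") -> list[Finding]:
    """Return one Finding per non-benign line; indicator hits are checked before the benign filter
    so that 'export X=1; nohup ... &' on a single line cannot hide behind the export."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits = [why for rx, why in INDICATORS if rx.search(line)]
        if hits:
            findings.append(Finding(path, n, line, "; ".join(hits), "high"))
        elif BENIGN.match(line):
            continue
        else:
            findings.append(Finding(path, n, line, "runs a command on every zsh start", "review"))
    return findings


def audit_host(paths: list[str] = ZSHENV_PATHS) -> list[Finding]:
    """Audit the real files on this machine; missing files are simply skipped."""
    out: list[Finding] = []
    for p in paths:
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as f:
                out.extend(audit_zshenv(f.read(), p))
    return out


# Constructed sample contents for an offline run.
SAMPLE_BENIGN = 'export PATH="$HOME/bin:$PATH"\n# editor\nexport EDITOR=vim\n'
SAMPLE_BAD = (
    'export PATH="$HOME/bin:$PATH"\n'
    'nohup "$HOME/Library/Application Support/.updater" >/dev/null 2>&1 &\n'   # hypothetical
    'source "$HOME/.cargo/env"\n'
)

if __name__ == "__main__":
    findings = audit_host() if len(sys.argv) == 1 else audit_host(sys.argv[1:])
    for p in ZSHENV_PATHS if len(sys.argv) == 1 else sys.argv[1:]:
        if os.path.isfile(p):   # a recently modified zshenv is itself worth a look
            print(f"{p}: modified {time.ctime(os.path.getmtime(p))}")
    for f in findings:
        print(f"[{f.severity}] {f.path}:{f.lineno}: {f.line}  ({f.reason})")
```

The `review` tier will catch legitimate `source` lines (tool installers such as cargo or nvm add them), so expect to maintain a short allowlist; the `high` tier is the one to alert on. Because the file is sourced by non-interactive shells too, the flagged command has already run at least once by the time an analyst opens a terminal on the host, so collect it with a non-zsh tool or from a forensic image rather than by opening a zsh prompt.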

The threat actor has also been seen using domain registrar Namecheap to build an infrastructure centered around cryptocurrency, Web3 and investment-related topics to give it the appearance of legitimacy. Quickpacket, Routerhosting and Hostwinds are some of the most commonly used hosting providers.

It should be noted that the chain of attacks overlaps to some extent with a previous campaign that Kandji highlighted in August 2024, which also used a dropper app for macOS with the similar name “Bitcoin Decline Risk Factors Emerging (2024).app” to deploy TodoSwift.

It is not clear what prompted the threat actors to change their tactics, or whether it was in response to public reporting. "North Korean actors are known for their creativity, adaptability, and awareness of reporting on their activities, so it's possible that we're just seeing a variety of successful techniques emerging from their offensive cyber program," Stokes told The Hacker News.

Another disturbing aspect of the campaign is BlueNoroff's ability to acquire or hijack real Apple developer accounts and use them to notarize its macOS malware.

“Over the past 12 months or so, North Korean cyber actors have engaged in a number of campaigns against crypto-related industries, many of which have involved intensive ‘grooming’ of targets via social media,” the researchers said.

“Hidden Risk deviates from this strategy and uses a more traditional and crude, though not necessarily less effective, approach to email phishing. Despite the crudeness of the initial infection method, other hallmarks of previous North Korean-backed campaigns are evident.”


The development also comes amid other campaigns in which North Korean hackers seek jobs at various Western companies, and deliver malware to prospective job seekers using trojanized codebases and conferencing tools under the guise of job offers or assignments.

The two sets of intrusions, dubbed Wagemole (aka UNC5267) and Contagious Interview, have been attributed to a threat group tracked as Famous Chollima (aka CL-STA-0240 and Tenacious Pungsan).

ESET, which tracks Contagious Interview as DeceptiveDevelopment, classified it as a new Lazarus Group activity cluster targeting freelance developers around the world to steal cryptocurrency.

“Contagious Interview and Wagemole demonstrate the evolution of tactics by North Korean threat actors who continue to steal data, telecommute to Western countries, and evade financial sanctions,” Seonsu Park, Zscaler ThreatLabz researcher said earlier this week.

"With advanced obfuscation techniques, cross-platform compatibility, and widespread data theft, these campaigns pose a growing threat to businesses and individuals alike."
