Indo Guard Online
Global Security

North Korean hackers have targeted macOS with malware embedded in Flutter

By Admin | November 12, 2024 | 3 Mins Read


November 12, 2024Ravi LakshmananMalware / Application Security

macOS malware

Threat actors associated with the Democratic People’s Republic of Korea (DPRK, aka North Korea) were found to be embedding malware into Flutter apps, marking the first time an adversary has adopted this tactic to infect Apple macOS devices.

Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the apps created by Flutter are part of a broader operation that includes malware written in Golang and Python.

It is currently unknown how these samples are being distributed to victims, whether they have been used against any targets, or whether the attackers are switching to a new delivery method. What is known is that North Korean threat actors are engaged in extensive social engineering efforts targeting employees of cryptocurrency and decentralized finance (DeFi) companies.

“We suspect that these particular examples are test cases,” Jaron Bradley, director of Jamf Threat Labs, told The Hacker News. “Maybe they haven’t been distributed yet. It’s hard to say. But yes. The attacker’s social engineering techniques have worked very well in the past, and we suspect that they will continue to use these techniques.”

Jamf has not attributed the malicious activity to a specific hacking group linked to North Korea, but it is likely the work of a Lazarus subgroup known as BlueNoroff. This connection stems from infrastructure overlap with the macOS malware dubbed KANDYKORN and with the Hidden Risk campaign that SentinelOne recently attributed to the same subgroup.

What sets the new malware apart is its use of Flutter, a cross-platform application development framework, to embed a core payload written in Dart under the guise of a full-featured Minesweeper game. The app is called “New Updates in Crypto Exchange (2024-08-28)”.

Moreover, the game appears to be a clone of a basic Flutter game for iOS that is publicly available on GitHub. Notably, game-themed decoys have also been seen in the hands of another North Korean hacking group, tracked by Microsoft as Moonstone Sleet.

These applications were also signed and notarized using the Apple Developer IDs of BALTIMORE JEWISH COUNCIL, INC. (3AKYHFR584) and FAIRBANKS CURLING CLUB INC. (6W69GC943U), suggesting that the threat actors were able to get their samples through Apple's notarization process. The signatures have since been revoked by Apple, so Gatekeeper now blocks these specific builds; the more durable lesson is that a valid Developer ID signature and a notarization ticket are not, on their own, evidence that an app is benign.
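A practical hunting check that follows from the signing details above is to inventory which Team IDs signed the apps on a fleet and flag any that match known-abused certificates. The following Python is an added example, not code from the article or from Jamf: it parses the key=value report that `codesign -dvv` prints (on stderr) and flags the two Team IDs named in the article. The sample report embedded below is constructed for illustration; the executable path and bundle identifier in it are placeholders, not values from the real sample.

```python
import re
import subprocess
from typing import Optional

# Team IDs of the two revoked Developer ID certificates named in the article.
REVOKED_TEAM_IDS = {
    "3AKYHFR584": "BALTIMORE JEWISH COUNCIL, INC.",
    "6W69GC943U": "FAIRBANKS CURLING CLUB INC.",
}

# Constructed sample of `codesign -dvv` output for a bundle signed with the
# first certificate. Path and Identifier are placeholders (assumed, not from
# the real sample); the Authority/TeamIdentifier lines carry the signal.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.minesweeper
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: BALTIMORE JEWISH COUNCIL, INC. (3AKYHFR584)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=3AKYHFR584
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=40
Internal requirements count=1 size=200
"""


def parse_codesign(report: str) -> dict:
    """Extract the fields we care about from a `codesign -dvv` report.

    The report is key=value per line; Authority= repeats once per cert in
    the chain (leaf first). Lines without '=' are ignored.
    """
    info = {"authorities": []}
    for line in report.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["authorities"].append(value)
        elif key in ("Executable", "Identifier", "TeamIdentifier"):
            info[key] = value
    return info


def team_id_from_authority(authority: str) -> Optional[str]:
    """Developer ID leaf certs end with the 10-char Team ID in parentheses."""
    m = re.search(r"\(([A-Z0-9]{10})\)\s*$", authority)
    return m.group(1) if m else None


def assess(report: str) -> dict:
    """Decide whether a report shows a Developer ID signature and whether
    the signing Team ID is on the revoked list."""
    info = parse_codesign(report)
    team = info.get("TeamIdentifier")
    if team is None:  # older reports may lack the line; fall back to the leaf cert
        for authority in info["authorities"]:
            team = team_id_from_authority(authority)
            if team:
                break
    developer_id = any(a.startswith("Developer ID Application:") for a in info["authorities"])
    flagged = team in REVOKED_TEAM_IDS
    reason = f"signed by revoked Team ID {team} ({REVOKED_TEAM_IDS[team]})" if flagged else None
    return {
        "executable": info.get("Executable"),
        "team_id": team,
        "developer_id_signed": developer_id,
        "flagged": flagged,
        "reason": reason,
    }


def codesign_report(app_path: str) -> str:
    """On macOS, run the real tool; codesign writes its report to stderr."""
    proc = subprocess.run(["codesign", "-dvv", app_path],
                          capture_output=True, text=True, check=False)
    return proc.stderr


if __name__ == "__main__":
    print(assess(SAMPLE_CODESIGN_OUTPUT))
```

Run on a real machine by feeding `codesign_report("/Applications/Some.app")` into `assess()` for each bundle. The two-entry blocklist only finds these particular samples; the durable use of the script is the inventory itself, so that a Team ID nobody in the organisation recognises stands out. Note that `spctl --assess --type execute -v` is the separate check for whether Gatekeeper currently accepts the signature, which it will not once Apple has revoked the certificate.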

Once launched, the malware sends a network request to a remote server (“mbupdate.linkpc(.)net”) and is configured to execute AppleScript code received from that server. The script arrives written backwards, so the malware reverses the text before running it; the raw HTTP response therefore contains no readable AppleScript for a casual inspection to catch.

Jamf said it has also identified variants of the malware written in Go and Python, the latter built with py2app. The apps – called NewEra for Stablecoins and DeFi, CeFi (Protected).app and Runner.app – are equipped with similar capabilities to run any AppleScript payload received in the server’s HTTP response.
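Both the Flutter sample and the Go and Python variants share the same second stage: run whatever AppleScript the server returns, delivered written backwards. The following Python is an added example (not Jamf's code or the malware's) showing the un-reversing step and a small detection heuristic for proxy or EDR telemetry that scores a response body as AppleScript both as received and after reversal. The marker list, the scoring threshold and the sample script are assumptions constructed for the example; the page says only that the AppleScript is written backwards, so a plain character reversal is assumed.

```python
# Tokens common in AppleScript and rare in ordinary JSON/HTML response bodies.
APPLESCRIPT_MARKERS = (
    "tell application", "end tell", "do shell script", "display dialog",
    "with administrator privileges", "on run", "end run", "osascript",
)

# Constructed, harmless AppleScript standing in for the server's payload.
BENIGN_SCRIPT = 'tell application "Finder"\n\tdisplay dialog "hello"\nend tell\n'
# What the C2 response body would look like: the script written backwards.
C2_BODY = BENIGN_SCRIPT[::-1]
# A constructed benign response for comparison.
JSON_BODY = '{"status": "ok", "version": "1.2.3"}'


def reverse_payload(body: str) -> str:
    """The malware's decoding step as described: reverse the text.

    Works on str so multi-byte characters stay intact; reversing raw UTF-8
    bytes would corrupt any non-ASCII script.
    """
    return body[::-1]


def applescript_score(text: str) -> int:
    """Count distinct AppleScript markers present in the text."""
    lowered = text.lower()
    return sum(1 for marker in APPLESCRIPT_MARKERS if marker in lowered)


def classify_response(body: str, threshold: int = 2) -> dict:
    """Score the body as received and after reversal.

    A body that only looks like AppleScript once reversed is the pattern
    this family uses; a body that scores in the forward direction is plain
    scripted content worth a look on its own.
    """
    forward = applescript_score(body)
    backward = applescript_score(reverse_payload(body))
    if backward >= threshold and backward > forward:
        verdict = "reversed-applescript"
    elif forward >= threshold:
        verdict = "plain-applescript"
    else:
        verdict = "benign-or-unknown"
    return {"verdict": verdict, "forward_score": forward, "reversed_score": backward}


if __name__ == "__main__":
    for body in (C2_BODY, BENIGN_SCRIPT, JSON_BODY):
        print(classify_response(body))
```

Feed the function the decoded body of each response from the host to the C2 domain named above (or, more generally, from any newly installed app to a dynamic-DNS host); a keyword heuristic is cheap, so the threshold of two distinct markers is there to keep single incidental matches such as a page that mentions "osascript" from firing. Executing the decoded script is deliberately left out; an analyst wanting to see what it does should run it only in an isolated macOS VM.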

The findings are a further sign that North Korean threat actors are actively developing malware in multiple programming languages to infiltrate cryptocurrency companies.

“The malware discovered from this actor in recent years comes in many variants with frequently updated iterations,” Bradley said. “We suspect this is due to efforts to remain undetected and to support malware that looks different with each release. In the case of Dart, we suspect this is because the attackers have found that Flutter applications create a lot of obscurity due to their post-compile architecture.”
