North Korean cybercriminals are targeting crypto companies with new malware strains that compromise Apple devices in multi-stage attacks.
Researchers at cybersecurity firm Sentinel Labs have issued warnings about campaigns that use social engineering and advanced persistence techniques to compromise macOS systems.
The malware, called “NimDoor,” is written in the lesser-known Nim programming language and can evade traditional antivirus tools.
According to Sentinel Labs, the attackers make first contact on messaging platforms such as Telegram while impersonating trusted individuals. The victims, believed to be employees of blockchain or Web3 companies, are lured into fake Zoom meetings via phishing links and instructed to install what appears to be a routine Zoom SDK update.
Once executed, the update script installs multiple stages of the malware on the victim’s Mac. These include AppleScript-based beacons, Bash scripts for credential theft, and binaries compiled from Nim and C++ for persistence and remote command execution.
A binary is a standalone program file that performs specific tasks within the malware chain. One binary, called CoreKitAgent, uses a signal-based persistence mechanism that triggers when a user tries to terminate the malware, allowing it to remain active even after a system restart.
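Persistence of the kind described above has to survive a reboot, and on macOS that usually means a launchd entry. The following triage script is an added example written for this article; it is not code from the article, from Sentinel Labs, or from the malware. It scans the directories launchd reads on boot and login and flags entries whose program or arguments point at temporary, shared or hidden locations, that run a script interpreter instead of an application, or whose label borrows a vendor name (Zoom, Apple, Google) while running from outside vendor-controlled paths. The heuristics and the two sample plists in `demo()` are assumptions constructed for the example, not published indicators.

```python
"""Triage launchd persistence entries on macOS (added example, not from the article)."""
import plistlib
import tempfile
from pathlib import Path

# Locations a legitimate vendor agent rarely executes from (assumption, tune per fleet).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
# Vendor-controlled roots; a label claiming a vendor should run from one of these (assumption).
VENDOR_ROOTS = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")
# Interpreters that stagers commonly use instead of a compiled application.
INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python3", "perl"}


def default_launch_dirs() -> list:
    """Directories launchd consults for user- and system-level persistence."""
    return [
        Path.home() / "Library" / "LaunchAgents",
        Path("/Library/LaunchAgents"),
        Path("/Library/LaunchDaemons"),
    ]


def assess(plist: dict) -> list:
    """Return the reasons a single launchd plist looks suspicious (empty if none)."""
    reasons = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in (plist.get("ProgramArguments") or [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    if not program:
        return ["no Program or ProgramArguments"]

    # Check the executable and every argument: stagers often pass a script path as an argument.
    for item in dict.fromkeys([program] + args):
        if item.startswith(SUSPICIOUS_PREFIXES):
            reasons.append(f"path in temp/shared dir: {item}")
        elif "/." in item:
            reasons.append(f"path in hidden directory: {item}")

    if Path(program).name in INTERPRETERS:
        reasons.append(f"interpreter launched as agent: {program}")

    for vendor in ("zoom", "apple", "google"):
        if vendor in label.lower() and not program.startswith(VENDOR_ROOTS):
            reasons.append(f"label mimics {vendor} but runs {program}")
    return reasons


def scan_directory(directory: Path) -> dict:
    """Parse every .plist in a launchd directory and collect findings by file name."""
    findings = {}
    if not directory.is_dir():
        return findings
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # an unparseable plist deserves a manual look
            findings[plist_path.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess(data)
        if reasons:
            findings[plist_path.name] = reasons
    return findings


def demo() -> dict:
    """Write two constructed sample agents to a temp dir and scan them (runs offline)."""
    samples = {
        # Benign-looking entry: vendor label, program under a vendor root (constructed path).
        "com.apple.example.plist": {
            "Label": "com.apple.example",
            "Program": "/System/Library/CoreServices/ExampleAgent",
        },
        # Entry resembling a fake "SDK update" stager (constructed, hypothetical paths).
        "com.zoom.sdkupdate.plist": {
            "Label": "com.zoom.sdkupdate",
            "ProgramArguments": ["/bin/bash", "/Users/alice/.zoom/update.sh"],
            "RunAtLoad": True,
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(Path(tmp) / name, "wb") as fh:
                plistlib.dump(body, fh)
        return scan_directory(Path(tmp))


if __name__ == "__main__":
    for directory in default_launch_dirs():
        for name, reasons in scan_directory(directory).items():
            print(f"{directory / name}: " + "; ".join(reasons))
```

Run it as-is to triage the current machine, or call `demo()` to see the output on the constructed samples: the Apple-labelled entry produces no finding, while the fake Zoom entry is flagged three times (hidden directory, interpreter as agent, vendor label outside vendor roots). The script only reports; deciding what to remove remains a human call.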
Cryptocurrency is the operation’s main target. The malware specifically seeks credentials and application data related to digital wallets that are stored in browsers.
The malware runs scripts designed to extract data from popular browsers such as Chrome, Brave, Edge, and Firefox, as well as from Apple’s Keychain password manager. Another component targets Telegram’s encrypted databases and key files, potentially exposing wallet seed phrases and private keys exchanged over the messaging app.
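The credential stores named above (browser login databases, the login keychain, Telegram’s tdata directory) are normally opened only by their own application, which makes a read by any other process a useful detection signal. The script below is an added example written for this article, not code from the article or from Sentinel Labs. Its event format (timestamp, process name, path, tab-separated) and the sample lines in `SAMPLE_EVENTS` are constructed; a real file-access feed from an endpoint agent will differ and needs its own parser. The store paths are typical macOS defaults, stated as assumptions, and the allowlist of expected readers must be tuned per fleet.

```python
"""Flag unexpected processes reading wallet-relevant credential stores (added example)."""
import re
from typing import Iterable, List, Optional

# Credential stores the article says the campaign harvests (default paths, assumption).
SENSITIVE_STORES = {
    "chrome_logins": re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/Login Data$"),
    "brave_logins": re.compile(r"/Library/Application Support/BraveSoftware/Brave-Browser/[^/]+/Login Data$"),
    "edge_logins": re.compile(r"/Library/Application Support/Microsoft Edge/[^/]+/Login Data$"),
    "firefox_logins": re.compile(r"/Library/Application Support/Firefox/Profiles/[^/]+/logins\.json$"),
    "login_keychain": re.compile(r"/Library/Keychains/login\.keychain-db$"),
    "telegram_tdata": re.compile(r"/Library/Application Support/Telegram Desktop/tdata/"),
}

# Processes expected to open each store directly (allowlist; assumption, tune per fleet).
EXPECTED_READERS = {
    "chrome_logins": {"Google Chrome"},
    "brave_logins": {"Brave Browser"},
    "edge_logins": {"Microsoft Edge"},
    "firefox_logins": {"firefox"},
    "login_keychain": {"securityd"},
    "telegram_tdata": {"Telegram"},
}


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed event line of the form '<iso-ts>\\t<process>\\t<path>'."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None  # malformed line: skip rather than guess
    ts, process, path = parts
    return {"ts": ts, "process": process, "path": path}


def classify_path(path: str) -> Optional[str]:
    """Name the sensitive store a path belongs to, or None if it is not one."""
    for store, pattern in SENSITIVE_STORES.items():
        if pattern.search(path):
            return store
    return None


def detect(lines: Iterable[str]) -> List[dict]:
    """Return an alert for every read of a sensitive store by a non-allowlisted process."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        store = classify_path(event["path"])
        if store is None:
            continue
        if event["process"] not in EXPECTED_READERS[store]:
            alerts.append({**event, "store": store})
    return alerts


# Constructed sample feed: benign reads by the owning apps, then reads matching the
# behaviour described in the article (interpreters and a fake "update" touching the stores).
SAMPLE_EVENTS = [
    "2025-07-02T10:15:01Z\tGoogle Chrome\t/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data",
    "2025-07-02T10:15:07Z\tTelegram\t/Users/alice/Library/Application Support/Telegram Desktop/tdata/key_datas",
    "2025-07-02T10:16:30Z\tbash\t/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data",
    "2025-07-02T10:16:31Z\tzoom_sdk_update\t/Users/alice/Library/Application Support/Telegram Desktop/tdata/key_datas",
    "2025-07-02T10:16:32Z\tosascript\t/Users/alice/Library/Keychains/login.keychain-db",
    "2025-07-02T10:17:00Z\tmdworker\t/Users/alice/Documents/notes.txt",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['process']} read {alert['store']}: {alert['path']}")
```

On the constructed feed the two reads by the owning applications and the unrelated document read pass silently, and the three reads by `bash`, `zoom_sdk_update` and `osascript` are raised. An allowlist keyed on process name is deliberately simple; in production, pair it with code-signing identity so a renamed binary cannot borrow a browser’s name.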
North Korea’s hacking operations
Sentinel Labs attributes the campaign to threat actors aligned with North Korea, continuing the pattern of crypto-focused cyberattacks by the Democratic People’s Republic of Korea.
Hacking groups such as Lazarus have long targeted digital asset companies as part of state operations to evade international sanctions. Previous operations have used malware written in Go and Rust, but this campaign is one of the first major deployments of Nim against macOS targets.
As previously reported by crypto.news, in late 2023 researchers observed another DPRK-linked campaign that deployed Python-based malware known as KandyKorn. It was distributed via Discord servers, disguised as a crypto arbitrage bot, and primarily targeted blockchain engineers using macOS.
Sentinel Labs warns that traditional security assumptions about macOS are no longer valid as threat actors increasingly adopt obscure programming languages and sophisticated techniques.
Over the past few months, several malware strains have targeted Apple users, including SparkKitty, which stole seed phrases from iOS photo galleries, and a Trojan that replaced a macOS wallet app with a malicious version.