Cyber operatives associated with North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), have been linked to a new wave of malicious activity targeting macOS systems through a previously unseen tactic: embedding malware within Flutter applications. This marks a notable shift in strategy, as it’s the first documented instance of such an approach aimed at Apple’s operating system.
According to an investigation led by Jamf Threat Labs, the discovery emerged after malicious samples were uploaded to VirusTotal. The campaign, which also includes variants written in Go and Python, represents an expanding set of techniques used by DPRK threat actors.
The exact method by which these samples reach their targets remains obscure, leaving uncertainty over whether they’ve already infiltrated intended victims or if the distribution method is in a testing phase. Historically, North Korean-linked hacking groups have used sophisticated social engineering tactics to lure individuals in cryptocurrency and decentralized finance sectors, raising suspicions that similar ploys are at play here.
“We believe these particular samples are likely experimental,” remarked Jaron Bradley, director at Jamf Threat Labs, in a conversation with The Hacker News. “They might not yet be in wide circulation. Nonetheless, the adversary’s social engineering tactics have proven effective in the past, and it’s reasonable to anticipate they’ll continue to rely on those.”
While Jamf hasn't attributed this specific campaign to a particular North Korean hacking faction, it indicated a probable link to the Lazarus Group offshoot known as BlueNoroff. This inference rests on network infrastructure shared with the campaigns that delivered the KANDYKORN malware and with the recently exposed "Hidden Risk" operation documented by SentinelOne.
What sets this new malware apart is its use of Flutter—a cross-platform development toolkit—for concealing the primary malicious payload, written in Dart. Masquerading as a legitimate game, dubbed “New Updates in Crypto Exchange (2024-08-28),” the application poses as a functional Minesweeper clone. Notably, the game bears a striking resemblance to a simple Flutter game available on GitHub, underscoring the attackers’ use of easily accessible code to enhance deception.
Intriguingly, these malicious applications were signed with valid Apple Developer ID certificates registered to entities named BALTIMORE JEWISH COUNCIL, INC. (3AKYHFR584) and FAIRBANKS CURLING CLUB INC. (6W69GC943U). This indicates that the apps passed Apple's notarization checks at the time they were submitted; Apple has since revoked the certificates. Revocation means Gatekeeper will now refuse to launch these binaries on hosts that can reach Apple's revocation services, but it offers no retroactive protection to a host that already ran them.
Upon execution, the malware initiates a network request to a command-and-control server ("mbupdate.linkpc[.]net") and is designed to process and execute AppleScript commands sent back by the server. The only added layer of obfuscation is that the script text arrives reversed, so the binary restores the original character order before executing it. This is enough to defeat naive string matching on the wire, but it is trivially undone by an analyst or a detection rule that tries the reversed orientation as well.
Jamf's analysis also unearthed additional malware strains in Go and Python, the latter packaged with py2app. These applications, named "NewEra for Stablecoins and DeFi," "CeFi (Protected).app," and "Runner.app," display analogous functionality, receiving executable AppleScript commands embedded in the HTTP response from the control server.
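To make the reversal trick concrete, here is an added triage helper (written for this page; it is not Jamf's code and not code from the malware) that takes a C2 response body and checks whether it carries AppleScript either plainly, as the Go and Python variants receive it, or with its character order reversed, as the Flutter variant receives it. The sample bodies, the marker list and the function names are constructed for illustration; the real payloads are not reproduced here.

```python
"""Added example: spot AppleScript in C2 responses, plain or reversed.

Assumption (from the write-up): the Flutter sample's obfuscation is a
whole-body reversal of the script text. Everything below is constructed
for illustration; no real payload or capture is included.
"""

import re
from typing import Optional

# AppleScript constructs that rarely occur in benign HTTP bodies.
APPLESCRIPT_MARKERS = (
    r"\btell application\b",
    r"\bend tell\b",
    r"\bdo shell script\b",
    r"\bdisplay dialog\b",
    r"\bset \w+ to\b",
    r"\bon run\b",
    r"\bend run\b",
)


def applescript_score(text: str) -> int:
    """Count how many distinct AppleScript markers appear in text."""
    return sum(1 for pat in APPLESCRIPT_MARKERS if re.search(pat, text))


def deobfuscate(body: str) -> str:
    """Undo the character-order reversal applied to server-sent script text."""
    return body[::-1]


def analyze_c2_response(body: str, threshold: int = 2) -> Optional[dict]:
    """Return a verdict if body looks like AppleScript in either orientation.

    threshold is the minimum number of distinct markers before the body is
    called a script; two avoids flagging a lone "set x to" in ordinary prose.
    Returns None when neither orientation reaches the threshold.
    """
    candidates = {"plain": body, "reversed": deobfuscate(body)}
    best = None
    for orientation, text in candidates.items():
        score = applescript_score(text)
        if score >= threshold and (best is None or score > best["score"]):
            best = {"orientation": orientation, "score": score, "script": text}
    return best


# Constructed samples (hypothetical, not the actors' payloads).
CONSTRUCTED_SCRIPT = (
    'tell application "Finder"\n'
    '    set msg to "update available"\n'
    '    display dialog msg\n'
    'end tell\n'
)
REVERSED_BODY = CONSTRUCTED_SCRIPT[::-1]   # what the Flutter variant would receive
PLAIN_BODY = CONSTRUCTED_SCRIPT            # what the Go/Python variants would receive
BENIGN_BODY = '{"status": "ok", "version": "2024-08-28"}'

if __name__ == "__main__":
    for name, body in (("reversed", REVERSED_BODY),
                       ("plain", PLAIN_BODY),
                       ("benign", BENIGN_BODY)):
        verdict = analyze_c2_response(body)
        print(name, "->", verdict["orientation"] if verdict else "no AppleScript")
```

The same two-orientation check can be dropped into a proxy or EDR rule that inspects responses from suspicious hosts; a hit in the "reversed" orientation is itself a strong signal, since legitimate services do not ship reversed scripts.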
This latest revelation underscores a broader trend: DPRK-aligned actors are diversifying their malware arsenal across multiple programming languages, aiming to breach the security of cryptocurrency firms and evade detection.
“Over the years, this threat actor has produced numerous malware variants, each iterated upon to minimize detection risks and keep their tools looking unique,” Bradley stated. “In leveraging Dart through Flutter, we surmise they’ve recognized the obscurity inherent in Flutter’s compiled app architecture as advantageous for hiding malicious components.”