    North Korean Hackers Deploy Sophisticated “Hidden Risk” Malware Targeting Crypto Firms on macOS

    A cyber faction associated with North Korea, believed to be a division of the Democratic People’s Republic of Korea (DPRK), has embarked on an advanced campaign to infiltrate macOS-based cryptocurrency firms with a multi-layered malware framework.

    Security firm SentinelOne tracks this operation as Hidden Risk and attributes it with high confidence to the BlueNoroff group, a subgroup previously linked to malware strains such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (also known as Thiefbucket), and TodoSwift.

    SentinelOne’s researchers, Raffaele Sabato, Phil Stokes, and Tom Hegel, noted that Hidden Risk employs phishing emails masquerading as news about cryptocurrency trends, enticing targets to download malware disguised as a PDF file.

    “The campaign likely initiated as early as July 2024, using crypto-related headlines as lures in its email phishing endeavors,” the researchers disclosed in a report shared with The Hacker News.

    The U.S. Federal Bureau of Investigation (FBI) further exposed these incursions in a September 2024 bulletin, describing them as “exceedingly tailored, subtle social engineering” maneuvers crafted for employees within the decentralized finance (DeFi) and cryptocurrency industries.

    Commonly, these attacks manifest as offers of fictional employment opportunities or corporate investments, gradually cultivating trust with victims over time before executing the malware payload.

    In October 2024, SentinelOne documented an email targeting a cryptocurrency industry recipient, containing a dropper application camouflaged as a PDF (“Hidden Risk Behind New Surge of Bitcoin Price.app”), hosted on delphidigital[.]org. This application, developed in Swift, was originally signed and notarized with the Apple developer ID “Avantis Regtech Private Limited (2S8XHJ7948)” on October 19, 2024. Apple has since revoked this signature.

    Upon activation, the malicious app displays a decoy PDF obtained from Google Drive while silently downloading a secondary executable from an external server. This secondary payload, an unsigned Mach-O x86-64 binary coded in C++, serves as a backdoor for remote command execution.

    Adding to the concern, the backdoor persists by modifying the zshenv configuration file, which zsh sources on every invocation; SentinelOne describes this as the first documented abuse of the technique by malware on macOS.

    “This technique has particular utility on modern macOS iterations, as Apple now issues alerts when certain background processes or login items are configured. By targeting zshenv, the malware circumvents this alert system,” explained the researchers.
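Because zsh reads /etc/zshenv and ~/.zshenv on every shell start, a defender's first check after a report like this is simply to look at what those files contain. The script below is an added example, not code from SentinelOne or the report: it lists the files zsh sources, flags lines that launch or download something rather than set variables, and runs that check against a constructed sample file. The regular expression and the sample content are this example's own assumptions; they are not indicators published for Hidden Risk.

```shell
#!/bin/sh
# Added example (not from the SentinelOne report): audit zsh startup files for
# persistence entries of the kind described above. The heuristic patterns and
# the sample file below are constructed for illustration, not published IoCs.

# Files zsh sources on every invocation, interactive or not, in this order.
# $ZDOTDIR overrides $HOME for the per-user file.
zshenv_candidates() {
    printf '%s\n' "/etc/zshenv" "${ZDOTDIR:-$HOME}/.zshenv"
}

# A normal .zshenv holds exports and aliases. Lines that run an interpreter or
# downloader, background a process with a trailing "&", or reference an
# executable under a hidden directory deserve a second look.
SUSPECT_RE='(^|[[:space:];&|(])(nohup|curl|wget|osascript|open|python3?|bash|sh|zsh)([[:space:]]|$)|[[:space:]]&[[:space:]]*$|/\.[A-Za-z0-9_.-]+/[^[:space:]]+'

# Print suspect lines (with line numbers) from one file. Exit status follows
# grep: 0 when something matched, 1 when nothing did or the file is unreadable.
scan_zshenv() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -nE "$SUSPECT_RE" "$file"
}

# Count suspect lines in one file; prints 0 for a clean or missing file.
count_suspect_lines() {
    file="$1"
    if [ -r "$file" ]; then
        grep -cE "$SUSPECT_RE" "$file" || true
    else
        echo 0
    fi
}

# Walk the real candidate files on this host and report on each readable one.
audit_zshenv_files() {
    zshenv_candidates | while IFS= read -r f; do
        if [ -r "$f" ]; then
            echo "== $f"
            scan_zshenv "$f" || echo "(no suspect entries)"
        fi
    done
}

# Constructed sample (fictional path, not an indicator from the report) so the
# scan can be demonstrated without depending on the live files listed above.
SAMPLE_DIR=$(mktemp -d)
SAMPLE="$SAMPLE_DIR/zshenv.sample"
cat > "$SAMPLE" <<'EOF'
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
nohup "$HOME/.config/.update/agent" >/dev/null 2>&1 &
EOF
CLEAN="$SAMPLE_DIR/zshenv.clean"
printf 'export PATH="$HOME/bin:$PATH"\n' > "$CLEAN"

# Only the third line of the sample should be reported.
if scan_zshenv "$SAMPLE"; then
    echo "suspect entries found in $SAMPLE"
fi
```

Run `audit_zshenv_files` on a host to review the real files. Treat the output as a triage list rather than a verdict: benign tooling also writes to ~/.zshenv (rustup, for instance, adds a line sourcing `$HOME/.cargo/env`, which the hidden-directory pattern will flag), so an analyst still has to read each hit. The check is cheap to run from endpoint management and complements, rather than replaces, Apple's own login-item notifications that the researchers note this technique sidesteps.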

    To further establish legitimacy, BlueNoroff reportedly utilized the domain registrar Namecheap to establish web infrastructure adorned with cryptocurrency, Web3, and investment themes. Hosting services like Quickpacket, Routerhosting, and Hostwinds were also deployed extensively.

    This campaign exhibits a degree of overlap with a previously noted assault, cataloged by Kandji in August 2024, which utilized a similar macOS dropper titled “Risk factors for Bitcoin’s price decline are emerging(2024).app” to propagate TodoSwift.

    What has precipitated these new tactics remains uncertain, though North Korean operatives have a history of adapting their techniques in response to exposure. “These actors are notorious for their ingenuity, adaptability, and attentiveness to reports detailing their activities, so it’s quite conceivable we’re witnessing another inventive stratagem from their offensive cyber initiatives,” Stokes remarked to The Hacker News.

    A disquieting facet of the Hidden Risk operation is BlueNoroff’s capacity to obtain or compromise authentic Apple developer accounts, enabling malware notarization by Apple—a significant foothold that enhances their evasion techniques.

    In recent months, North Korean cyber actors have increasingly focused on targeting the cryptocurrency sector, often utilizing prolonged social media interactions to groom victims. However, the Hidden Risk campaign departs from these subtle maneuvers, opting instead for a more straightforward phishing approach while retaining hallmarks typical of DPRK-supported operations.

    These developments coincide with broader DPRK-led cyber campaigns to infiltrate Western firms, occasionally masking malware as part of legitimate job recruitment tasks or freelance assignments. Notably, two intrusion campaigns, codenamed Wagemole (also known as UNC5267) and Contagious Interview, have been linked to a larger threat entity referred to as Famous Chollima (alternatively CL-STA-0240 or Tenacious Pungsan).

    Security firm ESET, which has labeled Contagious Interview as DeceptiveDevelopment, categorizes it as an emergent cluster within the Lazarus Group, concentrated on targeting freelancers worldwide in pursuit of cryptocurrency theft.

    “These campaigns illustrate North Korean cyber actors’ evolution in refining obfuscation, extending platform compatibility, and orchestrating widespread data heists. Their strategies pose a growing menace to companies and individuals alike,” observed Zscaler ThreatLabz researcher Seongsu Park earlier this week.
