A threat actor with ties to the Democratic People’s Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices.
Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift.
The activity “uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file,” researchers Raffaele Sabato, Phil Stokes, and Tom Hegel said in a report shared with The Hacker News.
“The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics.”
As revealed by the U.S. Federal Bureau of Investigation (FBI) in a September 2024 advisory, these campaigns are part of “highly tailored, difficult-to-detect social engineering” attacks aimed at employees working in the decentralized finance (DeFi) and cryptocurrency sectors.
The attacks take the form of bogus job opportunities or corporate investment, engaging with their targets for extended periods of time to build trust before delivering malware.
SentinelOne said it observed an email phishing attempt on a crypto-related industry in late October 2024 that delivered a dropper application mimicking a PDF file (“Hidden Risk Behind New Surge of Bitcoin Price.app”) hosted on delphidigital[.]org.
The application, written in the Swift programming language, has been found to be signed and notarized on October 19, 2024, with the Apple developer ID “Avantis Regtech Private Limited (2S8XHJ7948).” The signature has since been revoked by the iPhone maker.
Upon launch, the application downloads and displays to the victim a decoy PDF file retrieved from Google Drive, while covertly retrieving a second-stage executable from a remote server and executing it. A Mach-O x86-64 executable, the C++-based unsigned binary acts as a backdoor to execute remote commands.
The backdoor also incorporates a novel persistence mechanism that abuses the zshenv configuration file, marking the first time the technique has been abused in the wild by malware authors.
“It has particular value on modern versions of macOS since Apple introduced user notifications for background Login Items as of macOS 13 Ventura,” the researchers said.
“Apple’s notification aims to warn users when a persistence method is installed, particularly oft-abused LaunchAgents and LaunchDaemons. Abusing Zshenv, however, does not trigger such a notification in current versions of macOS.”
The threat actor has also been observed using domain registrar Namecheap to establish an infrastructure that’s centered around themes related to cryptocurrency, Web3, and investments to give it a veneer of legitimacy. Quickpacket, Routerhosting, and Hostwinds are among the most commonly used hosting providers.
It’s worth noting that the attack chain shares some level of overlap with a previous campaign that Kandji highlighted in August 2024, which also employed a similarly named macOS dropper app “Risk factors for Bitcoin’s price decline are emerging(2024).app” to deploy TodoSwift.
It’s not clear what prompted the threat actors to shift their tactics, and if it’s in response to public reporting. “North Korean actors are known for their creativity, adaptability, and awareness of reports on their activities, so it’s entirely possible that we’re simply seeing different successful methods emerge from their offensive cyber program,” Stokes told The Hacker News.
Another concerning aspect of the campaign is BlueNoroff’s ability to acquire or hijack valid Apple developer accounts and use them to have their malware notarized by Apple.
“Over the last 12 months or so, North Korean cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive ‘grooming’ of targets via social media,” the researchers said.
“The Hidden Risk campaign diverts from this strategy taking a more traditional and cruder, though not necessarily any less effective, email phishing approach. Despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident.”
The development also comes amid other campaigns orchestrated by North Korean hackers to seek employment at various companies in the West and deliver malware using booby-trapped codebases and conferencing tools to prospective job seekers under the guise of a hiring challenge or an assignment.
The two intrusion sets, dubbed Wagemole (aka UNC5267) and Contagious Interview, have been attributed to a threat group tracked as Famous Chollima (aka CL-STA-0240 and Tenacious Pungsan).
ESET, which has given Contagious Interview the moniker DeceptiveDevelopment, has classified it as a new Lazarus Group activity cluster that’s focused on targeting freelance developers around the world with the aim of cryptocurrency theft.
“The Contagious Interview and Wagemole campaigns showcase the evolving tactics of North Korean threat actors as they continue to steal data, land remote jobs in Western countries, and bypass financial sanctions,” Zscaler ThreatLabz researcher Seongsu Park said earlier this week.
“With refined obfuscation techniques, multi-platform compatibility, and widespread data theft, these campaigns represent a growing threat to businesses and individuals alike.”
