
New macOS malware targets crypto and Web3 startups with fake Zoom update


North Korean hackers are behind a new and unusually sophisticated macOS malware campaign that targets the crypto industry using fake Zoom invites. Here’s how it works.

Dubbed “NimDoor” by researchers at SentinelLabs, the attack is more sophisticated than the typical macOS threat: it chains together AppleScript, Bash, C++, and Nim components to exfiltrate data and maintain access on compromised systems.

Here’s SentinelLabs’ executive summary of the hack:

DPRK threat actors are utilizing Nim-compiled binaries and multiple attack chains in a campaign targeting Web3 and Crypto-related businesses.

Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol.

A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted.

The threat actors deploy AppleScripts widely, both to gain initial access and also later in the attack chain to function as lightweight beacons and backdoors.

Bash scripts are used to exfiltrate Keychain credentials, browser data and Telegram user data.

SentinelLABS’ analysis highlights novel TTPs and malware artifacts that tie together previously reported components, extending our understanding of the threat actors’ evolving playbook.

How it actually works, in a nutshell

... continue reading