North Korean hackers are attacking the crypto industry with novel multi-stage malware, SentinelLabs warns. Attackers are using signed and notarized code to bypass macOS defenses.
SentinelLabs discovered a new phishing campaign that has been active since October 2024. It builds upon previous iterations.
In early September, the FBI warned that North Korea (DPRK) was conducting “highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance (DeFi), cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency.”
The current attack relies on a dropper application and payload resembling previous attacks. SentinelLabs dubbed the campaign ‘Hidden Risk’ as attackers use a novel persistence mechanism.
“We believe the campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics,” the researchers said in a report shared with Cybernews before the public release.
They attribute the attacks to BlueNoroff, a financially motivated North Korean threat actor with links to the infamous Lazarus, known for targeting the financial sector.
Initially, attackers attempt to gain access via phishing emails. They lure users into clicking a malicious link, which leads to a PDF document relating to crypto topics, such as “Hidden Risk Behind New Surge of Bitcoin Price,” “Altcoin Season 2.0-The Hidden Gems to Watch,” and “New Era for Stablecoins and DeFi, CeFi.”
To appear trustworthy, hackers craft phishing emails to look like they were forwarded by well-known crypto influencers. They also use hijacked names of real people from unrelated industries as the original senders.
Upon clicking the link, victims download a malicious application disguised as a PDF. The analyzed malware was called the ‘Hidden Risk Behind New Surge of Bitcoin Price.app.’
Hackers made this app appear legitimate as the bundle was signed and notarized on 19th October 2024 with the Apple Developer ID “Avantis Regtech Private Limited (2S8XHJ7948).” This signature has since been revoked by Apple.
SentinelLabs noted that the ability to acquire or hijack valid Apple 'identified developer' accounts is relatively consistent throughout many North Korean hackers' campaigns. That allows them to bypass macOS Gatekeeper and other built-in Apple security technologies.
How does the malware work?
This application then downloads both the decoy PDF and an additional malicious payload. Unlike the previous phishing campaigns, the lure was very crude and unsophisticated. It did not engage recipients with any contextually relevant content. The PDF contained an academic research paper.
The malicious part downloads and executes a second stage that runs on Intel Macs, or on M-series devices via Rosetta emulation.
The malware, named ‘growth,’ was not code-signed at all, its size was around 5.1MB, and it contained many functions for maintaining persistence, gathering information from the host, and remote command execution. It enables attackers to send and execute ‘any commands.’
What is unique about the malware is its persistence mechanism, which abuses the Zshenv configuration file.
“Zshenv is one of several optional configuration files used by the Zsh shell (default command-line shell on macOS). At the user level, it sits as a hidden file in the Home directory, ~/.zshenv,” the report details.
“Infecting the host with a malicious Zshenv file allows for a more powerful form of persistence. While this technique is not unknown, it is the first time we have observed it used in the wild by malware authors.”
Abusing Zshenv doesn’t trigger a notification for background Login Items in current macOS versions, making the compromise less noticeable.
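As an added defensive illustration (not code from the SentinelLabs report or from Cybernews), the following POSIX shell script audits the Zsh startup files that the shell reads on every invocation, which is the hook the persistence mechanism above abuses. The heuristic patterns, the `audit_zshenv` function name and the sample files are constructed for this example.

```shell
#!/bin/sh
# Audit Zsh startup files for planted loader commands. A legitimate zshenv
# normally only sets environment variables, so download, backgrounding,
# decoding or hidden-path execution commands are worth a closer look.
# The pattern list below is a constructed heuristic, not a published IoC.
SUSPICIOUS_RE='(curl|wget)[[:space:]]|nohup[[:space:]]|base64[[:space:]]+(-d|--decode)|osascript|/tmp/|/private/var/|\.app/Contents/MacOS|&[[:space:]]*$|eval[[:space:]]|xattr[[:space:]]+-d'

# audit_zshenv FILE
# Prints each matching line (with its line number) and returns:
#   0 = nothing suspicious, 1 = at least one hit, 2 = file does not exist.
# Comment-only lines are ignored so that documentation does not trigger hits.
audit_zshenv() {
    file="$1"
    [ -f "$file" ] || return 2
    hits=$(grep -nE "$SUSPICIOUS_RE" "$file" \
           | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf 'SUSPICIOUS %s\n%s\n' "$file" "$hits"
        return 1
    fi
    return 0
}

# audit_all_zshenv
# Checks the system-wide zshenv and the per-user one (honouring ZDOTDIR).
# Returns 1 if any file was flagged, 0 otherwise; missing files are skipped.
audit_all_zshenv() {
    rc=0
    for f in /etc/zshenv "${ZDOTDIR:-$HOME}/.zshenv"; do
        audit_zshenv "$f" && r=0 || r=$?
        [ "$r" -eq 1 ] && rc=1
    done
    return $rc
}

# Constructed demo: a normal zshenv next to one carrying a planted loader.
demo_dir=$(mktemp -d)
printf 'export PATH="$HOME/bin:$PATH"\nexport EDITOR=vim\n' > "$demo_dir/benign.zshenv"
printf 'export PATH="$HOME/bin:$PATH"\n# updater\nnohup "$HOME/.config/.cache/.x" >/dev/null 2>&1 &\n' \
    > "$demo_dir/planted.zshenv"
audit_zshenv "$demo_dir/benign.zshenv" && echo "benign.zshenv: clean"
audit_zshenv "$demo_dir/planted.zshenv" || echo "planted.zshenv: flagged"
rm -rf "$demo_dir"
```

Run `audit_all_zshenv` on a Mac to check the real files; a hit is a reason to inspect the line and the file's modification time, not proof of compromise by itself.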
The BlueNoroff threat actor employs a vast network infrastructure for delivery and command and control, with dozens of malicious IPs and domains per campaign, often mimicking legitimate crypto/fintech companies. The overlapping infrastructure made attribution easier.
“Over recent months, the actor has built a network of connected infrastructure often themed around their cryptocurrency interests, methods of delivering malware lures, and mimicking legitimate Web3, cryptocurrency, fintech, and investment organizations to appear legitimate.”
The researchers have also observed hackers exploiting automation tools, such as Brevo. BlueNoroff continues to evolve, pivoting to new, unique methods.
The blunter initial-infection approach of plain email phishing is not necessarily any less effective.
“Heightened attention on previous DPRK campaigns could have reduced the effectiveness of previous 'social media grooming' attempts, perhaps as a result of intended targets in DeFi, ETF, and other crypto-related industries becoming more wary,” SentinelLabs researchers speculate.
“But it is equally likely that such state-backed threat actors have sufficient resources to pursue multiple strategies simultaneously.”
SentinelLabs encourages macOS users to increase their awareness of potential risks and harden their security as macOS crimeware becomes more common.