A new form of macOS malware is being used by devious North Korean hackers
BlueNoroff targets crypto businesses with new malware
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Devious North Korean state-sponsored threat actors known as BlueNoroff have been spotted deploying a brand new piece ofmalwareto attack their victims.
Cybersecurity researchers SentinelLabs sounded the alarm on the new campaign, noting BlueNoroff is a subgroup of Lazarus, an infamous North Korean organization that mostly targets cryptocurrency businesses and individuals in the West. It is attributed with some of the biggest crypto heists in history.
Usually, the group would “groom” their victims on social media, before deploying any malware. In this campaign, however, they’ve decided for a more direct approach.
Hidden Risk
As SentinelLabs explains, BlueNoroff targets its victims, mostly crypto businesses, with a phishing email seemingly forwarded from a crypto influencer.
The email contains fake news about the latest developments in the cryptocurrency sector, in the form of a .PDF file that redirects victims to a website under the attackers’ control. That website will sometimes serve a benign Bitcoin ETF document, and sometimes a malicious file called “Hidden Risk Behind New Surge of Bitcoin Price.app”.
The name is taken from a genuine academic paper from the University of Texas, the researchers added. The entire campaign is thus named “Hidden Risk”.
The malware comes in multiple stages. The first stage is a dropper app, signed with a validAppleDeveloper ID, which was revoked in the meantime. This dropper will download a decoy PDF file which should keep the victim busy while the second-stage payload is deployed in the background.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
This payload is called “growth”, and its goal is to establish persistence and open up a back door to the infected device. It only works on macOS devices, running onIntelor Apple silicon, with the Rosetta emulation framework. The final stage is to check in with the C2 server for new commands every minute, which include downloading and running additional payloads, running shell commands, or terminating the process.
The campaign has been active for at least a year, the researchers said.
ViaBleepingComputer
You might also like
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Scammers are using fake copyright infringement claims to hack businesses
HPE reveals critical security bug affecting networking access points
Samsung Galaxy Tab S10 Plus review: a performance powerhouse for artists