A notorious threat actor affiliated with North Korea is reportedly targeting cryptocurrency firms using a sophisticated multi-stage malware campaign and a unique persistence mechanism, according to a recent report by SentinelLabs.
The campaign, dubbed ‘Hidden Risk’, has been attributed with high confidence to the BlueNoroff advanced persistent threat (APT) group, known for engaging in financially-motivated attacks. This particular campaign is specifically designed to target macOS devices.
The attack begins with a phishing email that contains a link to a malicious application, leading to the deployment of two types of malware upon initial infection. One of the key highlights of the campaign is the innovative persistence mechanism found in a backdoor, which exploits the Zshenv configuration file.
One notable aspect of the attack is the attackers’ ability to acquire or hijack valid Apple ‘identified developer’ accounts at will, enabling them to bypass macOS Gatekeeper and other built-in Apple security technologies.
The ‘Hidden Risk’ campaign, which was observed by SentinelLabs in October 2024 but likely began as early as July 2024, marks a departure from previous North Korean attacks targeting crypto-related industries. Unlike previous attacks that involved extensive social media ‘grooming’ of targets, this campaign adopts a more traditional and direct email phishing approach.
Despite the simplicity of the initial infection method, the campaign exhibits characteristics typical of previous Democratic People's Republic of Korea (DPRK)-backed campaigns in terms of malware artifacts and network infrastructure.
In response to this campaign and the overall increase in macOS crimeware, SentinelLabs advises all macOS users to enhance their security measures and remain vigilant against potential risks.
The FBI has also issued a warning about North Korean cyber actors using sophisticated social engineering tactics against cryptocurrency operations, further highlighting the need for increased cybersecurity awareness.
The malware campaign was initiated through a phishing email containing a link to a malicious application disguised as a PDF document related to cryptocurrency topics. The application, signed and notarized with an Apple Developer ID, downloads and executes a malicious binary that installs a backdoor designed to execute remote commands.
One of the most intriguing aspects of the campaign is the novel persistence technique employed by the backdoor, which leverages the Zshenv configuration file used by the Zsh shell. Because Zsh reads this file for every session it starts, commands placed there execute persistently across Zsh sessions, and modern versions of macOS do not raise a user notification for changes to it, unlike the background-item alerts shown when a LaunchAgent or Login Item is added.
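A defender-side check for this persistence location, added here as an example and not part of the SentinelLabs report or this article: it scans the .zshenv files Zsh reads for commands that a legitimate environment file (which normally only exports variables) would not contain. The pattern list and the /Users/* home-directory layout are assumptions.

```shell
#!/bin/sh
# Zsh sources .zshenv for every invocation (interactive shells, scripts, cron jobs),
# so anything appended there runs persistently without a LaunchAgent or Login Item.
# Heuristic pattern list (assumed, not from the report): downloaders, background
# launchers, encoders, scratch paths and hidden directories are rare in a benign .zshenv.
SUSPICIOUS_PATTERN='(curl|wget|nohup|osascript|base64|/tmp/|/\.[A-Za-z0-9_-]+/|eval[[:space:]])'

# scan_zshenv FILE
# Prints every non-comment line matching the heuristic, prefixed with its line number.
# Returns 1 if anything matched, 0 if the file is clean or absent (most users have none).
scan_zshenv() {
    file="$1"
    [ -f "$file" ] || return 0
    hits=$(grep -nE "$SUSPICIOUS_PATTERN" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf 'SUSPICIOUS %s\n%s\n' "$file" "$hits"
        return 1
    fi
    return 0
}

# scan_all_zshenv
# Checks the system-wide file, the current user's file (honouring ZDOTDIR) and every
# local home directory. Returns 1 if any file needs review.
scan_all_zshenv() {
    rc=0
    scan_zshenv /etc/zshenv || rc=1
    scan_zshenv "${ZDOTDIR:-$HOME}/.zshenv" || rc=1
    for home in /Users/*; do
        scan_zshenv "$home/.zshenv" || rc=1
    done
    return "$rc"
}
```

Hits are triage candidates, not verdicts: tool installers such as rustup or nvm legitimately write hidden-directory paths into .zshenv, so review each match and compare against a known-good baseline rather than quarantining automatically.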
The campaign has been attributed to BlueNoroff based on analysis of the actor-controlled network infrastructure. This sophisticated attack underscores the importance of robust cybersecurity measures for all macOS users, especially those in the cryptocurrency industry.