North Korean hackers are targeting crypto-related businesses with phishing emails and novel macOS-specific malware.
The crypto-related phishing campaign
Since July 2024, phishing emails seemingly containing helpful information on risks related to the rise of the price of Bitcoin have been sent to intended victims in cryptocurrency-related industries, SentinelLabs researchers have found.
The phishing email (Source: SentinelLabs)
The email urges the recipient to click on the “Open” button to download a PDF file, but doing that will trigger the download of a malicious macOS application bundle named “Hidden Risk Behind New Surge of Bitcoin Price.app”.
Once launched, the app downloads and opens a decoy PDF file containing a genuine research paper pubilshed earlier this year. Simultaneously – and covertly – it also downloads and executes a malicious binary from a hard-coded URL.
The malware
Recipients who don’t notice that the PDF is actually an app and start it won’t receive any kind of warning from macOS, because the malicious application bundle was signed and notarized by an Apple Developer Program member. (The developer signature has since been revoked by Apple.)
“A valid code signature and notarization together tell Gatekeeper that the file is safe to run. There is no rule in Apple’s XProtect or XProtectRemediator [a malware removal tool] for this malware,” Phil Stokes, Senior Researcher at SentinelLabs, told Help Net Security.
The malicious app functions as the first stage dropper. The malware it downloads is a Mach-O x86-64 executable that, according to the researchers, “will only run on Intel architecture Macs or Apple silicon devices with the Rosetta emulation framework installed.”
The executable is a novel backdoor that is capable of assuring its persistence on the target system, gathering and sending information about the host system and the prosesses running on it, and executing commands received from the command and control (C2) server used by the attackers.
“We do not call this backdoor “RustBucket” as there are significant differences (for one, it’s not written in Rust),” Stokes told us.
“We have not given the backdoor a public name at present. We continue to hunt for further samples to establish if it is part of a wider family or a custom build.”
New TTPs
The malware artifacts and the network infrastructure associated with this campaign point to BlueNoroff, a sub-group of the North Korean Lazarus APT that focuses on financially motivated intrusions.
The group’s tactics, techniques and procedures change with time. For this campaign, for example, they’ve switched from “grooming” targets via social media to the email phishing approach to achieve the initial infection.
“We might speculate that heightened attention on previous [Democratic People’s Republic of Korea] campaigns could have reduced the effectiveness of previous ‘social media grooming’ attempts, perhaps as a result of intended targets in DeFi, ETF and other crypto-related industries becoming more wary, but it is equally likely that such state-backed threat actors have sufficient resources to pursue multiple strategies simultaneously,” the researchers noted.
Another new trick is the use of a more powerful form of persistence by installing a malicious Zshenv (Z shell configuration) file.
“Any interactive or non-interactive Zsh session will execute the commands written to ~/.zshenv. In the case of this malware, the commands launch the backdoor written to disk earlier by the stage-one dropper,” Stokes told Help Net Security, and added that if the backdoor has been removed, the persistence mechanism will not be able to reinstall it.
This technique is particularly valuable since Apple introduced user notifications for background Login Items in macOS 13 (Ventura).
“Apple’s notification aims to warn users when a persistence method is installed, particularly oft-abused LaunchAgents and LaunchDaemons. Abusing Zshenv, however, does not trigger such a notification in current versions of macOS,” the researchers explained.
What remains a constant for North Korean hackers is the abuse of Apple developer accounts to sign the malware, which means that MacOS’s built-in protections can be bypassed.
Stokes’s advice to both organizations with macOS devices in their fleet and individual Mac users is to supplement Apple’s existing security technologies with reputable third-party endpoint security software.