Multi-stage malware refers to attacks that unfold in several steps, with each stage fetching or unlocking the next, so that the initial lure reveals little about the final payload. Recent campaigns show how far this approach has matured.
SentinelOne researchers recently reported that threat actors have been targeting macOS users with new multi-stage malware.
macOS Users Targeted With Multi-stage Malware
Throughout 2023-2024, North Korean-affiliated threat actors have targeted cryptocurrency businesses with macOS malware such as 'RustBucket' (a Rust-based backdoor for macOS) and 'KandyKorn' (aimed at blockchain engineers).
Their most recent campaign, 'Hidden Risk', was discovered in October 2024. It uses phishing emails carrying links to what purport to be PDF reports on cryptocurrency topics such as Bitcoin ETFs, 'high risk' investments and 'DeFi'.
Once a victim clicks the link, a two-stage infection begins. The first stage is a Swift-based dropper app (bundle identifier: Education.LessonOne) that is signed and notarized, which lets it pass Gatekeeper checks. The app downloads a decoy PDF for the victim to read while, in the background, it retrieves the second stage, a malicious x86-64 binary named 'growth', from matuaner[.]com. Being x86-64 only, the payload runs on Apple silicon Macs only through Rosetta 2.
The 'growth' payload is a 5.1 MB C++ backdoor. It establishes persistence through the zsh 'zshenv' configuration file and communicates with its command-and-control (C2) server over HTTP POST requests that carry the User-Agent string "mozilla/4.0 (compatible, msie 8.0, windows nt 5.1, trident/4.0)". That string is a useful network indicator: a genuine Internet Explorer 8 User-Agent is written "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", with capitalised tokens separated by semicolons, so the lower-case, comma-separated variant should not occur in legitimate traffic.
The backdoor profiles the infected host by running the commands 'sw_vers ProductVersion' and 'sysctl hw.model', generates a unique identifier (UUID) for the victim, and executes operator commands through its SaveAndExec function: each received command is written to a hidden file in /Users/Shared/ (named from the template .XXXXXX), the file is given 0x777 permissions, and it is then executed.
SentinelOne's report notes that this gives the threat actors complete control of infected systems while the persistence mechanism keeps the implant quiet.
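The following shell script is an added example, not code from SentinelOne or from the article, showing how the User-Agent described above can be hunted in web-proxy logs. The log lines are constructed for this example and assume a combined-style format in which the User-Agent is the last quoted field; the field layout and the sample addresses are assumptions, only the two User-Agent strings come from the text above.

```shell
#!/bin/sh
# Added example, not from SentinelOne or the article: look for the backdoor's
# C2 beacons in web-proxy logs by matching its User-Agent string exactly.
# The log lines are constructed for this example and assume a combined-style
# format in which the User-Agent is the last quoted field.

# User-Agent reported for the backdoor: lower-case tokens separated by commas.
HIDDEN_RISK_UA='mozilla/4.0 (compatible, msie 8.0, windows nt 5.1, trident/4.0)'
# What real Internet Explorer 8 on Windows XP sends: capitalised tokens
# separated by semicolons. A case-sensitive match on the string above will
# therefore not fire on genuine IE8 traffic.
LEGIT_IE8_UA='Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'

# Write four constructed log lines and print the temp file's path.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<EOF
10.0.0.5 - - [07/Nov/2024:10:01:02 +0000] "POST /api/sync HTTP/1.1" 200 512 "-" "$HIDDEN_RISK_UA"
10.0.0.9 - - [07/Nov/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "$LEGIT_IE8_UA"
10.0.0.5 - - [07/Nov/2024:10:02:00 +0000] "GET /update HTTP/1.1" 200 88 "-" "$HIDDEN_RISK_UA"
10.0.0.7 - - [07/Nov/2024:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) Safari/605.1.15"
EOF
  printf '%s\n' "$f"
}

# Every request carrying the backdoor's User-Agent, whatever the method:
# the string itself is anomalous, so a GET with it is still worth a look.
find_ua_hits() {
  grep -F "\"$HIDDEN_RISK_UA\"" "$1"
}

# Source addresses that sent HTTP POST requests with that User-Agent, which is
# the pattern the article describes for C2 check-ins. One address per line.
beacon_sources() {
  find_ua_hits "$1" | grep -F '"POST ' | awk '{ print $1 }' | sort -u
}

# Usage: log=$(make_sample_log); find_ua_hits "$log"; beacon_sources "$log"
```

The match is deliberately case-sensitive and fixed-string (grep -F) so that the punctuation differences from a real IE8 User-Agent are part of the signature; a case-insensitive regex that tolerates either separator would match legitimate legacy browsers and bury the beacons in noise.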
The most significant development in this campaign is the actor's use of the zshenv configuration file on macOS for persistence, an evolution of the persistence mechanisms seen in its earlier campaigns.
zsh reads this file from two locations:
- The user-level file in the home directory, ~/.zshenv.
- The system-wide file, /etc/zshenv.
Where earlier campaigns used ~/.zshrc, this malware embeds its launcher in zshenv.
The choice follows from how zsh starts up. ~/.zshrc is sourced only by interactive shells, whereas zshenv is sourced by every zsh invocation: interactive and non-interactive, login and non-login, including scripts and shells spawned by other programs. Code placed there therefore runs far more often and far more reliably, which is exactly what a persistence mechanism needs.
Installation is performed by the malware's sym.install_char__char_ function, which first checks for a hidden zero-byte marker ("touch") file named .zsh_init_success in /tmp/.
If the file is absent, the function runs the growth binary and creates the marker file to record that installation succeeded, so later shell launches do not repeat the step.
What makes this technique particularly dangerous is that it sidesteps a security feature introduced in macOS 13 Ventura: the user notification that appears when a background Login Item is added.
Traditional persistence mechanisms such as LaunchAgents and LaunchDaemons trigger that warning when they are installed, whereas zshenv abuse operates outside the scope of macOS's built-in Login Item controls, giving the attacker a quiet and reliable foothold on the infected machine. Shell startup files are not covered by that notification, so defenders should include ~/.zshenv, /etc/zshenv and the other shell rc files in routine persistence hunting rather than relying on the Ventura alert alone.
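The script below is an added example, not SentinelOne's or the threat actor's code, that audits a Mac (or a mounted disk image) for the persistence artefacts described above: both zshenv locations, the /tmp/.zsh_init_success marker and hidden files in /Users/Shared. The file paths come from the article; the suspicious-line heuristics, the sample zshenv content and the hidden file name .a1b2c3 are this example's own assumptions and are not published indicators.

```shell
#!/bin/sh
# Added example, not SentinelOne's or the threat actor's code: audit the zsh
# startup files and on-disk markers described in the article. The paths
# (~/.zshenv, /etc/zshenv, /tmp/.zsh_init_success, /Users/Shared/.XXXXXX) come
# from the article; the suspicious-line heuristics and the sample content are
# this example's own assumptions.

# Constructed sample ~/.zshenv: two ordinary lines plus a persistence stanza
# modelled on the described behaviour (marker check, hidden binary under
# /Users/Shared, background execution). Prints the path of the temp file.
make_sample_zshenv() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
if [ ! -f /tmp/.zsh_init_success ]; then
  /Users/Shared/.a1b2c3 >/dev/null 2>&1 &
  touch /tmp/.zsh_init_success
fi
EOF
  printf '%s\n' "$f"
}

# Print suspicious lines (prefixed with their line number) from one zsh
# startup file. Returns 1 if anything was flagged, 0 if clean, 2 if unreadable.
audit_zsh_startup() {
  file=$1
  [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
  # Heuristics: anything run from a hidden path under /Users/Shared, hidden
  # marker files under /tmp, and commands backgrounded with a trailing '&'
  # or detached with nohup. Comment lines are ignored.
  pattern='/Users/Shared/\.|/tmp/\.[A-Za-z0-9_]+|&[[:space:]]*$|nohup '
  hits=$(grep -nE "$pattern" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits"
  return 1
}

# Check a whole host (root="" for the live machine) or a mounted image
# (root=/Volumes/evidence). Reports suspicious zshenv files, the install
# marker and hidden files in /Users/Shared; returns the number of findings.
scan_host() {
  root=${1:-}
  home=${2:-$HOME}
  findings=0
  for f in "$root$home/.zshenv" "$root/etc/zshenv"; do
    [ -e "$f" ] || continue
    audit_zsh_startup "$f" && rc=0 || rc=$?
    if [ "$rc" -eq 1 ]; then
      echo "suspicious startup file: $f"
      findings=$((findings + 1))
    fi
  done
  if [ -e "$root/tmp/.zsh_init_success" ]; then
    echo "install marker present: $root/tmp/.zsh_init_success"
    findings=$((findings + 1))
  fi
  for h in "$root"/Users/Shared/.[!.]*; do
    [ -e "$h" ] || continue
    echo "hidden file in /Users/Shared: $h"
    findings=$((findings + 1))
  done
  return "$findings"
}

# Usage on a live Mac:      scan_host "" "$HOME"
# Usage on a mounted image: scan_host /Volumes/evidence /Users/victim
```

Run it as the user whose shell is being checked, and as root for /etc/zshenv. The heuristics are intentionally broad: a hit is a lead for a human to read, not a verdict, and the ordinary PATH and EDITOR lines in the sample are left alone while all three lines of the planted stanza are reported.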