According to Cointelegraph, North Korean hackers have developed new malware strains targeting Apple devices as part of a cyberattack campaign against cryptocurrency companies. A report by cybersecurity firm Sentinel Labs reveals that the attackers impersonate trusted contacts on messaging apps such as Telegram. They then request a fake Zoom meeting via a Google Meet link and send the victim what appears to be a Zoom update file. Once executed, this file installs malware known as 'NimDoor' on Mac computers, which targets crypto wallets and browser passwords.
The attack method, while common, is notable for its use of the Nim programming language, which is less familiar to analysts and harder for security software to detect. Researchers noted that although the initial stages of the attack follow a familiar pattern of social engineering and fake updates, the use of Nim-compiled binaries on macOS is unusual. Nim's ability to run on Windows, Mac, and Linux without changes makes it attractive to cybercriminals, allowing them to write malware that functions across multiple platforms. The language compiles quickly, produces standalone executable files, and is difficult to detect, offering significant advantages over previously used languages such as Go and Rust.
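Since the article's point is that Nim-compiled Mach-O binaries are rare on macOS, a defender can triage unknown executables by checking for Nim runtime artifacts. The following is an added example, not code from the article or from Sentinel Labs; the marker strings (`NimMain`, `nimFrame`, `nimZeroMem`, `*.nim` source paths) are assumed typical Nim compiler leftovers, and the sample binaries are constructed inline.

```python
"""Heuristic triage: flag Mach-O executables that carry Nim runtime artifacts."""
import re
import struct

# Mach-O magic numbers (32/64-bit, both byte orders) plus the universal (fat) magic.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE}

# Assumed markers: symbols and source-path strings the Nim toolchain typically
# leaves in compiled output (entry point, frame bookkeeping, memory helpers, *.nim paths).
NIM_MARKERS = [rb"NimMain", rb"nimFrame", rb"nimZeroMem", rb"[A-Za-z0-9_/]+\.nim\b"]

# Constructed sample files (not real malware): a 64-bit little-endian Mach-O header
# followed by filler and a few strings, as a scanner would see them on disk.
MACHO64_LE = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
SAMPLE_NIM_BINARY = MACHO64_LE + b"...NimMain...nimFrame...@/build/system.nim..."
SAMPLE_CLEAN_BINARY = MACHO64_LE + b"/usr/lib/libSystem.B.dylib _main"
SAMPLE_SCRIPT = b"#!/bin/sh\necho NimMain nimFrame\n"  # markers but not a Mach-O file


def is_macho(data: bytes) -> bool:
    """True when the first four bytes are a Mach-O or fat-binary magic number."""
    if len(data) < 4:
        return False
    return struct.unpack(">I", data[:4])[0] in MACHO_MAGICS


def nim_markers(data: bytes) -> list[str]:
    """Return the distinct Nim markers found anywhere in the file bytes."""
    found = []
    for pattern in NIM_MARKERS:
        hits = {m.group(0).decode("ascii", "replace") for m in re.finditer(pattern, data)}
        found.extend(sorted(hits))
    return found


def classify(data: bytes, threshold: int = 2) -> dict:
    """Flag a file as suspect only if it is Mach-O and shows several Nim markers,
    so a script or document merely mentioning these strings is not reported."""
    markers = nim_markers(data)
    macho = is_macho(data)
    return {"macho": macho, "markers": markers, "suspect": macho and len(markers) >= threshold}


if __name__ == "__main__":
    for name, blob in [("nim", SAMPLE_NIM_BINARY), ("clean", SAMPLE_CLEAN_BINARY), ("script", SAMPLE_SCRIPT)]:
        print(name, classify(blob))
```

A hit is a triage signal, not proof of malice: legitimate Nim software exists, so flagged files still need analyst review.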
The malware payload includes a credential-stealer designed to extract browser and system-level information silently. It also contains a script that steals Telegram's encrypted local database and its decryption keys, delaying activation by ten minutes to avoid detection. Cybersecurity solutions provider Huntress reported similar malware incursions linked to the North Korean state-sponsored hacking group 'BlueNoroff.' The malware can bypass Apple's memory protections to inject its payload, which performs keylogging, screen recording, and clipboard retrieval. It also features a 'full-featured infostealer' called CryptoBot, which focuses on cryptocurrency theft by targeting browser extensions to reach wallet plugins.
This week, blockchain security firm SlowMist warned users about a 'massive malicious campaign' involving fake Firefox extensions designed to steal cryptocurrency wallet credentials. Sentinel Labs researchers concluded that macOS has become a larger target for threat actors, especially sophisticated, state-sponsored attackers, debunking the myth that Macs are immune to viruses. The growing focus on macOS by threat actors highlights the need for stronger security measures against such sophisticated cyber threats.