A notorious threat actor with ties to North Korea is targeting cryptocurrency firms using a sophisticated multi-stage malware campaign, according to a recent report by SentinelLabs.
The campaign, known as ‘Hidden Risk’, is believed to be the work of the BlueNoroff advanced persistent threat (APT) group, which is known for financially motivated attacks. This particular campaign is aimed at macOS devices.
The attack begins with a phishing email, through which two types of malware are deployed upon initial infection. One notable aspect of this campaign is the use of a novel persistence mechanism in a backdoor malware that abuses the Zshenv configuration file.
Furthermore, the attackers have demonstrated their ability to hijack valid Apple ‘identified developer’ accounts at will, enabling them to bypass macOS Gatekeeper and other built-in Apple security measures.
Unlike previous North Korean attacks on crypto-related industries, which involved extensive social media targeting, the Hidden Risk campaign relies on a more traditional email phishing approach. Despite the simplicity of the initial infection method, the campaign still bears the hallmarks of previous DPRK-backed attacks in terms of malware artifacts and network infrastructure.
In light of this new campaign and the overall increase in macOS crimeware, SentinelLabs advises all macOS users to strengthen their security measures and be vigilant against potential risks.
The FBI has also issued a warning about cyber actors in North Korea using sophisticated social engineering tactics against cryptocurrency operations.
Multi-Stage Malware Campaign
The attack begins with a phishing email containing a link to a malicious application that initiates the infection process. The application is disguised as a link to a PDF document related to cryptocurrency topics, such as the “Hidden Risk Behind New Surge of Bitcoin Price.”
The phishing email appears to come from a real person in an unrelated industry, forwarding a message from a well-known crypto influencer. However, the email lacks personalized information related to the recipient.
Upon clicking the link in the email, the user is directed to a malicious domain, delphidigital[.]org, which serves the first stage of the malware application titled ‘Hidden Risk Behind New Surge of Bitcoin Price.app.’
This application is a Mac application written in Swift and signed with the Apple Developer ID “Avantis Regtech Private Limited (2S8XHJ7948).” The application downloads a decoy PDF file and executes a malicious binary that leads to the second stage of the malware.
The second stage malware acts as a backdoor, allowing remote command execution on the infected device.
Novel Persistence Technique
The backdoor malware used in this campaign employs a unique persistence mechanism by abusing the Zshenv configuration file, which is utilized by the Zsh shell on macOS.
By infecting the host with a malicious Zshenv file, the attackers ensure persistent access to the system across all Zsh sessions, including interactive and non-interactive shells, non-login shells, and scripts.
This technique is particularly effective on modern versions of macOS because it does not trigger the user notification that the operating system normally shows when other persistence methods are installed.
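A first-pass triage of the Zsh startup files the technique above relies on, written here as an added example (not code from the SentinelLabs report or this article): it records size and hash of the system-wide and per-user zshenv files for a baseline and flags lines that fetch from the network or background a process, which a legitimate zshenv almost never does. The file paths are the standard ones Zsh sources for every session; the suspicious-pattern list is an assumption meant for triage, not a complete detection rule.

```shell
#!/bin/sh
# Added example: triage the Zsh startup files that run for every Zsh session
# (interactive, non-interactive, login, non-login, and scripts), which is
# why an implant planted there persists and runs without a user notification.

# Heuristic patterns (assumption): a benign zshenv sets PATH and environment
# variables; it does not normally download, decode or background-launch anything.
SUSPICIOUS_RE='curl|wget|nohup|base64|osascript|python|/tmp/|&$|eval '

# scan_zshenv FILE: print each matching non-comment line as "FILE:LINENO:LINE".
# Returns 0 if nothing suspicious was found, 1 if at least one line matched.
scan_zshenv() {
    file=$1
    [ -f "$file" ] || return 0
    hits=$(grep -nE "$SUSPICIOUS_RE" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed "s|^|$file:|"
        return 1
    fi
    return 0
}

# report_zshenv FILE: one line of metadata (size, sha256) to keep as a baseline
# so later modifications of the file stand out.
report_zshenv() {
    file=$1
    [ -f "$file" ] || { printf '%s: absent\n' "$file"; return 0; }
    if command -v shasum >/dev/null 2>&1; then
        sum=$(shasum -a 256 "$file" | cut -d' ' -f1)
    else
        sum=$(sha256sum "$file" | cut -d' ' -f1)
    fi
    printf '%s: %s bytes, sha256 %s\n' "$file" "$(wc -c < "$file" | tr -d ' ')" "$sum"
}

# The files Zsh sources for every session: system-wide first, then per-user.
for f in /etc/zshenv "${ZDOTDIR:-$HOME}/.zshenv"; do
    report_zshenv "$f"
    scan_zshenv "$f" || echo "  >> review $f: matched a suspicious pattern"
done
```

Run it as the user whose environment is in question; a hit is a prompt to read the file, not proof of compromise, and an unexplained change in the recorded hash is worth the same attention.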
The campaign has been attributed to the BlueNoroff group based on analysis of the network infrastructure controlled and operated by the threat actor.
In conclusion, the Hidden Risk campaign underscores the importance of robust security measures for macOS users, as cyber threats continue to evolve and target cryptocurrency firms. Stay vigilant and implement necessary safeguards to protect against such sophisticated attacks.