Threat actors associated with North Korea have begun embedding malware within applications developed using Flutter, marking a new approach to infect Apple macOS devices. This discovery was made by Jamf Threat Labs, which found artifacts on the VirusTotal platform that suggest these applications are part of a larger series of malicious activities involving malware written in languages like Golang and Python.
While the distribution methods for these samples remain unclear, North Korean hackers have a history of utilizing social engineering tactics, particularly targeting employees in the cryptocurrency and decentralized finance sectors. Jaron Bradley, a director at Jamf Threat Labs, suspects the recent samples are still in the testing phase and may not have reached victims yet; however, he noted the attackers’ historical success with social engineering strategies.
Although Jamf hasn’t directly attributed this activity to a specific North Korean hacking group, there are indications that it could be linked to a Lazarus subgroup known as BlueNoroff, due to shared infrastructure with other malware like KANDYKORN and the Hidden Risk campaign.
The notable aspect of this newly discovered malware is its integration with Flutter, a cross-platform application framework. The primary payload, written in Dart, masquerades as a functioning Minesweeper game titled "New Updates in Crypto Exchange (2024-08-28)." This game was identified as a clone of a publicly available Flutter game on GitHub.
Additionally, the apps have been signed and notarized using legitimate Apple developer IDs, a tactic that suggests the threat actors are capable of circumventing Apple’s notarization processes. These signatures, however, have since been revoked by Apple.
Once executed, the malware connects to a remote server, which allows it to run AppleScript code that is delivered written backward in the server's responses. Besides the Dart-based malware, variants in Go and Python have also been located, indicating a diverse and evolving arsenal of malware that can execute AppleScript payloads received in server responses.
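As an added defender-side illustration (not code from Jamf or from the malware itself), the following Python checks a captured server response body for AppleScript written either forwards or character-reversed, as described above; the marker list and the sample bodies are constructed assumptions for this example.

```python
import re
from typing import Optional

# AppleScript constructs commonly seen in scripts handed to osascript.
# This marker list is an assumption of the example, not taken from the report.
APPLESCRIPT_MARKERS = [
    r"\btell application\b",
    r"\bdo shell script\b",
    r"\bend tell\b",
    r"\bosascript\b",
    r"\bon run\b",
    r"\bdisplay dialog\b",
    r"\bset \w+ to\b",
]


def score_applescript(text: str) -> list:
    """Return the marker patterns that match anywhere in text."""
    return [m for m in APPLESCRIPT_MARKERS if re.search(m, text, re.IGNORECASE)]


def inspect_response(body: str, min_markers: int = 2) -> Optional[dict]:
    """Look for AppleScript in a response body, both as-is and reversed.

    Returns a dict with the orientation that matched, the markers found and the
    recovered script text, or None when fewer than min_markers markers match.
    """
    candidates = {"forward": body, "reversed": body[::-1]}
    best = None
    for orientation, text in candidates.items():
        hits = score_applescript(text)
        if len(hits) >= min_markers and (best is None or len(hits) > len(best["markers"])):
            best = {"orientation": orientation, "markers": hits, "script": text.strip()}
    return best


# Constructed samples: one body carrying a character-reversed AppleScript,
# one benign JSON body that should produce no finding.
SAMPLE_SCRIPT = 'tell application "Finder"\n    display dialog "demo"\nend tell'
SAMPLE_REVERSED_BODY = SAMPLE_SCRIPT[::-1]
SAMPLE_BENIGN_BODY = '{"status":"ok","version":"2024-08-28"}'

if __name__ == "__main__":
    for body in (SAMPLE_REVERSED_BODY, SAMPLE_BENIGN_BODY):
        print(inspect_response(body))
```

Run over proxy or sandbox captures, a hit with orientation "reversed" is the signal to look at; tune min_markers against your own benign traffic to keep false positives down.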
This development highlights the ongoing evolution and growing sophistication of malicious activities perpetrated by North Korean actors, especially in their attempts to infiltrate the cryptocurrency space.