A notorious North Korean-affiliated threat actor is targeting crypto companies with multi-stage malware and a new persistence mechanism, SentinelLabs has reported.
The campaign, dubbed 'Hidden Risk', is assessed with high confidence to be the work of the BlueNoroff Advanced Persistent Threat (APT) group, known for financially motivated attacks. It targets macOS devices.
The campaign starts with a phishing e-mail, and two types of malware are dropped after the initial infection. The researchers highlighted a novel persistence mechanism in a backdoor that abuses the Zsh .zshenv configuration file.
Another notable aspect is the attackers' consistently demonstrated ability to acquire or hijack valid Apple accounts at will, which "helps them circumvent macOS Gatekeeper and other built-in Apple security technologies."
SentinelLabs said the new campaign, which it observed in October 2024 but which probably began as early as July 2024, differs from other North Korean attacks on crypto-related industries over the past 12 months, many of which involved grooming via social media.
"We see the Hidden Risk campaign deviating from this strategy, taking a more traditional and cruder, though not necessarily less effective, e-mail phishing approach. Despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident, both in terms of the observed malware and the associated network infrastructure," the researchers wrote.
This campaign, together with the general rise in macOS crimeware, means that all macOS users should harden their security and increase their awareness of potential risks, SentinelLabs said.
The analysis follows an FBI warning that North Korean cyber actors are using advanced social engineering campaigns against cryptocurrency operations.
Multi-stage malware campaign
The phishing e-mail that starts the attack contains a link to a malicious application, which achieves the initial infection.
The application is disguised as a link to a PDF document on a cryptocurrency topic, such as "Hidden risk behind a new rise in Bitcoin price." The e-mails claim to come from a real person in an unrelated industry and purport to forward a message from a well-known crypto influencer on social media.
The phishing e-mail is considered relatively unsophisticated, as it contains no personalized information related to the recipient.
The 'Open' link in the phishing e-mail hides a URL to another domain, delphidigital[.]org. This URL switched to serving the first-stage malicious application bundle, titled 'Hidden Risk behind new rise in Bitcoin Price.app'.
This is a Mac application written in Swift with the same name as the expected PDF. The application bundle was signed and notarized on October 19, 2024, with the Apple Developer ID "Avantis Regtech Private Limited (2S8XHJ7948)". Apple has since revoked the signature.
On launch, the application downloads the "Hidden Risk" PDF file from a Google Drive share and opens it with the default macOS PDF viewer.
After it is written to /Users/Shared, the dropper malware downloads a malicious x86-64 binary.
This malicious binary, downloaded by the first-stage dropper, constitutes the second malware stage, which can only run on Intel-architecture Macs or on Apple Silicon devices with the Rosetta emulation framework installed.
The executable contains a number of identifiable functions; its overall purpose is to act as a backdoor for executing remote commands.
The SaveAndExec function in the backdoor is responsible for executing all commands received from the command-and-control (C2) infrastructure. It generates a random file name of length 6, changes the file's permissions, and then executes it.
New persistence technique
The researchers said the backdoor is particularly interesting because of the persistence mechanism it uses, which abuses the .zshenv configuration file.
.zshenv is one of several optional configuration files used by the Zsh shell.
Infecting the host with a malicious .zshenv file provides a powerful form of persistence, since the file is sourced for all Zsh sessions, including interactive and non-interactive shells, non-login shells and scripts, the researchers noted.
"Although this technique is not unknown, it is the first time we have observed it used in the wild by malware authors," the researchers said.
They added that it has particular value on modern versions of macOS, because Apple introduced user notifications to warn users when a persistence method is installed. Abusing .zshenv does not trigger such a notification in current versions of macOS.
The campaign is attributed to BlueNoroff based on analysis of the network infrastructure the actor exploited and controlled.
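Because .zshenv is read on every Zsh invocation and its abuse raises no macOS notification, a defender has to check the file directly. The following audit script is an added example for this article (not SentinelLabs' tooling); it reads the two .zshenv locations Zsh sources unconditionally and flags contents typical of a dropped loader. The grep patterns are illustrative heuristics chosen for this example, not the campaign's actual indicators, and the sample files in the demo are constructed.

```shell
#!/usr/bin/env bash
# Audit the Zsh startup files sourced for EVERY invocation: interactive,
# non-interactive, login and non-login shells, and scripts run with zsh.
# Added defender-side example; indicator patterns are illustrative only.

# The two paths Zsh reads unconditionally: system-wide, then the user's
# (honouring ZDOTDIR if it is set).
zshenv_candidates() {
  printf '%s\n' "/etc/zshenv" "${ZDOTDIR:-$HOME}/.zshenv"
}

# Return 0 if the file contains something a dropped loader typically needs:
# a program under /Users/Shared, a download piped straight into a shell,
# inline base64 decoding, or a detached (nohup) background process.
# Return 1 otherwise, including when the file is absent or unreadable.
zshenv_is_suspicious() {
  f="$1"
  [ -r "$f" ] || return 1
  grep -Eq \
    -e '/Users/Shared/' \
    -e '(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh([[:space:]]|$)' \
    -e 'base64[[:space:]]+(-d|-D|--decode)' \
    -e '(^|[[:space:]])nohup[[:space:]]' \
    "$f"
}

# Modification time in a form both macOS (BSD stat) and GNU stat accept;
# useful for correlating a rewrite of .zshenv with the phishing timeline.
zshenv_mtime() {
  stat -f '%Sm' "$1" 2>/dev/null || stat -c '%y' "$1"
}

# Walk the candidate files, print a verdict for each one that exists, and
# return the number of suspicious files so scripts can act on the result.
audit_zshenv() {
  hits=0
  while IFS= read -r f; do
    [ -e "$f" ] || continue
    if zshenv_is_suspicious "$f"; then
      echo "SUSPICIOUS: $f (modified: $(zshenv_mtime "$f"))"
      hits=$((hits + 1))
    else
      echo "ok: $f"
    fi
  done <<EOF
$(zshenv_candidates)
EOF
  return "$hits"
}
```

Run `audit_zshenv` on a suspect host and treat any non-zero return as a file to pull for manual review; a clean grep does not prove the file is benign, so also compare its modification time and contents against a known-good baseline.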