Threat actors from North Korea, likely associated with BlueNoroff, have initiated multi-stage malware assaults directed at cryptocurrency enterprises, expanding the array of tools utilized to also encompass RustDoor/ThiefBucket and RustBucket campaigns.
A threat actor linked to DPRK, known as Hidden Risk, introduced a fresh persistence method that involves manipulation of Zsh configuration files.
To compromise businesses related to cryptocurrencies, malicious PDF attachments camouflaged as news about cryptocurrencies were employed as a means to deliver the malicious payload.
Employing social engineering, phishing emails disguised as PDF documents associated with cryptocurrencies attract victims into downloading harmful applications, frequently attributed to legitimate figures and influencers, and sometimes employing genuine research papers to enhance credibility and evade security measures.
An unsophisticated phishing email lacking personalized information is utilized, unlike past tactics of BlueNoroff in which the sender domain, kalpadvisory[.]com, was tied to spam activities within communities related to the Indian stock market.
A phishing email containing what seems to be an innocuous link (Bitcoin ETF document) on delphidigital[.]org is capable of dynamically switching to deliver the macOS malware known as “Hidden Risk.”
The malicious Swift application named “Hidden Risk Behind New Surge of Bitcoin Price.app” masquerades as a PDF file, housing a universal Mach-O executable and signed using a revoked Apple Developer ID.
The macOS malware utilizes a decoy PDF for initial infiltration, followed by the download and execution of a malicious x86-64 binary from a preset URL, effectively bypassing macOS’s standard HTTP security restrictions through a modified Info.plist file.
The x86-64 Mach-O backdoor, ‘growth,’ targets both Intel Macs and Apple silicon devices with Rosetta, presenting a 5.1 MB unsigned C++ executable designed to carry out remote commands through various backdoor functionalities.
The ‘growth’ binary implants a persistence mechanism by utilizing the sym.install_char__char_ function, further gathering system details such as OS version, hardware model, boot time, current date, running processes, and generating a unique 16-character UUID.
It retrieves host data, transmits it to a C2 server, receives directives, executes them, and iterates the process using HTTP POST requests and file operations for C2 and system interactions.
The User-Agent “mozilla/4.0” and identifier “cur1-agent,” previously associated with RustBucket malware and resembling C2 response parsing and ProcessRequest functions, indicate potential links to previous security threats.
Through the SaveAndExec function, the threat actor processes malicious payloads retrieved from a C2 server, extracting a command from the payload, creating a concealed file in the shared user directory using a random name, assigning full access permissions, and executing the command via popen.
The threat actor manipulates the Zshenv configuration file to ensure persistent backdoor accessibility, circumventing macOS user notifications.
While not entirely new, this marks the first observed utilization by malware developers, offering a discreet and efficient persistence technique.
The BlueNoroff threat actor, connected to the Hidden Risk campaign, makes use of NameCheap and assorted hosting services to construct a network of infrastructure themed around cryptocurrency and investment entities.
Sentinel Labs identified a broader range of activities by examining infrastructure relationships, DNS records, and extensive domain searches, inclusive of potential upcoming targets and falsification endeavors.
The post Hackers Attacking macOS Users with New Multi-Stage Malware appeared first on Cyber Security News.