A notorious North Korean affiliated threat actor is targeting crypto firms using multi-stage malware and a novel persistence mechanism, SentinelLabs has reported.
The campaign, dubbed ‘Hidden Risk’, is assessed with high confidence to be perpetrated by the BlueNoroff advanced persistent threat (APT) group, known for financially-motivated attacks. It is designed to target macOS devices.
The campaign starts with a phishing email, with two types of malware dropped following initial infection. The researchers highlighted a novel persistence mechanism in a backdoor which abuses the Zshenv configuration file.
Another notable aspect is the consistent demonstration of attackers’ ability to acquire or hijack valid Apple ‘identified developer’ accounts at will, helping them bypass macOS Gatekeeper and other built-in Apple security technologies.
SentinelLabs said the new campaign, which it observed in October 2024 but likely began as early as July 2024, diverts from other North Korean attacks against crypto-related industries over the past 12 months, many of which involved extensive ‘grooming’ of targets via social media.
“We observe that the Hidden Risk campaign diverts from this strategy taking a more traditional and cruder, though not necessarily any less effective, email phishing approach. Despite the bluntness of the initial infection method, other hallmarks of previous Democratic Republic of North Korea (DPRK)-backed campaigns are evident, both in terms of observed malware artifacts and associated network infrastructure,” the researchers wrote.
This campaign, along with the general increase in macOS crimeware, means all macOS users should harden their security and increase their awareness of potential risks, SentinelLabs said.
The analysis follows a warning by the FBI that cyber actors in North Korea are using sophisticated social engineering campaigns against cryptocurrency operations.
Multi-Stage Malware Campaign
The phishing email that starts the attack contains a link to a malicious application to achieve initial infection.
The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price.” The emails purport to come from a real person in an unrelated industry, claiming to forward a message from a well-known crypto social media influencer.
The phishing email is considered relatively unsophisticated, as it does not contain any personalized information related to the recipient.
The ‘open’ link in the phishing email hides a URL to another domain, delphidigital[.]org. This URL switches to serving the first stage of a malicious application bundle entitled ‘Hidden Risk Behind New Surge of Bitcoin Price.app’.
This is a Mac application written in Swift displaying the same name as the expected PDF. The application bundle was signed and notarized on 19 October, 2024, with the Apple Developer ID “Avantis Regtech Private Limited (2S8XHJ7948)”. The signature has since been revoked by Apple.
On launch, the application downloads the decoy “Hidden Risk” pdf file from a Google Drive share and opens it using the default macOS PDF viewer.
After being written into the moved to /Users/Shared file, the dropper malware downloads and executes a malicious x86-64 binary.
This malicious binary downloaded by the first stage dropper leads the second malware stage, which can only run on Intel architecture Macs or Apple silicon devices with the Rosetta emulation framework installed.
The executable contains a number of identifiable functions, with the overall objective being to act as a backdoor to execute remote commands.
The SaveAndExec function in the backdoor is responsible for executing any commands received from the command and control (C2) infrastructure. This function creates a random file name of length 6 and changes the file’s permissions and then executes it.
Novel Persistence Technique
The researchers said the backdoor is particularly interesting due to the persistence mechanism used, which abuses the Zshenv configuration file.
Zshenv is one of several optional configuration files used by the Zsh shell.
Infecting the host with a malicious Zshenv file allows for a powerful form of persistence as the file is sourced for all Zsh sessions, including interactive and non-interactive shells, non-login shells and scripts, the researchers noted.
“While this technique is not unknown, it is the first time we have observed it used in the wild by malware authors,” the researchers said.
They added that it has value on modern versions of macOS since Apple introduced user notifications to warn users when a persistence method is installed. Abusing Zshenv does not trigger such a notification in current versions of macOS.
The campaign has been attributed to BlueNoroff following analysis of the actor operated and controlled network infrastructure.