North Korean Hackers Target Crypto With Mac Malware ‘NimDoor’

Byadmin


North Korean hackers are using new strains of malware aimed at Apple devices as part of a cyberattack campaign targeting crypto companies.

According to a report from cybersecurity firm Sentinel Labs on Wednesday, the attackers impersonate someone trusted on messaging apps like Telegram, then request a fake Zoom meeting via a Google Meet link before sending what appears to be a Zoom update file to the victim.

Nimdoor targets Mac computers

Once the “update” is executed, the payload installs malware called “NimDoor” on Mac computers, which then targets crypto wallets and browser passwords. 

Previously, it was widely believed that Mac computers were less susceptible to hacks and exploits, but this is no longer the case. 

While the attack vector is relatively common, the malware is written in an unusual programming language called Nim, making it harder for security software to detect. 

“Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice,” said the researchers. 

Fake Zoom update link. Source: Sentinel Labs

Nim is a relatively new and uncommon programming language that is becoming popular with cybercriminals because it can run on Windows, Mac, and Linux without changes, meaning hackers can write one piece of malware that works everywhere. 

Nim also compiles fast to code, creates standalone executable files, and is very hard to detect. 

Related: Crypto founders report deluge of North Korean fake Zoom hacking attempts

North Korean-aligned threat actors have previously experimented with Go and Rust programming languages, but Nim offers significant advantages, the Sentinel researchers said. 

Infostealer payload 

The payload contains a credential-stealer “designed to silently extract browser and system-level information, package it, and exfiltrate it,” they said. 

There is also a script that steals Telegram’s encrypted local database and the decryption keys. 

It also uses smart timing by waiting ten minutes before activating to avoid detection by security scanners. 

Macs get viruses, too

Cybersecurity solutions provider Huntress reported in June that similar malware incursions were linked to the North Korean state-sponsored hacking group “BlueNoroff.”

Researchers stated that the malware was interesting because it was able to bypass Apple’s memory protections to inject the payload. 

The malware is used for keylogging, screen recording, clipboard retrieval and also has a “full-featured infostealer” called CryptoBot, which has a “focus on cryptocurrency theft.” The infostealer penetrates browser extensions, seeking out wallet plugins. 

This week, blockchain security firm SlowMist alerted users to a “massive malicious campaign” involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials.

“Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” Sentinel Labs researchers concluded, debunking the myth that Macs don’t get viruses. 

Magazine: Bitcoin ‘bull pennant’ eyes $165K, Pomp scoops up $386M BTC: Hodler’s Digest