North Korean Hackers Target Crypto Projects with Unusual Mac Exploit

North Korean hackers are using new strains of malware aimed at Apple devices as part of a cyberattack campaign targeting crypto companies. A recent report from cybersecurity firm Sentinel Labs has revealed that the attackers are employing an unusual programming language called Nim to bypass Apple's memory protections and deploy an infostealer payload targeting crypto wallets.

The malware, known as "NimDoor," is designed to infiltrate Mac computers by impersonating a trusted individual on messaging apps like Telegram. Once the victim receives the message, they are tricked into installing a fake Zoom update file via a Google Meet link. Upon execution, the payload installs NimDoor on the compromised Mac, which then targets crypto wallets and browser passwords.

While some may still assume that Mac computers are immune to hacks and exploits, this latest development highlights the evolving nature of cyber threats. The use of Nim-compiled binaries on macOS is particularly noteworthy, as it makes the malware harder for security software to detect. "Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts, and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice," said the researchers.

Nim is a relatively new and uncommon programming language that has gained popularity among cybercriminals due to its versatility. The same source code can be compiled for Windows, Mac, and Linux without modification, allowing hackers to write one piece of malware that works across multiple platforms. Nim also compiles quickly to native code, produces standalone executable files, and yields binaries that security tools are notoriously bad at detecting.
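Because Nim executables are still rare on macOS, their presence is itself a useful triage signal for defenders. The following Python script is an added example, not code from the article or from Sentinel Labs: it scans a file for symbol names and source-file strings that Nim's C backend normally leaves in the binaries it produces (`NimMain`, `NimMainModule`, `nimGC_setStackBottom`, `nimFrame`, and `*.nim` stack-trace paths). The marker list is an assumption about the Nim runtime, not a published signature, and a match means "Nim-compiled", not "malicious"; the sample blobs at the bottom are constructed for the demonstration.

```python
"""Heuristic triage: flag executables that carry Nim runtime artifacts.

Added example (not from the article or the Sentinel Labs report). A hit is a
triage signal, not proof of malice: legitimate Nim programs match as well.
The marker list is an ASSUMPTION about strings the Nim compiler's C backend
typically embeds; tune it for your environment.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Entry points, GC and stack-trace symbols the Nim runtime usually emits.
# ASSUMPTION: representative, not exhaustive.
NIM_MARKERS: tuple[bytes, ...] = (
    b"NimMain",
    b"NimMainModule",
    b"nimGC_setStackBottom",
    b"nimFrame",
)
# Stack-trace metadata references runtime source files such as system.nim.
NIM_SOURCE_RE = re.compile(rb"[A-Za-z0-9_]+\.nim\b")

# Mach-O magic numbers (both byte orders) plus the universal/fat header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
}


def is_macho(data: bytes) -> bool:
    """True if the blob starts with a Mach-O or fat-binary magic number."""
    return data[:4] in MACHO_MAGICS


def scan_bytes(data: bytes) -> dict:
    """Report which Nim markers appear in the blob and a 'likely Nim' verdict."""
    hits = [m.decode() for m in NIM_MARKERS if m in data]
    sources = sorted({s.decode() for s in NIM_SOURCE_RE.findall(data)})
    # Require two independent signals to keep false positives down.
    score = len(hits) + (1 if sources else 0)
    return {
        "macho": is_macho(data),
        "markers": hits,
        "nim_sources": sources[:10],
        "likely_nim": score >= 2,
    }


def scan_file(path: str) -> dict:
    """Scan a file on disk."""
    return scan_bytes(Path(path).read_bytes())


# Constructed sample inputs (not real malware): one blob mimicking the strings
# of a Nim-built Mach-O, one mimicking an ordinary C-built Mach-O.
SAMPLE_NIM_BLOB = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 32
    + b"NimMain\x00NimMainModule\x00system.nim\x00fatal.nim\x00"
)
SAMPLE_OTHER_BLOB = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 32
    + b"_main\x00libSystem.B.dylib\x00"
)

if __name__ == "__main__":
    # Usage: python nim_triage.py /path/to/binary [...]; no args runs the samples.
    targets = sys.argv[1:]
    if targets:
        for t in targets:
            print(t, scan_file(t))
    else:
        print("nim-like:", scan_bytes(SAMPLE_NIM_BLOB))
        print("other   :", scan_bytes(SAMPLE_OTHER_BLOB))
```

The script is deliberately string-based so it can run over any file, including scripts and archives, without a Mach-O parser; in a real deployment it would sit beside, not replace, signature and behavioural detection, and a positive result should trigger a closer look at where the binary came from and what it was launched by.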

The payload contains a credential stealer designed to silently extract browser and system-level information, package it, and exfiltrate it. It also includes a script that steals Telegram's encrypted local database along with the decryption keys. Furthermore, the malware delays activation by ten minutes so that short-lived security scans and sandboxes see nothing suspicious.

Researchers have linked similar malware incursions to the North Korean state-sponsored hacking group "BlueNoroff." The malware is notable for its ability to bypass Apple's memory protections to inject the payload. It also carries a "full-featured infostealer" called CryptoBot, which focuses on cryptocurrency theft: it searches installed browser extensions for wallet plugins.

Recently, blockchain security firm SlowMist alerted users to a "massive malicious campaign" involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials. This latest development highlights the growing threat landscape for crypto companies and the importance of vigilance in detecting and mitigating such attacks.

"Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers," Sentinel Labs researchers concluded, debunking the myth that Macs don't get viruses. As the cyber threat landscape continues to evolve, it is essential for crypto companies and users alike to stay informed and take necessary precautions to protect themselves from such attacks.