New macOS Malware Targets Crypto and Web3 Startups with Fake Zoom Update

A new and sophisticated macOS malware campaign has been discovered by researchers at SentinelLabs, targeting cryptocurrency and Web3 startups using fake Zoom invites. Dubbed "NimDoor," this attack is more complex than typical macOS threats, employing a combination of AppleScript, Bash, C++, and Nim to exfiltrate data and maintain access on compromised systems.

The SentinelLabs report provides a detailed breakdown of how the hack works. Here's a simplified summary: through social engineering, victims are approached via Telegram by someone impersonating a trusted contact. They're asked to schedule a call through Calendly, then sent an email containing a fake Zoom link and instructions to run a bogus "Zoom SDK update." The file is heavily padded with 10,000 lines of whitespace to obfuscate its true function.
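A triage check for the whitespace-padding trick described above, written as an added example for this article (it is not code from the SentinelLabs report or from the malware): it flags files whose line count is dominated by whitespace-only lines and reports where the real content resumes. The thresholds and the sample inputs are constructed assumptions.

```python
"""Flag scripts padded with thousands of whitespace-only lines.

Added example: a cheap triage signal for files that hide their real
content below a huge run of blank lines, as the fake "Zoom SDK update"
was reported to do. Thresholds are assumptions, not values from the report.
"""
from dataclasses import dataclass
from typing import Optional

MIN_LINES = 500        # assumed: ignore small scripts
MIN_PAD_RATIO = 0.90   # assumed: >= 90% whitespace-only lines is suspicious


@dataclass
class PaddingReport:
    total_lines: int
    blank_lines: int
    longest_blank_run: int
    code_after_pad: Optional[int]  # 1-based line where content resumes
    suspicious: bool


def analyze_padding(text: str, min_lines: int = MIN_LINES,
                    min_pad_ratio: float = MIN_PAD_RATIO) -> PaddingReport:
    """Count whitespace-only lines and locate the longest run of them."""
    lines = text.splitlines()
    blank = run = longest = 0
    code_after_pad = None
    for i, line in enumerate(lines, start=1):
        if not line.strip():          # spaces, tabs or empty all count
            blank += 1
            run += 1
            continue
        if run > longest:             # a run just ended at a content line
            longest, code_after_pad = run, i
        run = 0
    longest = max(longest, run)       # padding that runs to end of file
    total = len(lines)
    ratio = blank / total if total else 0.0
    suspicious = total >= min_lines and ratio >= min_pad_ratio
    return PaddingReport(total, blank, longest, code_after_pad, suspicious)


if __name__ == "__main__":
    # Constructed samples: an ordinary script and a padded one.
    normal = "#!/bin/bash\n\necho hello\n"
    padded = "#!/bin/bash\n" + "\n" * 10000 + "echo payload\n"
    for name, sample in (("normal", normal), ("padded", padded)):
        print(name, analyze_padding(sample))
```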

When executed, the malware triggers an intricate series of events that establish an encrypted connection with a command-and-control server. It also includes backup logic that reinstalls key components if the system is rebooted or the malware process is terminated. Once all the hack's binaries and persistence mechanisms are in place, the malware uses Bash scripts to scrape and exfiltrate credentials and sensitive data.

This includes Keychain credentials, browser data, and Telegram data. The full technical deep dive into how NimDoor works is well worth a look for those interested in the nitty-gritty details of macOS security threats.

Technical Details

The report walks through each stage of the hack, from the fake Zoom update to the final data exfiltration. The researchers also note that NimDoor reflects a broader shift toward more complex and less familiar cross-platform languages in macOS malware, moving beyond the Go, Python, and shell scripts that North Korean threat actors have typically used in the past.

The report includes full hash listings, code snippets, screenshots, and attack flow diagrams, providing a comprehensive understanding of how NimDoor operates. This level of detail is particularly valuable for security professionals and researchers looking to stay ahead of emerging threats.

Implications

The discovery of NimDoor highlights the evolving nature of macOS malware attacks and the growing sophistication of North Korean threat actors. As cryptocurrency and Web3 startups become increasingly important targets, it's essential for these industries to remain vigilant and take proactive steps to protect themselves against such threats.

Does this sort of hack scare you? Do you think these hacks get blown out of proportion? Let us know in the comments below!

About the Author

Marcus Mendes is a Brazilian tech podcaster and journalist who has been closely following Apple since the mid-2000s. He began covering Apple news in Brazilian media in 2012 and later broadened his focus to the wider tech industry, hosting a daily podcast for seven years.