A new form of macOS malware is being used by devious North Korean hackers
Date:
Fri, 08 Nov 2024 17:10:00 +0000
Description:
North Korean hackers are targeting crypto businesses with backdoors again.
FULL STORY ======================================================================BlueNoro ff seen targeting crypto businesses with new piece of malware The malware establishes persistence and opens up a back door It can download additional payloads, run Shell commands, and more
Devious North Korean state-sponsored threat actors known as BlueNoroff have been spotted deploying a brand new piece of malware to attack their victims.
Cybersecurity researchers SentinelLabs sounded the alarm on the new campaign, noting BlueNoroff is a subgroup of Lazarus, an infamous North Korean organization that mostly targets cryptocurrency businesses and individuals in the West. It is attributed with some of the biggest crypto heists in history.
Usually, the group would groom their victims on social media, before
deploying any malware. In this campaign, however, theyve decided for a more direct approach. Hidden Risk
As SentinelLabs explains, BlueNoroff targets its victims, mostly crypto businesses, with a phishing email seemingly forwarded from a crypto influencer.
The email contains fake news about the latest developments in the cryptocurrency sector, in the form of a .PDF file that redirects victims to a website under the attackers control. That website will sometimes serve a benign Bitcoin ETF document, and sometimes a malicious file called Hidden
Risk Behind New Surge of Bitcoin Price.app.
The name is taken from a genuine academic paper from the University of Texas, the researchers added. The entire campaign is thus named Hidden Risk.
The malware comes in multiple stages. The first stage is a dropper app,
signed with a valid Apple Developer ID, which was revoked in the meantime. This dropper will download a decoy PDF file which should keep the victim busy while the second-stage payload is deployed in the background.
This payload is called growth, and its goal is to establish persistence and open up a back door to the infected device. It only works on macOS devices, running on Intel or Apple silicon, with the Rosetta emulation framework. The final stage is to check in with the C2 server for new commands every minute, which include downloading and running additional payloads, running shell commands, or terminating the process.
The campaign has been active for at least a year, the researchers said.
Via BleepingComputer You might also like North Korean hackers are targeting Apple users with new macOS malware Here's a list of the best firewalls today These are the best endpoint protection tools right now
======================================================================
Link to news story:
https://www.techradar.com/pro/security/a-new-form-of-macos-malware-is-being-us ed-by-devious-north-korean-hackers
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)