
North Korean Hackers Target Crypto Firms With Mac Malware

A North Korean threat actor is targeting cryptocurrency businesses with emails that include fake crypto news headlines and infect victims with novel malware

Researchers have discovered a North Korean threat actor targeting cryptocurrency-related businesses with emails that include fake news headlines or stories about crypto and infect victims with novel Mac malware.

Key Details:

  • In October, researchers with SentinelLabs first observed a phishing attempt on a cryptocurrency-related industry that alerted them to the campaign

  • Researchers believe the campaign, which they call “Hidden Risk,” first started as early as July

  • The campaign uses a new persistence mechanism by abusing zshenv, one of several configuration files that are used by the Zsh shell

  • The emails sent to victims include fake news about crypto trends, and victims are infected through malicious applications masked as PDF files with titles like: “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” or “New Era for Stablecoins and DeFi, CeFi”

The Big Picture: Over the last year, North Korean-linked threat actors have continually been drawn to targeting cryptocurrency orgs with social engineering-heavy campaigns that siphon funds or insert backdoors in targets. In September, the FBI warned that it had been tracking targeted and difficult-to-detect social engineering campaigns by North Korean actors against employees at cryptocurrency and decentralized finance organizations in order to spread malware and steal cryptocurrency. The initial access tactics used in the Hidden Risk campaign are a bit different, said SentinelLabs researchers this week.

“We observe that the Hidden Risk campaign diverts from this strategy taking a more traditional and cruder, though not necessarily any less effective, email phishing approach,” said researchers. Still, “despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident, both in terms of observed malware artifacts and associated network infrastructure,” they said.

Another noteworthy aspect of this campaign is the abuse of the zshenv configuration file. This form of persistence is particularly effective on modern macOS versions. Since macOS 13 Ventura, Apple’s user notification feature for background login items warns users when persistence mechanisms such as LaunchAgents are installed, but the abuse of zshenv does not trigger that notification, researchers said.

“Infecting the host with a malicious Zshenv file allows for a more powerful form of persistence,” researchers said. “While this technique is not unknown, it is the first time we have observed it used in the wild by malware authors.”
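Because a zshenv file is sourced by every Zsh process, a planted command runs on each shell start without any LaunchAgent for Ventura's login-item notification to flag. The following audit script is an added example (not code from SentinelLabs or this article) that a defender can run on a Mac to list the zshenv locations, flag content a benign startup file rarely needs, and note recent modifications; the indicator patterns are constructed heuristics, not indicators taken from the campaign.

```shell
#!/bin/sh
# Audit the Zsh startup files in which a persistence command could be planted.
# zshenv is read by every zsh invocation (interactive or not), so a command
# placed there re-runs on each shell start with no LaunchAgent/LaunchDaemon,
# which is why Ventura's background-login-item notification never fires.
# Paths other than ~/.zshenv are the usual defaults; ZDOTDIR can relocate them.

# Constructed heuristic: content a benign zshenv rarely needs (downloaders,
# backgrounded helpers, decoders, staging directories). Tune to your baseline.
SUSPICIOUS_RE='(curl |wget |nohup |base64 (-[dD]|--decode)|osascript|/tmp/|\.app/Contents/|>/dev/null 2>&1 *&)'

# Returns 0 (clean) or 1 (flagged) and prints the matching lines.
# A missing file counts as clean.
audit_zshenv_file() {
  f="$1"
  [ -f "$f" ] || return 0
  if grep -qE "$SUSPICIOUS_RE" "$f"; then
    printf 'FLAGGED %s\n' "$f"
    grep -nE "$SUSPICIOUS_RE" "$f" | sed 's/^/    /'
    return 1
  fi
  printf 'ok      %s\n' "$f"
  return 0
}

# Returns 0 if the file changed within the last N days (default 7), else 1.
recently_modified() {
  [ -n "$(find "$1" -maxdepth 0 -mtime "-${2:-7}" 2>/dev/null)" ]
}

# Audits the per-user file under the given home directory plus the two
# system-wide defaults. Returns 1 if any file was flagged.
audit_all_zshenv() {
  home="${1:-$HOME}"
  status=0
  for f in "$home/.zshenv" /etc/zshenv /etc/zsh/zshenv; do
    audit_zshenv_file "$f" || status=1
    [ -f "$f" ] && recently_modified "$f" && printf 'NOTE    %s modified in the last 7 days\n' "$f"
  done
  return $status
}

# Run against the current user; review anything flagged against a known-good copy.
audit_all_zshenv "$HOME" || printf 'review flagged zshenv files\n'
```

On a fleet, run it per user home and compare each file against a signed baseline; a flagged line is a lead to investigate, not proof of compromise.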

Who is Behind the Hidden Risk Campaign? Researchers have tracked several previous campaigns linked back to one North Korean group in particular, the BlueNoroff APT. In April 2023, the APT was linked to an attack against macOS users that used a Rust backdoor capable of downloading further malware onto targeted devices, which researchers with Jamf called “RustBucket.” SentinelLabs researchers this week said that the recent Hidden Risk attack shares many of the hallmarks of these previous campaigns.

“We assess with high confidence that the same actor is responsible for earlier attacks attributed to BlueNoroff and the RustDoor/ThiefBucket and RustBucket campaigns,” said researchers.