North Korean hacker group BlueNoroff uses new “Hidden Risk” malware to target cryptocurrency businesses via phishing emails.
Phishing Campaign with New macOS Malware
North Korean hacking group BlueNoroff has escalated its cyber-attacks against cryptocurrency businesses using a new strain of macOS malware. The malware campaign, named “Hidden Risk,” primarily targets crypto firms by luring victims with fake news about the cryptocurrency sector’s latest developments. Researchers have found that the malware exploits macOS systems with a novel persistence mechanism that avoids detection by recent macOS security updates.
The Role of Phishing Emails in Attacks
The attack campaign begins with phishing emails designed to appear credible. These emails often mimic messages from cryptocurrency influencers and offer fake news about the latest developments in the crypto world. The emails contain a link to what appears to be a legitimate PDF document, which actually redirects victims to a malicious website controlled by BlueNoroff. This website either serves benign content or, more dangerously, the first stage of the malware application bundle.
Hidden Risk: A Multi-Stage Malware Campaign
The Hidden Risk campaign uses a legitimate-looking academic paper from the University of Texas as its decoy. The first stage of the attack is a dropper application signed with a valid Apple Developer ID. Although this app appears harmless, once opened it downloads a second-stage payload in the background. The downloaded application then connects to an attacker-controlled domain and proceeds to install malware on the infected system.
Main Payload: The New Backdoor
The second stage of the malware, dubbed “growth,” is an x86_64 Mach-O binary that operates on both Intel and Apple Silicon devices. This payload achieves persistence on infected devices by modifying a hidden configuration file in the user’s home directory. This file, “.zshenv,” allows the malware to reload every time the user starts a new Zsh session, ensuring the malware remains active even after system reboots.
Bypassing macOS Security Features
One of the most concerning aspects of this attack is its ability to bypass macOS’s built-in security features. Apple’s App Transport Security (ATS) policies are overridden by manipulating the application’s Info.plist file, allowing insecure HTTP connections to the attacker’s domain. The malware also creates a “touch file” in the /tmp/ directory to mark a successful infection, which remains active across reboots.
Persistence Mechanism Remains Undetected
BlueNoroff has managed to sidestep macOS 13’s persistence detection, which normally notifies users when LaunchAgents are installed. The hidden “.zshenv” file used by the malware is a powerful persistence technique that the attackers now use to maintain control over infected systems without triggering such notifications.
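The two host artifacts described above (an Info.plist that relaxes ATS, and a .zshenv that launches something from a hidden or temporary path) can be checked for directly. The following is an added defender-side triage script, not code from the article or from SentinelLabs; the plist contents, the bundle identifier and the .zshenv lines are constructed samples, and the path patterns it flags are an assumption about what a suspicious entry looks like, not the campaign's actual values.

```python
import plistlib
import re

# Constructed Info.plist resembling an app bundle that disables ATS so plain HTTP
# is allowed to any host (the identifier is a placeholder, not the real one).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.decoy-pdf</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

def ats_findings(plist_bytes):
    """Return the ATS-relaxing keys present in an Info.plist (empty list = none)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append("NSExceptionDomains:" + domain)
    return findings

# Constructed .zshenv: one ordinary line plus one line that backgrounds a binary
# living under a hidden directory, the kind of entry a user did not write.
SAMPLE_ZSHENV = """# user config
export PATH=$HOME/bin:$PATH
/Users/alice/.config/.sysinfo &
"""

# Assumed heuristic: a command whose path is under /tmp, under a hidden
# directory in a home folder, or under $HOME/.<something>/.
HIDDEN_EXEC = re.compile(
    r"(?:^|[\s;&|])(?:/private)?(?:/tmp/|/Users/[^/\s]+/\.[^/\s]+/|\$HOME/\.[^/\s]+/)\S*")

def zshenv_findings(text):
    """Return (line_no, line) for non-comment .zshenv lines matching HIDDEN_EXEC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and HIDDEN_EXEC.search(stripped):
            hits.append((n, stripped))
    return hits

if __name__ == "__main__":
    print("ATS:", ats_findings(SAMPLE_INFO_PLIST))
    print(".zshenv:", zshenv_findings(SAMPLE_ZSHENV))
```

To run it against a real host, feed `open(path, "rb").read()` of a bundle's Contents/Info.plist and the text of `~/.zshenv` to the two functions; a non-empty result is a lead for analysis, not proof of infection.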
Continued Threat and New Tactics
The Hidden Risk campaign has been running for over a year, and its persistence shows the group’s evolving capabilities. Unlike previous campaigns, which involved grooming on social media, this attack relies more heavily on direct phishing strategies. Researchers also highlight that BlueNoroff has been effective in acquiring new Apple Developer accounts, ensuring that their malicious payloads can bypass macOS Gatekeeper security measures, which are designed to prevent unverified software from running on Apple systems.
BlueNoroff’s Growing Capabilities
SentinelLabs researchers note that the BlueNoroff group has a long history of targeting cryptocurrency firms. This group’s ability to adapt and refine their malware delivery tactics has allowed them to continue exploiting vulnerabilities in macOS. BlueNoroff’s focus on cryptocurrency theft underscores the increasing risk to crypto companies, especially those using macOS systems.
A Call for Better Cyber Defenses
As BlueNoroff’s tactics continue to evolve, cryptocurrency firms and macOS users must strengthen their defenses. Regular security audits, awareness of phishing schemes, and up-to-date malware protection systems are essential for counteracting threats like the Hidden Risk malware. While Apple’s security measures are advanced, these attacks show that hackers can still find ways to bypass them.
Disclaimer:
The information provided on 13Desk is for informational purposes only and should not be considered financial advice. We strongly recommend conducting your own research and consulting with a qualified financial advisor before making any investment decisions. Investing in cryptocurrencies carries risks, and you should only invest what you can afford to lose. 13Desk is not responsible for any financial losses incurred from your investment activities.