Introduction
The BlueNoroff group [6], a sub-entity of the Lazarus Advanced Persistent Threat (APT) linked to the Democratic People’s Republic of Korea (DPRK), has launched a sophisticated malware campaign named Hidden Risk. This campaign targets businesses in the cryptocurrency sector, employing advanced techniques to compromise macOS systems through phishing emails.
Description
A threat actor linked to the Democratic People’s Republic of Korea (DPRK) [4], identified as BlueNoroff [1] [4] [6], a sub-group of the Lazarus APT [7], has initiated a multi-stage malware campaign known as Hidden Risk [5], targeting cryptocurrency-related businesses [1] [2] [3] [4] [6]. This campaign, which commenced operations in July 2024, is capable of compromising macOS systems and employs sophisticated email lures featuring fake news on cryptocurrency trends [5]. The tactics have shifted from extensive social media grooming to a more traditional email phishing approach, specifically aimed at individuals within the decentralized finance (DeFi) and cryptocurrency sectors [5]. This change likely reflects a response to increased awareness among potential targets [7]. The phishing emails often contain manipulated articles and enticing headlines about cryptocurrency, encouraging recipients to click on links that download a malicious application disguised as a PDF document [2].
The initial attack vector was a dropper application named “Hidden Risk Behind New Surge of Bitcoin Price.app,” a relatively small (698KB) Swift binary [1] [4] that was signed and notarized by Apple on October 19, 2024, under the developer ID “Avantis Regtech Private Limited” [4]. The notarization has since been revoked, which again highlights the group’s history of hijacking legitimate Apple developer accounts to bypass macOS’s built-in security measures, including Gatekeeper [2].
Upon execution, the dropper application downloads a decoy PDF file from a Google Drive link and opens it in the default macOS PDF viewer while silently downloading a second-stage executable referred to as ‘growth’ [3] [4]. This Mach-O x86-64 binary runs on both Intel Macs and Apple silicon devices with Rosetta, is compatible with macOS 12 Monterey or later, and was built on a macOS 14.2 Sonoma machine [3]. The executable functions as a backdoor that allows remote command execution and employs a novel persistence mechanism that abuses the .zshenv configuration file [4]. Because .zshenv is read by every Zsh session, the malicious file is sourced each time a shell starts, and because it is not one of the persistence locations macOS monitors, no user notification for a new persistence item is shown [1]. This is the first observed in-the-wild use of such an approach.
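Because .zshenv is outside the persistence locations macOS notifies users about, a defender has to look at it directly. The following heuristic reviewer is an added example, not code from the original report or from any of the cited vendors; the indicator patterns and the sample file content are constructed assumptions for illustration and should be tuned to your environment.

```python
"""Heuristic review of a .zshenv file for shell-startup persistence entries.

Added example (not from the original report). .zshenv runs for login,
interactive and non-interactive Zsh invocations alike, so a command
appended there executes on every shell start without any macOS
persistence notification. The indicator patterns are assumptions chosen
for illustration, not the campaign's exact strings.
"""
import re
from pathlib import Path

# Plain environment assignments are what .zshenv is normally used for.
_BENIGN = re.compile(r"^\s*(export\s+)?[A-Za-z_][A-Za-z0-9_]*=")
# Assumed indicators worth a closer look; first match wins.
_SUSPICIOUS = [
    (re.compile(r"(^|[\s;&|])(source|\.)\s+\S*/\.[^/\s]+"), "sources a hidden file"),
    (re.compile(r"(curl|wget)\b.*\|\s*(sh|bash|zsh)\b"), "downloads and pipes to a shell"),
    (re.compile(r"\bnohup\b|&\s*$|&\s*>"), "backgrounds a command"),
    (re.compile(r"/(tmp|var/tmp|private/tmp)/"), "executes from a temp directory"),
]

def review_zshenv(text):
    """Return (line_no, reason, line) for each non-benign line that matches an indicator."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or _BENIGN.match(stripped):
            continue
        for pattern, reason in _SUSPICIOUS:
            if pattern.search(stripped):
                findings.append((num, reason, stripped))
                break
    return findings

# Constructed sample: ordinary exports plus one persistence-style line.
SAMPLE = """# user environment
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
. "$HOME/.config/.cache/.init" &
"""

if __name__ == "__main__":
    # Review the real file when present, otherwise the constructed sample.
    path = Path.home() / ".zshenv"
    content = path.read_text() if path.exists() else SAMPLE
    for num, reason, flagged in review_zshenv(content):
        print(f"line {num}: {reason}: {flagged}")
```

Run it against /etc/zshenv as well as each user's ~/.zshenv, since both are read at shell start.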
BlueNoroff has established infrastructure using various hosting providers, including domain registrar Namecheap [4], focusing on themes related to cryptocurrency and investments to appear legitimate [4]. The Hidden Risk campaign shows similarities to previous operations [4], including the RustBucket malware [6], which was reported in April 2023 and involved a backdoor capable of downloading additional malware. Subsequent variants of this malware were discovered in May and July 2023 [6], with the latter including a LaunchAgent for persistence [6]. Additionally, in November 2023 [6], another campaign targeting blockchain engineers was reported [6], involving KandyKorn malware [6], which was later connected to the RustBucket campaigns [6].
North Korean cyber actors have demonstrated adaptability, and the shift in tactics observed in the Hidden Risk campaign may reflect their response to public reporting on their activities. Over the past year these actors have targeted the cryptocurrency industry through extensive social media grooming, whereas the Hidden Risk campaign adopts a more traditional email phishing approach [4] [6]. This campaign is part of a broader strategy by North Korean hackers that includes the Wagemole and Contagious Interview campaigns, which focus on stealing data and on targeting freelance developers for cryptocurrency theft [4]. In September 2024, the FBI issued warnings about North Korea’s tailored social engineering campaigns against decentralized finance and cryptocurrency businesses, underscoring the ongoing threat posed by these actors [6]. Organizations and individual users with macOS devices are advised to run reputable third-party endpoint security software alongside Apple’s existing protections, and comprehensive training and increased vigilance remain essential to address the rising threat of social engineering [7].
Conclusion
The Hidden Risk campaign underscores the evolving threat landscape posed by North Korean cyber actors, particularly in the cryptocurrency sector. The shift from social media grooming to email phishing highlights their adaptability in response to increased awareness among targets. Organizations and individuals must remain vigilant, employing robust security measures and training to mitigate these threats. The ongoing efforts by North Korean hackers to exploit vulnerabilities in the cryptocurrency industry necessitate continuous monitoring and adaptation of security strategies to safeguard against future attacks.
References
[1] https://securityaffairs.com/170659/malware/bluenoroff-apt-macos-malware.html
[2] https://me.pcmag.com/en/security/26793/new-macos-malware-linked-to-north-korean-hackers
[3] https://www.mactech.com/2024/11/07/security-researchers-have-discovered-new-macos-malware-from-a-north-korean-hacking-group/
[4] https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html
[5] https://jamesazar.substack.com/p/the-war-on-chinese-owned-businesses
[6] https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/
[7] https://www.helpnetsecurity.com/2024/11/07/north-korean-crypto-related-phishing/