North Korean Crypto Attacks: Hackers Using Hidden Risk Malware
Hackers with ties to the Democratic People’s Republic of Korea (DPRK) have been observed targeting cryptocurrency firms with multi-stage malware that infects macOS devices. In this article, we dive into the details of the attack, covering how devices are initially infected and walking through each stage of the attack chain. Let’s begin!
North Korean Crypto Attacks: Initial Discovery And Infection
These North Korean crypto attacks first came to light through an FBI warning, in which the law enforcement agency described “highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance (“DeFi”), cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency.”
In addition, researchers at Jamf issued a report on an attack in which malware disguised as a Visual Studio updater was used. Last month, SentinelLabs also detected a phishing attempt against a crypto-related entity that relied on a dropper application. Commenting on the attack, SentinelLabs researchers stated that:
“We believe the campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics. We dubbed this campaign ‘Hidden Risk’ and detail its operation and indicators of compromise below, including the use of a novel persistence mechanism abusing the zshenv configuration file.”
Phishing Emails And PDFs
The initial infection sequence of the North Korean crypto attack starts with a phishing email containing a link to a malicious application. The link is presented as pointing to a PDF document on a cryptocurrency topic, with titles such as:
- Hidden Risk Behind New Surge of Bitcoin Price.
- Altcoin Season 2.0-The Hidden Gems to Watch.
- New Era for Stablecoins and DeFi, CeFi.
The phishing email impersonates a real person: the sender name belongs to an individual working in an unrelated sector, and it is used to pose as a cryptocurrency social media influencer. Providing insight into the malicious use of PDFs, the researchers stated that:
“In the case of the ‘Hidden Risk’ pdf, the threat actors copied a genuine research paper entitled ‘Bitcoin ETF: Opportunities and risk’ by an academic associated with the University of Texas and hosted online by the International Journal of Science and Research Archive (IJSRA).”
These tactics, together with the Hidden Risk malware itself, link the North Korean crypto attacks to BlueNoroff. It’s worth noting that this threat actor has been associated with other malware families, including:
- RustBucket.
- KANDYKORN.
- ObjCShellz.
- RustDoor (aka Thiefbucket).
- TodoSwift.
In addition, the domain used in these North Korean crypto attacks (kalpadvisory[.]com) is already known for spamming online communities focused on the Indian stock market. The link in the phishing emails only later transitioned to serving the first stage of the attack.
Hidden Risk Malware: Bait and Switch Dropper Application
The first stage of the North Korean crypto attack is a Mac application written in Swift. The application carries the same name as the PDF referenced in the phishing email and uses the bundle identifier “Education.LessonOne”.
Its main executable, LessonOne, is a universal (multi-architecture) Mach-O binary. Commenting on the application bundle, the researchers stated that:
“The application bundle was signed and notarized on 19 October, 2024 with the Apple Developer ID “Avantis Regtech Private Limited (2S8XHJ7948)”. The signature has since been revoked by Apple.”
Once launched, the malicious application downloads a decoy PDF named Hidden Risk from Google Drive, writes it to a temporary file, moves it to “/Users/Shared” using NSFileManager’s “moveItemAtURL:toURL:error:” method, and opens it with the default PDF viewer on macOS so that the victim sees the document they were promised.
While the decoy is displayed, the malware downloads and executes a second malicious payload, an x86-64 binary fetched from “matuaner[.]com” via a URL hard-coded into the Stage 1 binary. By default, macOS App Transport Security (ATS) blocks an application from loading resources over plaintext HTTP.
The attackers sidestep this restriction without any exploit: they simply declare an exception in the application’s own configuration. Describing how, the researchers stated that:
“The application’s Info.plist specifies this domain in the dictionary for its NSAppTransportSecurity key and sets the NSExceptionAllowsInsecureHTTPLoads value to “true.” The Info.plist also indicates that the application was built on a macOS 14.2 Sonoma machine but will run on both Intel and Apple silicon Macs with macOS 12 Monterey or later.”
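To make the ATS exception concrete, here is an added example, written for this article rather than taken from SentinelLabs or from the malware itself, that parses an app bundle’s Info.plist with Python’s standard plistlib and reports every domain the app is allowed to reach over plaintext HTTP. The embedded plist is constructed to mirror the report’s description: the exception domain and bundle identifier come from the article, while the remaining keys are assumptions made for illustration.

```python
"""Added example (not from the original post or SentinelLabs): inspect an
app bundle's Info.plist for App Transport Security exceptions that permit
plaintext HTTP, the setting the Stage 1 dropper relies on to fetch Stage 2."""
import plistlib
import sys
from pathlib import Path

# Constructed Info.plist modelled on the report's description. The bundle
# identifier and exception domain are from the article; the other keys are
# assumed for illustration.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>Education.LessonOne</string>
  <key>CFBundleExecutable</key><string>LessonOne</string>
  <key>LSMinimumSystemVersion</key><string>12.0</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>matuaner.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def ats_findings(plist_bytes: bytes) -> dict:
    """Summarise ATS weakenings in an Info.plist.

    Returns the bundle identifier, whether NSAllowsArbitraryLoads is set
    (a blanket opt-out), and the sorted list of per-domain exceptions that
    set NSExceptionAllowsInsecureHTTPLoads to true.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    insecure = [
        domain
        for domain, rules in ats.get("NSExceptionDomains", {}).items()
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True
    ]
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "insecure_domains": sorted(insecure),
    }


def scan_bundle(app_path: str) -> dict:
    """Read <App>.app/Contents/Info.plist from disk and evaluate it."""
    plist_path = Path(app_path) / "Contents" / "Info.plist"
    return ats_findings(plist_path.read_bytes())


if __name__ == "__main__":
    # Usage: python ats_check.py /path/to/Some.app   (or no argument for the sample)
    if len(sys.argv) > 1:
        print(scan_bundle(sys.argv[1]))
    else:
        print(ats_findings(SAMPLE_INFO_PLIST))
```

A per-domain HTTP exception is not malicious on its own, but a freshly notarized app whose only exception points at a domain unrelated to its developer is exactly the kind of finding worth a second look during triage of an unknown bundle.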
The “Growth” Binary Executable
Before we dive into the details of the binary downloaded by the first stage, it’s essential to know that it is a single-architecture Mach-O x86-64 executable. Whereas the parent dropper is a universal binary that runs on both Intel and Apple silicon machines, Stage 2 of these North Korean crypto attacks will only run on:
- Intel Macs.
- Apple silicon Macs with the Rosetta 2 translation layer installed.
The executable is written in C++ and serves as a backdoor for executing remote commands. Once the “growth” binary runs, it performs the following sequence:
1. Calls the “sym.install_char__char_” function to install persistence.
2. Runs multiple commands to gather information about the host and to generate a UUID of length 16. These commands include “sw_vers ProductVersion,” “sysctl hw.model” and “sysctl kern.boottime.”
3. Calculates the current date and time and runs “ps aux” to list running processes.
4. Sends the string “ci” to a remote server using the “DoPost” function and waits for the C2 response.
5. Parses the response using the “ProcessRequest” function.
6. Sleeps for 60 seconds and then restarts the loop from the third step.
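The recon commands in steps 2 and 3 make a usable hunting signal because they are cheap to log and rarely run as a tight sequence from the same parent process. The following is an added example, not code from the report, that groups process-execution events by parent and flags any parent that runs all four commands within a short window. The JSON-lines telemetry format, the timestamps and the parent path `/Users/Shared/growth` are constructed assumptions (the article does not give the backdoor’s on-disk location); map the field names to whatever your EDR exports.

```python
"""Added example (not from the article or the SentinelLabs report): flag a
parent process that runs the 'growth' backdoor's host-recon sequence
(sw_vers, sysctl hw.model, sysctl kern.boottime, ps aux) within a short
window. The telemetry format is a constructed JSON-lines schema."""
import json
from collections import defaultdict
from datetime import datetime

# Command-line prefixes the article lists as the backdoor's recon steps.
RECON_MARKERS = ("sw_vers", "sysctl hw.model", "sysctl kern.boottime", "ps aux")
WINDOW_SECONDS = 30

# Constructed sample telemetry. ppid 501 is an admin poking around in a
# terminal; ppid 917 is a hypothetical backdoor (the path is a placeholder)
# running the full chain in a couple of seconds.
SAMPLE_LOG = """\
{"ts": "2024-10-20T10:00:01Z", "ppid": 501, "parent": "/bin/zsh", "cmd": "sw_vers -productVersion"}
{"ts": "2024-10-20T10:07:40Z", "ppid": 501, "parent": "/bin/zsh", "cmd": "ps aux"}
{"ts": "2024-10-20T11:15:02Z", "ppid": 917, "parent": "/Users/Shared/growth", "cmd": "sw_vers -productVersion"}
{"ts": "2024-10-20T11:15:02Z", "ppid": 917, "parent": "/Users/Shared/growth", "cmd": "sysctl hw.model"}
{"ts": "2024-10-20T11:15:03Z", "ppid": 917, "parent": "/Users/Shared/growth", "cmd": "sysctl kern.boottime"}
{"ts": "2024-10-20T11:15:03Z", "ppid": 917, "parent": "/Users/Shared/growth", "cmd": "ps aux"}
"""


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_recon_chains(log_text: str, window: int = WINDOW_SECONDS) -> list:
    """Return one finding per parent pid that executed every marker in
    RECON_MARKERS, with all first-seen times inside `window` seconds."""
    first_seen = defaultdict(dict)   # ppid -> {marker: first timestamp}
    parent_of = {}                   # ppid -> parent image path
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for marker in RECON_MARKERS:
            if ev["cmd"].startswith(marker):
                first_seen[ev["ppid"]].setdefault(marker, parse_ts(ev["ts"]))
                parent_of[ev["ppid"]] = ev["parent"]
    findings = []
    for ppid, hits in first_seen.items():
        if len(hits) < len(RECON_MARKERS):
            continue                  # partial chain: not enough signal on its own
        span = (max(hits.values()) - min(hits.values())).total_seconds()
        if span <= window:
            findings.append({"ppid": ppid, "parent": parent_of[ppid],
                             "span_seconds": span})
    return findings


if __name__ == "__main__":
    for f in find_recon_chains(SAMPLE_LOG):
        print(f"recon chain from {f['parent']} (pid {f['ppid']}) "
              f"in {f['span_seconds']:.0f}s")
```

Inventory and MDM agents can legitimately run some of these commands, so in production add an allow-list on the parent image path and pair this rule with the 60-second beacon cadence described in step 6, which shows up as a regular outbound POST from the same process.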
It’s worth noting that the backdoor’s command loop resembles previous malware. What is unique here is the persistence mechanism, which abuses the zshenv configuration file.
Because zsh reads its zshenv file on every invocation, interactive or not, a single line appended there re-launches the payload each time a shell starts, without the LaunchAgent or Login Item that defenders normally look for. Commenting on this persistence tactic, the researchers stated that:
“While this technique is not unknown, it is the first time we have observed it used in the wild by malware authors. It has particular value on modern versions of macOS since Apple introduced user notifications for background Login Items as of macOS 13 Ventura.”
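A practical check for this technique is to read the zsh startup files and look for anything that launches a binary rather than setting environment variables. The following is an added example, not code from the article or SentinelLabs, that scans ~/.zshenv and the related startup files with a handful of generic heuristics. The sample file contents and the launcher path `/Users/Shared/.local/growth` are constructed for illustration, and the patterns are not the report’s indicators of compromise.

```python
"""Added example (not code from the article or SentinelLabs): triage zsh
startup files for attacker-appended launchers. ~/.zshenv is read by every
zsh invocation, interactive or not, so one appended line re-runs on each
shell start without a LaunchAgent or Login Item. The patterns below are
generic heuristics, not the report's indicators."""
import re
from pathlib import Path

# (regex, reason). Tune to your fleet; legitimate tooling can trip these.
SUSPICIOUS_PATTERNS = (
    (r"/Users/Shared/", "references /Users/Shared, the dropper's staging directory"),
    (r"(?:^|[;&|]\s*)(?:/private)?/tmp/\S+", "runs something from a temp directory"),
    (r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b", "pipes a download into a shell"),
    (r"\bosascript\b|\bbase64\b.*\s-(?:d|D|-decode)\b", "scripted or encoded launcher"),
    (r"&\s*$", "backgrounds a process on shell start"),
)

# Constructed sample of a tampered ~/.zshenv. The first two lines are
# ordinary; the last is a hypothetical launcher (the path is a placeholder).
SAMPLE_ZSHENV = """\
export PATH="$HOME/.cargo/bin:$PATH"
export EDITOR=vim
# added 2024-10-19
/Users/Shared/.local/growth >/dev/null 2>&1 &
"""


def scan_startup_text(text: str) -> list:
    """Return one finding per (line, pattern) match; comments are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if re.search(pattern, line):
                findings.append({"line": lineno, "text": line, "reason": reason})
    return findings


def scan_startup_files(home: Path = None) -> dict:
    """Scan the user's and the system's zsh startup files that exist on disk."""
    home = home or Path.home()
    candidates = [home / ".zshenv", home / ".zprofile", home / ".zshrc",
                  Path("/etc/zshenv"), Path("/etc/zprofile")]
    return {str(p): scan_startup_text(p.read_text(errors="replace"))
            for p in candidates if p.is_file()}


if __name__ == "__main__":
    for path, hits in scan_startup_files().items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['reason']}: {h['text']}")
```

Run it from a fleet-management job rather than from an interactive shell on the suspect host, since launching a shell there is exactly what triggers the persistence; at minimum, compare the file’s modification time and contents against a known-good baseline.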
Given the impact of the North Korean crypto attacks, macOS users are encouraged to keep their systems and security tooling up to date and to build awareness of the lures being used against them. That awareness feeds a security strategy that reduces risk exposure and leads to greater protection.
Conclusion
The North Korean crypto attacks demonstrate a sophisticated, evolving approach to targeting macOS users in the cryptocurrency sector. Utilizing multi-stage malware, social engineering tactics, and advanced persistence methods, these campaigns emphasize the need for heightened awareness and strong security practices.
Regular software updates, caution with unknown emails, and staying informed about current threat tactics are essential to reducing risk and enhancing protection. As cyber threats continue to advance, proactive security measures remain critical for safeguarding against these kinds of targeted attacks.
The sources of this piece include articles in The Hacker News and SentinelLabs.