North Korean Hackers Target Cryptocurrency Firms with Malware Designed for Mac Systems

North Korean hackers are employing advanced malware tactics to infiltrate Web3 and cryptocurrency companies, specifically targeting macOS systems. Recent analysis by security researchers reveals a sophisticated campaign actively utilizing fake Zoom invitations to distribute malware designed to evade conventional security measures.

The malware, referred to as “NimDoor,” combines social engineering with deceptive AppleScripts and binaries compiled in the Nim programming language. Nim is relatively uncommon on macOS, which complicates detection.

The attack typically commences with the attackers impersonating trusted individuals through messaging platforms like Telegram. Victims are convinced to schedule Zoom meetings via shared Calendly links.

Emails then follow, carrying malicious AppleScript files disguised as Zoom SDK updates. To avoid detection, the scripts are padded with thousands of lines of irrelevant code; once executed, they fetch additional malware from servers that mimic legitimate Zoom domains.

Once the malicious scripts run, they install two main binaries on the victim’s machine: one written in C++ and another in Nim. These binaries maintain persistent access and facilitate data exfiltration using methods that are unconventional on macOS, such as process injection with unique entitlements.

Encrypted communications over WebSockets enhance their stealth, while signal-based mechanisms ensure reinstallation if the malware is terminated or the system is rebooted. Data theft is executed through Bash scripts that scrape sensitive information from browsers and applications, including browser history, Keychain credentials, and Telegram data.

The malware utilizes deceptive file names to blend in with legitimate system files and employs various anti-analysis measures to evade detection. To protect against such threats, users are advised not to execute scripts from unexpected emails or messages.

They should scrutinize URLs for authenticity, keep their systems updated, and utilize reputable security tools capable of detecting unusual behaviors. Regular reviews of login items and system agents are also recommended to identify unauthorized software.
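The periodic review of login items and agents recommended above can be scripted. The following is an added example, not code from the article or the researchers it cites: it parses launchd plists with Python's standard plistlib and flags the traits the article describes (executables living outside trusted paths or in hidden directories, and labels that borrow Apple's or Zoom's naming to blend in). The trusted-path list, the mimicked label prefixes and the two sample plists are assumptions constructed for the demo.

```python
"""Audit macOS launchd plists for the persistence traits the article describes:
executables outside trusted paths or in hidden directories, and labels that
borrow Apple's or Zoom's naming. Heuristics and sample plists are constructed."""
import os
import plistlib
import tempfile

# Prefixes from which a legitimate agent's executable normally runs (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")
# Vendor label prefixes an impostor agent might borrow (assumption).
MIMICKED_LABEL_PREFIXES = ("com.apple.", "us.zoom.", "com.zoom.")

def executable_of(plist):
    """Return the path launchd would execute for this plist ('' if none)."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""

def audit_plist(path):
    """Return the list of red flags for one plist file (empty means clean)."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    exe = executable_of(plist)
    label = plist.get("Label", "")
    flags = []
    if not exe.startswith(TRUSTED_PREFIXES):
        flags.append(f"executable outside trusted paths: {exe or '<none>'}")
    if any(part.startswith(".") for part in exe.split("/") if part):
        flags.append(f"executable inside a hidden directory: {exe}")
    if label.startswith(MIMICKED_LABEL_PREFIXES):
        flags.append(f"label impersonates a trusted vendor: {label}")
    return flags

def audit_directory(directory):
    """Map every .plist filename in the directory to its list of red flags."""
    return {name: audit_plist(os.path.join(directory, name))
            for name in sorted(os.listdir(directory)) if name.endswith(".plist")}

def demo():
    """Write two constructed plists to a temp dir and audit them (sample data)."""
    benign = {"Label": "com.example.sync", "RunAtLoad": True,
              "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"]}
    impostor = {"Label": "com.apple.PLACEHOLDER-update", "RunAtLoad": True,
                "ProgramArguments": ["/Users/victim/.cache/PLACEHOLDER-update", "-d"]}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("benign.plist", benign), ("impostor.plist", impostor)):
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(data, fh)
        return audit_directory(tmp)
```

On a real Mac, point audit_directory at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, and treat each flag as a lead to investigate rather than a verdict.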

In addition, strong password practices and enabling multi-factor authentication offer further layers of security.

7 July 2025
