New MacOS malware linked to North Korean hackers

Security researchers have discovered new macOS malware that appears to come from a notorious North Korean hacker group to target cryptocurrency-related businesses.

The “Hidden Risk” malware arrives via phishing emails filled with fake news headlines and edited articles about cryptocurrency-related topics, according to researchers at cybersecurity vendor SentinelOne.

Phishing emails attempt to trick recipients into clicking an embedded link, which can download a malicious program. “The app is disguised as a link to a PDF document related to a cryptocurrency topic such as ‘Hidden Risk Behind New Bitcoin Price Surge’, ‘Altcoin Season 2.0-Hidden Gems’ and ‘New Era for stablecoins and DeFi, CeFi’,” wrote the researchers, who saw phishing emails targeting “a crypto-related industry” last month.

Crypto documents bundled with phishing emails (Credit: SentinelOne)

Measuring just 698KB in size, the malware is also called “Hidden Risk Behind New Bitcoin Price Rise.app” and can run on Macs built with Intel and Apple silicon. The program also received an official notarization from Apple on October 19, thanks to hackers who apparently hijacked a legitimate Apple developer account from a third-party company in India.

Malicious program (Credit: SentinelOne)

Launching the program causes it to download a decoy PDF document while also fetching and executing a second, malicious payload. This second payload is built to run on Intel-powered Macs, but it can also be launched on an Apple silicon Mac through Apple’s Rosetta translation layer if Rosetta is already installed.

This creates a backdoor on the Mac, opening a communication channel with a server controlled by the hackers. The same backdoor can also execute commands and install an additional payload to keep operating on the Mac.

Although SentinelOne noticed the phishing emails last month, the hacking campaign likely started as early as July. Researchers also suspect North Korea’s BlueNoroff group is behind the attacks, pointing to the Internet domain and IP addresses used to host the attacks and their connection to previous hacking campaigns.


“One factor that is relatively consistent throughout many of these campaigns is that threat actors are seemingly able to buy or hijack at will the valuable accounts of Apple ‘identified developers,’ have their malware notarized by Apple and bypass macOS Gatekeeper and other built-in Apple security technologies,” added the SentinelOne researchers. Apple has since deregistered the malware.

Code signing for the program (Credit: SentinelOne)
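As an added example (not SentinelOne’s or PCMag’s code), the small Python triage helper below reads the output of Apple’s `codesign` and `spctl` tools for a downloaded .app and reports the signing Team ID, the CPU architectures the bundle targets, and the current Gatekeeper verdict; the sample tool output and every identifier in it are constructed placeholders, and the `inspect_app` wrapper assumes it is run on a Mac with both tools on PATH.

```python
import re
import subprocess

# Constructed sample in the shape `codesign -dv --verbose=4 Some.app` prints
# to stderr. The bundle identifier and Team ID are placeholders, not real ones.
SAMPLE_CODESIGN = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.placeholder
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Co (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""

# Constructed sample in the shape of `spctl --assess --type execute -vv Some.app`.
SAMPLE_SPCTL = """/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Co (TEAMID0000)
"""


def triage(codesign_out: str, spctl_out: str) -> dict:
    """Summarise who signed an app bundle, which CPUs it targets and whether
    Gatekeeper currently accepts it. A 'Notarized Developer ID' verdict only
    shows Apple's scan passed at notarization time; the Team ID is what you
    compare against vendor advisories and what Apple revokes afterwards."""
    fields = dict(m.groups() for m in re.finditer(r"^(\w+)=(.*)$", codesign_out, re.M))
    leaf = re.search(r"^Authority=(.*)$", codesign_out, re.M)  # first = signing cert
    archs = re.findall(r"\b(x86_64|arm64e?|i386)\b", fields.get("Format", ""))
    verdict = re.search(r": (accepted|rejected)", spctl_out)
    source = re.search(r"^source=(.*)$", spctl_out, re.M)
    return {
        "identifier": fields.get("Identifier"),
        "team_id": fields.get("TeamIdentifier"),
        "signer": leaf.group(1) if leaf else None,
        "archs": sorted(set(archs)),
        "intel_only": archs == ["x86_64"],  # would need Rosetta on Apple silicon
        "gatekeeper": verdict.group(1) if verdict else "unknown",
        "source": source.group(1) if source else "unknown",
    }


def inspect_app(path: str) -> dict:
    """Run the real macOS tools on a bundle (assumption: macOS, tools on PATH)."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                        capture_output=True, text=True)
    return triage(cs.stderr, sp.stdout + sp.stderr)
```

A bundle that reports `accepted` with source `Notarized Developer ID` today can report `rejected` tomorrow once Apple revokes the certificate, so the Team ID and signer fields are the values worth logging at download time.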

It’s not the first time BlueNoroff has targeted macOS. A year ago, security researchers also discovered evidence that the group was behind a particular type of macOS malware that masqueraded as a PDF viewer app. Experts believe BlueNoroff is a sub-unit under Lazarus, the North Korean state-sponsored hacking group perhaps best known for the 2014 Sony Pictures hack and numerous crypto-related heists.


About Michael Kan

Senior reporter

I’ve worked as a journalist for more than 15 years – I started as a schools and cities reporter in Kansas City and joined PCMag in 2017.
