A North Korean threat campaign is targeting Web3 and cryptocurrency platforms with a macOS-specific malware tracked as “NimDoor.”
That comes from Phil Stokes and Raffaele Sabato of SentinelOne’s SentinelLABS threat research team, who wrote a blog post on July 2 detailing a macOS-specific threat campaign utilizing binaries compiled with Nim, a cross-platform programming language.
Threat actors tied to the Democratic People’s Republic of Korea (DPRK) used social engineering tactics and the Telegram messaging platform to instruct targets in the Web3 and cryptocurrency spaces to run a fake “Zoom SDK update script” that kicks off the infection chain. The malware ultimately steals Telegram user data, browser data, and Apple Keychain credentials.
Although the campaign is new, others reminiscent of it have been seen before. For example, last summer security researcher Patrick Wardle explained how North Korean threat actors delivered a macOS infostealer by spoofing the video calling service Microtalk. And although not specific to North Korea, Cado Security last August described a macOS infostealer that targets browser credentials and cryptocurrency wallets.
SentinelOne also previously detailed a campaign where DPRK threat actors would get targets to install macOS malware under the pretense of a job interview. That is of course not to be confused with the increased rampancy of North Korean IT worker scams.
SentinelOne’s research is based in part on previous research published in April by Huntabil.IT and another by Huntress last month.
How NimDoor Works
According to Stokes and Sabato, the attack chain starts with the threat actor posing as one of the target’s trusted Telegram contacts and inviting them to schedule a Calendly meeting. The target is sent a Zoom meeting link with instructions to install a “Zoom SDK update script.”
The script, “zoom_sdk_support.scpt,” is padded with significant whitespace to obfuscate its last three lines — malicious code that retrieves and executes “a second-stage script from a command-and-control server.”
The command-and-control domain also looks looks similar to a Zoom support link. Additionally, Stokes and Sabato said in the blog, “The follow-on script downloads an HTML file named check, which includes a legitimate Zoom redirect link.”
Once threat actors get their hooks in, multiple binaries are installed. Though elements of how the malware works differ depending on instances of the tracked campaign, the broader components of the attack are split into those used for infostealing — namely, browser data, Keychain data, and Telegram user data — and those used for long-term persistence.
Defender Takeaways
Stokes and Sabato highlighted multiple unique attributes involving NimDoor, including a persistence mechanism that “takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted,” as well as “a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol.” The researchers called the latter particularly unusual for macOS malware.
Stokes and Sabato concluded that NimDoor on the whole highlights how threat actors are using cross-platform programming languages in ways “that introduce new levels of complexity for analysts.”
In an email, Stokes tells Dark Reading that defenders should review indicators of compromise included in the blog post and ensure they’re using trusted endpoint protection. Moreover, as is the case with all social engineering campaigns, defenders should be wary of common attack attempts.
“End users and those working in Web3 and Crypto are advised to treat any unsolicited approaches for meetings from contacts via social media, particularly Telegram, with caution,” Stokes says. “Any request to update or download software in order to facilitate such a meeting should be considered a red flag.”
