Beware! North Korean Hackers Target Mac Users in a Very Creative Way
The post Beware! North Korean Hackers Target Mac Users in a Very Creative Way appeared on BitcoinEthereumNews.com. SentinelLabs, the research and threat intelligence arm of cybersecurity firm SentinelOne, has delved into a new and sophisticated attack campaign called NimDoor, targeting macOS devices from DPRK bad actors. The elaborate scheme involves using the programming language Nim to inject multiple attack chains on devices used in small Web3 businesses, which is a recent trend. Self-proclaimed investigator ZachXBT has also uncovered a chain of payments made to Korean IT workers, which could be part of this ingenious group of hackers. How The Attack is Executed The detailed report by SentinelLabs describes a novel and obfuscated approach to breaching Mac devices. It begins in a now-familiar way: by impersonating a trusted contact to schedule a meeting via Calendly, with the target subsequently receiving an email to update the Zoom application. You can find more information on this particular scam trick in our detailed report here. The update script ends with three lines of malicious code that retrieve and execute a second-stage script from a controlled server to a legitimate Zoom meeting link. Clicking on the link automatically downloads two Mac binaries, which initiate two independent execution chains: the first scrapes general system information and application-specific data. The second ensures that the attacker will have long-term access to the affected machine. The attack chain then continues by installing two Bash scripts via a Trojan. One is used to target data from specific browsers: Arc, Brave, Firefox, Chrome, and Edge. The other steals Telegram’s encrypted data and the blob used to decrypt it. The data is then extracted to the controlled server. What makes this approach unique and challenging for security analysts is the use of multiple malware components and varied techniques employed to inject and spoof malware, making it very difficult to detect. Similar attacks have also been detected by Huntabil.IT in…
The post Beware! North Korean Hackers Target Mac Users in a Very Creative Way appeared on BitcoinEthereumNews.com.
SentinelLabs, the research and threat intelligence arm of cybersecurity firm SentinelOne, has delved into a new and sophisticated attack campaign called NimDoor, targeting macOS devices from DPRK bad actors. The elaborate scheme involves using the programming language Nim to inject multiple attack chains on devices used in small Web3 businesses, which is a recent trend. Self-proclaimed investigator ZachXBT has also uncovered a chain of payments made to Korean IT workers, which could be part of this ingenious group of hackers. How The Attack is Executed The detailed report by SentinelLabs describes a novel and obfuscated approach to breaching Mac devices. It begins in a now-familiar way: by impersonating a trusted contact to schedule a meeting via Calendly, with the target subsequently receiving an email to update the Zoom application. You can find more information on this particular scam trick in our detailed report here. The update script ends with three lines of malicious code that retrieve and execute a second-stage script from a controlled server to a legitimate Zoom meeting link. Clicking on the link automatically downloads two Mac binaries, which initiate two independent execution chains: the first scrapes general system information and application-specific data. The second ensures that the attacker will have long-term access to the affected machine. The attack chain then continues by installing two Bash scripts via a Trojan. One is used to target data from specific browsers: Arc, Brave, Firefox, Chrome, and Edge. The other steals Telegram’s encrypted data and the blob used to decrypt it. The data is then extracted to the controlled server. What makes this approach unique and challenging for security analysts is the use of multiple malware components and varied techniques employed to inject and spoof malware, making it very difficult to detect. Similar attacks have also been detected by Huntabil.IT in…
What's Your Reaction?
