North Korean hackers are launching new malware targeting Apple devices as part of their cyberattack campaign against cryptocurrency companies.
According to a report released by cybersecurity firm Sentinel Labs on Wednesday, attackers disguise themselves as trusted individuals on messaging apps like Telegram, then initiate requests masquerading as Zoom meetings through Google Meet links, sending victims content disguised as Zoom update files.
Once the "update" is executed, the malicious payload installs malware named "NimDoor" on Mac computers, targeting cryptocurrency wallets and browser passwords.
Previously, Mac computers were generally considered less susceptible to hacking and exploitation, but this situation has changed.
Although the attack vector is relatively common, the malware is written in a rare programming language called Nim, making it harder for security software to detect.
Researchers stated, "While the early stages of the attack still follow North Korean (DPRK) patterns of social engineering, bait scripts, and disguised updates, the use of Nim-compiled binaries on macOS is quite rare."
Nim is a newer and less common programming language that can run on platforms like Windows, Mac, and Linux without modification, and is gradually being adopted by cybercriminals. This means hackers only need to write one set of malicious code for cross-platform deployment.
Nim also compiles quickly, produces standalone executable files, and yields binaries that security tools find very difficult to detect.
Sentinel researchers noted that North Korean threat groups had previously experimented with programming languages like Go and Rust, but Nim offers significant advantages.
Researchers pointed out that the payload includes a credential-stealing tool "specifically designed to silently extract browser and system-level information, package it, and exfiltrate it."
Additionally, it contains scripts specifically for stealing Telegram's local encrypted database and decryption keys.
The malware also delays its activation by ten minutes to evade detection by security scanners.
Cybersecurity solution provider Huntress reported in June that similar malware intrusions were linked to the North Korean state-sponsored hacking group "BlueNoroff."
Researchers highlighted that a notable feature of this malware is its ability to bypass Apple's memory protection mechanisms to inject the malicious payload into the system.
The malware can be used for keylogging, screen recording, clipboard data retrieval, and includes a "fully functional information-stealing tool" named CryptoBot, which "specifically targets cryptocurrency theft." This information stealer can penetrate browser extensions, specifically looking for wallet plugins.
This week, blockchain security company SlowMist warned users to be vigilant against a "large-scale malicious campaign" involving dozens of counterfeit Firefox extensions aimed at stealing cryptocurrency wallet credentials.
Sentinel Labs researchers concluded, "In recent years, we have seen macOS increasingly become a target for threat actors, especially high-skilled, state-sponsored attackers." This phenomenon also shatters the myth that "Macs don't get viruses."
Original article: “North Korean Hackers Exploit Rare Mac Vulnerability to Target Crypto Projects”