d0ctrine
BlueNoroff-linked campaign uses email phishing with fake PDFs to infect Apple devices.
North Korean-linked hackers targeting cryptocurrency firms have deployed Hidden Risk, a multi-stage malware campaign designed to infect Apple macOS devices, according to cybersecurity firm SentinelOne.
SentinelOne attributed the Hidden Risk campaign with high confidence to the BlueNoroff group, previously associated with malware families like RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift.
The campaign involves sending emails that propagate fake news about cryptocurrency trends, enticing targets to open a malicious application disguised as a PDF file, researchers Raffaele Sabato, Phil Stokes, and Tom Hegel reported in a briefing shared with The Hacker News.
Campaign Timeline and Tactics
"The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics," the researchers stated.
A September 2024 advisory by the US Federal Bureau of Investigation (FBI) reveals that such campaigns are part of "highly tailored, difficult-to-detect social engineering" attacks aimed at employees in the decentralized finance (DeFi) and cryptocurrency sectors.
The phishing attacks typically present bogus job opportunities or corporate investment propositions, engaging targets over extended periods to build trust before delivering malware payloads.
In late October 2024, SentinelOne observed an email phishing attempt targeting the crypto industry that delivered a dropper application named "Hidden Risk Behind New Surge of Bitcoin Price.app," hosted on delphidigital.org.
Technical Analysis
Developed in the Swift programming language, the application was signed and notarized on October 19, 2024, using the Apple developer ID "Avantis Regtech Private Limited (2S8XHJ7948)." However, Apple has since revoked the signature.
Upon execution, the application displays a decoy PDF file from Google Drive and stealthily downloads a second-stage Mach-O x86-64 executable from a remote server. This C++-based unsigned binary functions as a backdoor, enabling remote command execution.
The backdoor incorporates a novel persistence mechanism that exploits the zshenv configuration file, marking the first known use of this technique by malware authors in the wild.
"It has particular value on modern versions of macOS since Apple introduced user notifications for background Login Items as of macOS 13 Ventura," the researchers noted.
"Apple's notification aims to warn users when a persistence method is installed, particularly oft-abused LaunchAgents and LaunchDaemons. Abusing Zshenv, however, does not trigger such a notification in current versions of macOS."
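Because macOS does not warn when ~/.zshenv or /etc/zshenv is modified, a defender has to look for this persistence path directly. The following POSIX shell script is an added example written for this post; it is not SentinelOne's tooling or anything from the campaign itself. It scans the standard zshenv locations for lines that look like planted persistence (downloaders, encoded payloads, backgrounded processes, paths under /tmp) and prints a fingerprint of each file so it can be compared against a known-good baseline. The indicator patterns in SUSPECT_PATTERN and the file list in ZSHENV_PATHS are assumptions chosen for illustration, not indicators published with the report.

```shell
#!/bin/sh
# zshenv persistence audit (added example, not the article's or SentinelOne's code).
# zsh sources these files on every launch, interactive or not, which is why
# they are attractive for persistence and why they deserve a periodic check.

# Standard locations zsh reads (assumed list; adjust for your fleet).
ZSHENV_PATHS="/etc/zshenv /etc/zsh/zshenv ${HOME}/.zshenv"

# Extended-regex indicators (assumed for illustration): outbound downloads,
# encoded payloads, hidden execution, scratch-directory paths, background jobs.
SUSPECT_PATTERN='curl|wget|nohup|base64|eval |/tmp/|/var/tmp/|osascript|&[[:space:]]*$'

# scan_zshenv_file FILE
#   Prints each suspicious, non-comment line as "FILE:LINENO:content".
#   Returns 0 if anything was flagged, 1 if the file looks clean, 2 if unreadable.
scan_zshenv_file() {
    f="$1"
    [ -r "$f" ] || return 2
    # '|| true' keeps the assignment from aborting a caller running under set -e.
    hits=$(grep -nE "$SUSPECT_PATTERN" "$f" 2>/dev/null \
           | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed "s|^|$f:|"
        return 0
    fi
    return 1
}

# zshenv_fingerprint FILE
#   Prints a POSIX cksum of the file (or "missing") so a baseline can be kept
#   and diffed later; any change to a file that should be static is itself a lead.
zshenv_fingerprint() {
    if [ -r "$1" ]; then
        cksum < "$1" | cut -d' ' -f1
    else
        echo "missing"
    fi
}

# Walk the standard locations and summarise. Runs stand-alone on a host;
# the functions above are what an EDR rule or cron job would reuse.
flagged=0
for f in $ZSHENV_PATHS; do
    printf '%s fingerprint=%s\n' "$f" "$(zshenv_fingerprint "$f")"
    if scan_zshenv_file "$f"; then
        flagged=$((flagged + 1))
    fi
done
if [ "$flagged" -eq 0 ]; then
    echo "no suspicious zshenv entries found"
else
    echo "WARNING: $flagged zshenv file(s) contain suspicious entries; review them"
fi
```

Run it as the user whose shell is being audited (system-wide files are covered regardless), and keep the fingerprints alongside other baseline data so a change to a file that nobody edits stands out even when no pattern matches.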
Infrastructure and Evolution
BlueNoroff has also utilized domain registrar Namecheap to establish infrastructure themed around cryptocurrency, Web3, and investments, lending an air of legitimacy to their operations. Common hosting providers include Quickpacket, Routerhosting, and Hostwinds.
The attack chain shares elements with a previous campaign highlighted by Kandji in August 2024, which used a similarly named macOS dropper application "Risk factors for Bitcoin's price decline are emerging(2024).app" to deploy TodoSwift malware.
The reason for the threat actors' shift in tactics remains unclear; it may be a response to increased public scrutiny. "North Korean actors are known for their creativity, adaptability, and awareness of reports on their activities, so it's entirely possible that we're simply seeing different successful methods emerge from their offensive cyber program," Stokes told The Hacker News.
Another concerning aspect is BlueNoroff's capability to acquire or hijack valid Apple developer accounts to have their malware notarized by Apple, bypassing security measures.
Broader Context and Related Activities
"Over the last 12 months or so, North Korean cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive 'grooming' of targets via social media," the researchers noted.
"The Hidden Risk campaign diverts from this strategy, taking a more traditional and cruder, though not necessarily any less effective, email phishing approach. Despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident."
The ongoing campaign coincides with other North Korean hacker activities aimed at securing employment with Western companies and delivering malware through compromised codebases and conferencing tools, often disguised as hiring challenges or assignments.
The two intrusion sets, known as Wagemole (aka UNC5267) and Contagious Interview, have been linked to the threat group Famous Chollima (aka CL-STA-0240 and Tenacious Pungsan).
ESET, which refers to Contagious Interview as DeceptiveDevelopment, classifies it as a new Lazarus Group activity cluster focused on targeting freelance developers worldwide for cryptocurrency theft.
"The Contagious Interview and Wagemole campaigns showcase the evolving tactics of North Korean threat actors as they continue to steal data, land remote jobs in Western countries, and bypass financial sanctions," said Zscaler ThreatLabz researcher Seongsu Park.
"With refined obfuscation techniques, multi-platform compatibility, and widespread data theft, these campaigns represent a growing threat to businesses and individuals alike."