North Korea allegedly targeting crypto businesses with Mac-focused malware

Mac users in the crypto industry are being targeted with malware by suspected North Korean hackers looking to siphon funds, according to a new report.

Cybersecurity firm SentinelOne published a report on Thursday that links an incident they observed in October to several other attacks that have occurred since April 2023.  

Researchers said they observed a phishing attempt on a crypto-related firm  that was part of a campaign dating back to July of this year. The campaign — which they dubbed “Hidden Risk” — uses email and PDF lures with fake news headlines or stories about crypto-related topics.

The initial infection is achieved through a phishing email containing a link to a malicious application, which is disguised as a link to a PDF document relating to a cryptocurrency topic. Lure examples include“Hidden Risk Behind New Surge of Bitcoin Price,” “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi.”

“The emails hijack the name of a real person in an unrelated industry as a sender and purport to be forwarding a message from a well-known crypto social media influencer,” the researchers said. 

One PDF was modeled after a real research paper from an academic associated with the University of Texas titled “Bitcoin ETF: Opportunities and Risk.” 

Technical evidence tied the campaign to BlueNoroff — a subgroup of hackers the U.S. Treasury Department recently said is part of Lazarus, the most notorious North Korea-based government hacker group .

The U.N. said earlier this year that BlueNoroff was an operation housed within North Korea’s Reconnaissance General Bureau (RGB).

SentinelOne explained that unlike other campaigns previously attributed to BlueNoroff, Hidden Risk involved “an unsophisticated phishing email that does not engage the recipient with contextually-relevant content, such as reference to personal or work-related information.”

The link in the phishing email takes users to the first stage of a malicious application bundle entitled “Hidden Risk Behind New Surge of Bitcoin Price.app.”

The malicious Mac application was signed on October 19 with the Apple Developer ID “Avantis Regtech Private Limited” — a signature that has since been revoked by Apple.

When launched, the application downloads a decoy PDF file and opens it in the Preview app. The backdoor that is installed resembles other malware used previously by BlueNoroff but uses a novel method of persistence, the researchers said. 

The hackers also have built out an extensive network of connected infrastructure that mimics  legitimate Web3, cryptocurrency, fintech and investment organizations, they said. 

Over recent months, the hackers have abused domain registrar NameCheap to create many of the malicious sites and have used email marketing automation tools like Brevo to circumvent spam and phishing detection filters, SentinelOne

The researchers theorized that attention from law enforcement and the cyber industry on previous campaigns may have forced the hackers to shift their activity, but they also noted that it is likely the threat actors are well-resourced enough to launch multiple campaigns at once. 

One key warning is that BlueNoroff appears to be able to acquire or hijack valid Apple “identified developer” accounts at will, which allows them to have their malware notarized by Apple. This enables them to bypass security features repeatedly, enabling attacks on Mac devices.

North Korean groups like BlueNoroff have regularly targeted cryptocurrency-related businesses in an effort to steal funds or insert backdoor malware into devices. 

The SentinelLabs report references several previous findings from security companies like ESET, Jamf and others highlighting BlueNoroff’s attacks on macOS users. 

They added that the FBI warned in September that North Korea was conducting “highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance, cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency.”