North Korean BlueNoroff Group Targets Crypto Businesses with New macOS Malware
The North Korean hacking group, BlueNoroff, has initiated a new campaign named Hidden Risk, targeting cryptocurrency businesses with a sophisticated multi-stage malware designed specifically for macOS systems. This campaign employs phishing emails to lure victims with fake news about recent cryptocurrency activities.
Innovative Persistence Mechanism Evades Detection
The malware used in these attacks utilizes a novel persistence mechanism on macOS that does not trigger any alerts on the latest versions of the operating system, allowing it to evade detection effectively. BlueNoroff has a history of targeting macOS for cryptocurrency thefts, previously using the malware ‘ObjCShellz’ to open remote shells on compromised Macs.
Infection Chain: Phishing Emails and Malicious Links
The attack begins with a phishing email that appears to be forwarded by a cryptocurrency influencer. The email contains a link supposedly leading to a PDF with cryptocurrency news, but it actually points to the “delphidigital[.]org” domain controlled by the attackers. According to SentinelLabs researchers, this URL may serve a benign Bitcoin ETF document, but it can also deliver the first stage of a malicious application bundle named ‘Hidden Risk Behind New Surge of Bitcoin Price.app’.
Fake PDF (left) and original source (right)
Source: SentinelLabs
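The infection chain above hinges on a mismatch: the link promises a PDF of cryptocurrency news, but the same URL can hand back a macOS application bundle. The triage helper below is an added example, not code from the article or from SentinelLabs, showing how a mail-gateway or SOC script can flag that mismatch from what it can observe without opening anything: the anchor text and URL the recipient saw, and the filename and MIME type the server actually returned. The record layout, the `LinkObservation` class and the verdict labels are assumptions made for this example; the sample records are constructed, with the lure filename and defanged domain taken from the article.

```python
"""Flag document lures that deliver a macOS application bundle.

Added example (not the article's or SentinelLabs' code).  Each record is one
observed click: what the link claimed and what the server returned.  Verdicts
are per observation because, as the article notes, one URL may return a benign
PDF to some visitors and a '.app' bundle to others.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Words in anchor text or URL path that suggest a document is being offered.
DOCUMENT_HINTS = ("pdf", "report", "news", "document", "whitepaper")
# Filename endings that mean "runnable on a Mac", including archived bundles.
BUNDLE_SUFFIXES = (".app", ".app.zip", ".pkg", ".dmg")


@dataclass
class LinkObservation:
    link_text: str        # anchor text shown to the recipient
    url: str              # href, possibly defanged as in threat reports
    served_filename: str  # from Content-Disposition or the final URL path
    served_mime: str      # Content-Type of the response


def refang(url: str) -> str:
    """Turn report-style 'hxxp://x[.]org' back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def claims_document(obs: LinkObservation) -> bool:
    """True if the link text or URL path advertises a document."""
    text = obs.link_text.lower()
    path = urlparse(refang(obs.url)).path.lower()
    return any(h in text for h in DOCUMENT_HINTS) or path.endswith(".pdf")


def assess(obs: LinkObservation) -> str:
    """Return 'lure-mismatch', 'document', 'executable-download' or 'unknown'."""
    name = obs.served_filename.lower()
    is_bundle = name.endswith(BUNDLE_SUFFIXES)
    is_pdf = name.endswith(".pdf") and obs.served_mime == "application/pdf"
    claims = claims_document(obs)
    if claims and is_bundle:
        return "lure-mismatch"        # promised a document, delivered a bundle
    if claims and is_pdf:
        return "document"             # claim and delivery agree
    if is_bundle:
        return "executable-download"  # bundle, but no document lure
    return "unknown"


def triage(observations: list) -> dict:
    """Group observed filenames by verdict for a quick SOC summary."""
    out: dict = {}
    for obs in observations:
        out.setdefault(assess(obs), []).append(obs.served_filename)
    return out


# Constructed sample records; the lure title and defanged domain are from the
# article, the headers and benign filename are illustrative.
SAMPLES = [
    LinkObservation(
        "Hidden Risk Behind New Surge of Bitcoin Price (PDF)",
        "https://delphidigital[.]org/news",
        "Hidden Risk Behind New Surge of Bitcoin Price.app.zip",
        "application/zip",
    ),
    LinkObservation(
        "Hidden Risk Behind New Surge of Bitcoin Price (PDF)",
        "https://delphidigital[.]org/news",
        "bitcoin-etf-overview.pdf",
        "application/pdf",
    ),
    LinkObservation(
        "Get the wallet tool",
        "https://example.invalid/dl",
        "wallet-tool.dmg",
        "application/octet-stream",
    ),
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLES).items():
        print(f"{verdict}: {names}")
```

The two records for the same URL deliberately get different verdicts; a deny-list keyed on the domain alone would miss the first visit that came back clean, so the check is applied to every delivery rather than cached per host. A `.pdf` name is only trusted when the `Content-Type` agrees, since a bundle renamed to look like a document still carries the wrong type.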