Hackers Attacking macOS Users with New Multi-Stage Malware

North Korean threat actors, likely associated with BlueNoroff, have launched multi-stage malware attacks targeting cryptocurrency businesses, expanding their toolkit to include RustDoor/ThiefBucket and RustBucket campaigns. 

The Hidden Risk campaign, run by a DPRK-linked threat actor, employed a novel persistence technique involving Zsh configuration file manipulation.

Malicious PDF attachments disguised as cryptocurrency news were used to deliver the payload, aiming to compromise crypto-related businesses.

Phishing emails disguised as cryptocurrency-related PDF documents exploit social engineering to lure victims into downloading malicious applications often misattributed to legitimate individuals and influencers. They also leverage real research papers to increase credibility and bypass security measures.


The fake PDF displayed to targets (left) and the original source document hosted online (right)

The campaign uses a simplistic phishing email devoid of personalized details, in contrast to previous BlueNoroff tactics. The sender domain, kalpadvisory[.]com, is linked to spam activities within Indian stock market communities.

The phishing email contains a seemingly harmless link (to a Bitcoin ETF document) on delphidigital[.]org that can dynamically switch to deliver the “Hidden Risk” macOS malware.

Application icon for the Stage 1 dropper

The malicious Swift app “Hidden Risk Behind New Surge of Bitcoin Price.app” disguises itself as a PDF. It contains a universal Mach-O executable and is signed with a revoked Apple Developer ID.

The macOS malware leverages a decoy PDF to establish a foothold, then downloads and executes a malicious x86-64 binary from a hardcoded URL, bypassing macOS’s default HTTP security restrictions through a modified Info.plist file.

The x86-64 Mach-O backdoor, ‘growth’, is a 5.1 MB unsigned C++ executable that runs on Intel Macs and on Apple silicon devices with Rosetta. It is designed to execute remote commands and contains various functions for backdoor activities.

Interesting functions in the ‘growth’ binary

The ‘growth’ binary initiates a persistence mechanism using the sym.install_char__char_ function and subsequently collects system information like OS version, hardware model, boot time, current date, and running processes. A unique 16-character UUID is also generated. 

It fetches host data, sends it to a C2 server, receives instructions, executes them, and repeats, using HTTP POST requests and file operations to interact with the C2 and the system.

The DoPost function constructs and sends the HTTP request

The “mozilla/4.0” User-Agent and the “cur1-agent” identifier, both previously seen in RustBucket malware, together with similar C2 response parsing and ProcessRequest functions, suggest a connection to past threats.

The SaveAndExec function processes malicious payloads received from the C2 server: it extracts a command from the payload, creates a hidden file with a random name in the shared user directory, sets its permissions to full access, and executes the command using popen.

The SaveAndExec function changes the file’s permissions and then executes it

The threat actor leverages the Zshenv configuration file for persistent backdoor access, bypassing macOS user notifications.

While not entirely novel, this marks the first observed use by malware authors, providing a stealthy and effective persistence mechanism.
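A defender-side check for the persistence described above, as an added example that is not part of the original report: zsh sources `/etc/zshenv` and each user's `~/.zshenv` on every invocation, so the script below lists lines in those files that start or detach programs. The function names and match patterns are illustrative assumptions, not indicators published for this campaign.

```shell
#!/bin/sh
# Added example: audit zshenv files for lines that start or detach programs.
# Patterns are illustrative heuristics (assumptions), not campaign indicators.
SUSPICIOUS='/Users/Shared/|[^&]&[[:space:]]*$|(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh|(^|[^[:alnum:]_])(nohup|disown)([^[:alnum:]_]|$)'

# audit_zshenv FILE
# Prints "FILE:LINE:TEXT" for every flagged line.
# Returns 0 if something was flagged, 1 if the file is clean or missing.
audit_zshenv() {
    [ -f "$1" ] || return 1
    # Remove comments and blank lines first; -n keeps the original line numbers.
    hits=$(grep -nEv '^[[:space:]]*(#|$)' "$1" | grep -E "$SUSPICIOUS") || return 1
    printf '%s\n' "$hits" | while IFS= read -r line; do
        printf '%s:%s\n' "$1" "$line"
    done
}

# scan_zshenv [ROOT]
# Audits the system-wide file, root's file and every user's ~/.zshenv below
# ROOT (default: the live filesystem). Returns 0 if any file had a finding.
scan_zshenv() {
    root=${1:-}
    rc=1
    for f in "$root/etc/zshenv" "$root/var/root/.zshenv" "$root"/Users/*/.zshenv; do
        if audit_zshenv "$f"; then rc=0; fi
    done
    return "$rc"
}

# Run as: sh audit_zshenv.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    scan_zshenv "${2:-}"
fi
```

A flagged line is a lead for triage rather than a verdict, since developers sometimes launch agents from their shell configuration; passing a mounted disk image as ROOT audits an offline copy.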

The BlueNoroff threat actor, associated with the Hidden Risk campaign, leverages NameCheap and various hosting services to build a network of infrastructure themed around cryptocurrency and investment organizations. 

Sentinel Labs identified a broader cluster of activity by analyzing infrastructure relationships, DNS records, and bulk domain searches, including potential future targets and spoofing attempts. 


The post Hackers Attacking macOS Users with New Multi-Stage Malware appeared first on Cyber Security News.