North Korean BlueNoroff Group Targets Crypto Firms with macOS Malware

In a recent campaign dubbed "Hidden Risk," the North Korean-linked threat actor BlueNoroff has been targeting cryptocurrency businesses with a sophisticated macOS malware infection chain. Discovered by cybersecurity firm SentinelOne, this multi-stage malware attack relies on email phishing and PDF lures to gain initial access and compromise crypto-related firms and DeFi (Decentralized Finance) employees.

How the Hidden Risk Campaign Works

According to SentinelOne researchers Raffaele Sabato, Phil Stokes, and Tom Hegel, the Hidden Risk campaign exploits the trust associated with cryptocurrency news by delivering malware disguised as a legitimate PDF file about crypto trends. The attack chain typically follows these steps:

  1. Email Phishing Lures: The attack begins with emails containing fake cryptocurrency news or job offers, enticing victims to open a malicious application disguised as a PDF file.
  2. Payload Delivery: Once opened, the malicious app, named "Hidden Risk Behind New Surge of Bitcoin Price.app," downloads a decoy PDF file while covertly retrieving a second-stage Mach-O executable from a remote server, which acts as a backdoor for remote command execution.
  3. Advanced Persistence: To maintain persistence, the malware uses a novel method based on the zshenv configuration file, a technique not previously seen in the wild. Because zshenv is sourced by every zsh session rather than registered as a login item, this approach lets the malware avoid the background-task user notifications introduced in macOS 13 Ventura.
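The zshenv persistence described in step 3 is something a defender can check for directly. The script below is an added example, not code from the article or from SentinelOne's report: a POSIX shell audit of the zsh startup files that flags lines which look like a background-execution hook rather than ordinary shell configuration. The regex heuristics, the file list and the two constructed sample files are my own assumptions, not the campaign's indicators; tune the patterns to what your own fleet's dotfiles legitimately contain.

```shell
#!/bin/sh
# Added example (not from the article or SentinelOne): audit zsh startup files for
# lines that behave like a persistence hook. The patterns are heuristic assumptions.

# Shapes an interactive-shell config rarely needs: downloaders and decoders,
# quarantine stripping, job control, a command backgrounded at end of line, output
# discarded to /dev/null, or a path into a hidden directory under a home folder
# appearing as its own token (an export like PATH="$HOME/.cargo/bin" does not match).
SUSPICIOUS_RE='(^|[^[:alnum:]_])(curl|wget|base64|nohup|osascript|xattr|launchctl)([^[:alnum:]_]|$)|&[[:space:]]*$|>[[:space:]]*/dev/null|(^|[[:space:]])"?(~|\$HOME|/Users/[^/]+)/\.[^/[:space:]"]+/'

# Print the number of non-comment, non-blank lines in FILE that match the heuristics.
zshenv_suspicious_count() {
    n=$(grep -vE '^[[:space:]]*(#|$)' "$1" | grep -cE "$SUSPICIOUS_RE") || true
    printf '%s\n' "${n:-0}"
}

# Report on one file. Returns 0 when absent or clean, 1 when at least one line is flagged.
audit_zshenv() {
    file=$1
    if [ ! -f "$file" ]; then
        printf 'absent: %s\n' "$file"
        return 0
    fi
    n=$(zshenv_suspicious_count "$file")
    if [ "$n" -gt 0 ]; then
        printf 'SUSPICIOUS (%s line(s)): %s\n' "$n" "$file"
        grep -nE "$SUSPICIOUS_RE" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true
        return 1
    fi
    printf 'clean: %s\n' "$file"
    return 0
}

# Walk the system and per-user zsh startup files (zshenv is sourced by every zsh
# invocation, interactive or not, which is what makes it attractive for persistence).
scan_startup_files() {
    rc=0
    zdot=${ZDOTDIR:-$HOME}
    for f in /etc/zshenv "$zdot/.zshenv" /etc/zprofile "$zdot/.zprofile" /etc/zshrc "$zdot/.zshrc"; do
        audit_zshenv "$f" || rc=1
    done
    return "$rc"
}

# Constructed sample: a typical benign zshenv. Echoes the temp file path.
write_sample_clean() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed benign sample
export EDITOR=vim
export PATH="$HOME/.cargo/bin:$PATH"
export GOPATH="$HOME/go"
EOF
    printf '%s\n' "$f"
}

# Constructed sample: the shape of a persistence hook (generic placeholder path,
# not the campaign's real payload). Echoes the temp file path.
write_sample_suspicious() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed suspicious sample
export LANG=en_US.UTF-8
nohup "$HOME/.config/.hidden/updater" >/dev/null 2>&1 &
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--scan" ]; then
    scan_startup_files
else
    # Default run: demonstrate on the constructed samples only; nothing on the host is touched.
    clean=$(write_sample_clean); bad=$(write_sample_suspicious)
    audit_zshenv "$clean"
    audit_zshenv "$bad" || true
    rm -f "$clean" "$bad"
fi
```

Run it with `--scan` on a Mac to audit the real startup files; with no arguments it only exercises the constructed samples. A hit is a prompt to look, not a verdict: compare the flagged file against a known-good copy or your configuration-management source, and check the file's modification time against the user's own edits.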

The Threat Actor's Infrastructure and Targeting Strategy

To appear legitimate, the BlueNoroff group registers domains through Namecheap and hosts its infrastructure on popular providers like Quickpacket and Hostwinds. This infrastructure is themed around cryptocurrency, Web3, and investment. The malware is also signed and notarized with valid Apple developer IDs, indicating BlueNoroff’s ability to acquire or compromise legitimate Apple credentials.

Links to Other North Korean Cyber Campaigns

The campaign resembles a previous one highlighted by Kandji in August 2024, in which BlueNoroff used similarly named macOS dropper apps such as "Risk factors for Bitcoin’s price decline are emerging(2024).app." Additionally, North Korean cyber operations have increasingly targeted Western crypto firms and freelance developers through online social engineering, as observed in the recent Wagemole and Contagious Interview campaigns, attributed to another North Korean group, Famous Chollima (also known as Lazarus Group).

Security Measures for Cryptocurrency Firms

This campaign underscores the risks that cryptocurrency and DeFi organizations face from advanced persistent threat (APT) groups. To mitigate these risks, firms should:

  1. Enhance Email Security: Implement email filtering for phishing detection, particularly for job offers and investment opportunities.
  2. Monitor Developer Accounts: Regularly check for unauthorized developer account activity and application notarization.
  3. Use Threat Intelligence: Employ threat intelligence to detect North Korean-linked indicators of compromise (IoCs) and phishing infrastructure.
  4. Train Employees: Educate staff on phishing detection and security best practices, especially those who might handle sensitive crypto-related data.

As North Korean threat actors adapt their tactics in response to exposure, businesses must remain vigilant, deploying robust cybersecurity defenses to protect against evolving threats targeting the crypto industry.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067