North Korean-linked hackers were caught experimenting with new macOS malware
Hackers associated with North Korea were discovered embedding malware inside macOS applications built with an open-source software development kit, according to researchers at Jamf, a company that makes software geared toward mobile device management.
The research, released Tuesday, details malware discovered in late October by researchers on VirusTotal, a popular online file analysis tool. While the code was malicious, the online scanning platform gave the samples a clean bill of health. Jamf found three versions of the malware; two used the programming languages Golang and Python. The third was built using Flutter, which heavily obfuscates the code by default.
Researchers said the techniques and domains associated with the malware “align closely” with known North Korean tradecraft. North Korea’s cyber operations are typically financially motivated. Both campaigns were aimed at cryptocurrency-related intrusions and used infrastructure similar to that of North Korea’s Lazarus Group.
Flutter is an open-source programming framework developed by Google that lets developers build, design, and maintain applications across iOS, Android, Linux, macOS, Windows, and the web. The framework also obfuscates compiled code by default, which makes malicious code embedded in a Flutter app harder to reverse engineer.
“There is nothing inherently malicious about this app architecture, it just so happens to provide a good avenue of obfuscation by design,” the report notes.
Jamf researchers say it’s still an open question as to whether the malware was actively used in a campaign or simply to test a new method of attack. The malware was sophisticated enough to bypass Apple’s notarization process, a security mechanism that ensures macOS applications are free from known malware and harmful code.
Yet there was no explicit indication that the malware, which was embedded in a clone of the popular video game Minesweeper lifted straight from a GitHub repository, was used in an attack campaign. Additionally, the malware samples issued a URL request to a malicious domain, which theoretically would have started the next stage of the campaign. However, the report notes that the domain returned a 404 response by the time researchers found the malware.
The domain the malware pointed to was previously used in a campaign discovered by the cybersecurity firm Elastic, aimed at infecting blockchain engineers with macOS-specific malware. Lending further credence to the North Korea link, the Go variant of the macOS malware carried the same file name as another “infection vector” linked to a different operation, discovered by SentinelOne researchers, that targeted macOS devices.