DPRK-linked BlueNoroff used macOS malware with novel persistence

Summary:
SentinelLabs has identified a new multi-stage malware campaign, named "Hidden Risk", attributed to the North Korean state-backed threat actor BlueNoroff, which targets businesses in the cryptocurrency industry. This campaign marks a departure from BlueNoroff’s previous tactics of targeting the cryptocurrency sector through extensive social media grooming and espionage, and instead uses a more traditional phishing attack as the primary infection method. The phishing emails impersonate well-known cryptocurrency influencers and contain links to malicious macOS applications disguised as PDF documents discussing popular cryptocurrency topics like Bitcoin, altcoins, and stablecoins. These decoy documents are designed to appear as legitimate, timely research reports to increase the chances of convincing victims to download the malicious file.

Once the victim clicks on the phishing link, the initial malware payload is delivered as a Swift-based macOS application that mimics the expected PDF document. The application is signed using a hijacked Apple Developer ID, “Avantis Regtech Private Limited,” and was notarized by Apple on October 19, 2024, before being revoked after its discovery. Upon execution, the application opens a decoy PDF document but simultaneously downloads and installs the second-stage malware, which is an unsigned Mach-O C++ binary (referred to as “growth”). This backdoor payload contacts a remote server to maintain access to the compromised system, ensuring the attackers can continue to gather intelligence and potentially move laterally within the victim's network.

One of the most noteworthy aspects of this campaign is the malware's novel persistence mechanism. The second-stage payload abuses .zshenv, a Zsh configuration file (Zsh is the default shell in recent macOS versions). By modifying this file, the malware ensures its code is sourced in every Zsh session, a technique that bypasses the macOS user notifications shown for new persistence items and sidesteps traditional security controls. This method is more robust than older techniques that relied on files like .zshrc, which are read only by interactive shell sessions. Because .zshenv is also read by non-interactive Zsh invocations, the malware can run in the background without any user interaction, making it much harder for security tools to detect and remove. Once installed, the malware creates a hidden marker file at /tmp/.zsh_init_success to indicate that the persistence mechanism has been successfully set up.
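A defender-side check for the .zshenv technique described above, added here as an example and not taken from the SentinelLabs report: it flags lines in the user's .zshenv that execute hidden or /tmp paths, background a process or call downloaders, and checks for the /tmp/.zsh_init_success marker. The exact line the malware appends is not reproduced in this summary, so the patterns and the $ZDOTDIR fallback are assumptions, and the sample file used below is constructed.

```shell
#!/bin/sh
# Added hunt script (not from the report): review ~/.zshenv for persistence-style
# entries and check for the marker file named in the report. The patterns below are
# generic heuristics for manual review, not the malware's exact appended line.

ZSHENV_PATH="${ZDOTDIR:-$HOME}/.zshenv"   # zsh reads $ZDOTDIR/.zshenv, else ~/.zshenv
MARKER_PATH="/tmp/.zsh_init_success"       # marker file named in the report

# Lines worth a second look in a file that every zsh process sources:
#  - execution of something under a hidden directory or /tmp, or a trailing '&' (background job)
#  - nohup/curl/wget/base64/osascript, which a user's environment file rarely needs
SUSPICIOUS_RE='nohup|curl |wget |base64|osascript|/tmp/|/private/|(source|\.|sh|zsh|bash) +[^ ]*/\.[^ /]+|&[[:space:]]*$'

# Print the matching lines (with line numbers) of the file given as $1.
list_suspicious_lines() {
    [ -f "$1" ] || return 0
    grep -nE "$SUSPICIOUS_RE" "$1" || true
}

# Echo how many lines of $1 match; 0 when the file is absent or clean.
count_suspicious_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cE "$SUSPICIOUS_RE" "$1" || true
}

# Return 0 when the marker file at $1 exists (persistence already established), 1 otherwise.
marker_present() {
    [ -e "$1" ]
}

# Combined check: prints findings, returns 1 if anything was found, 0 if clean.
audit_zsh_persistence() {
    found=0
    n=$(count_suspicious_lines "$1")
    if [ "$n" -gt 0 ]; then
        echo "[!] $n suspicious line(s) in $1:"
        list_suspicious_lines "$1"
        found=1
    fi
    if marker_present "$2"; then
        echo "[!] marker file present: $2"
        found=1
    fi
    return $found
}

if audit_zsh_persistence "$ZSHENV_PATH" "$MARKER_PATH"; then
    echo "[+] no .zshenv persistence indicators found"
fi
```

Run it per user account; a non-zero exit means at least one line or the marker file needs a manual look, and a hit in a freshly created .zshenv on a host that never had one is the strongest signal.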

Analysis of the campaign's network infrastructure, including domains registered through Namecheap and hosted on providers like Quickpacket, Routerhosting, and Hostwinds, reinforces the attribution to BlueNoroff, a well-known North Korean cyber threat group. These malicious infrastructure indicators point to a continued focus by BlueNoroff on the cryptocurrency, Web3, and DeFi sectors. The tactics and infrastructure used in this campaign are similar to a macOS malware attack in August 2024, which also leveraged notarized malware signed with hijacked Apple Developer IDs. This demonstrates that BlueNoroff is actively refining its approach in response to ongoing public reporting on its activities.

The Hidden Risk campaign underscores BlueNoroff’s adaptability and resourcefulness: the group shifts tactics to evade well-known security tools and uses stolen developer credentials to sign its malicious applications. Despite the blunt nature of the initial infection (phishing), the sophistication of the second-stage malware and the stealthy persistence mechanism highlight the group’s continued interest in infiltrating the cryptocurrency sector, which remains a high-value target for financially motivated cyber espionage campaigns. This attack also represents a growing trend of state-sponsored actors targeting emerging sectors like Web3, cryptocurrency, and decentralized finance (DeFi), with the aim of extracting valuable information or diverting funds for state interests.

Security Officer Comments:
The attack also highlights North Korea's growing financial and strategic interest in the cryptocurrency space. BlueNoroff has been linked to previous campaigns targeting the crypto industry, and the ongoing exploitation of this sector suggests it will continue to be a priority. Although the phishing component of this attack is relatively simple, the overall complexity of the malware and its persistence mechanism demonstrates the group’s ability to adapt and improve its tools to evade detection. This is an example of how cyber adversaries can use conventional methods in new, more effective ways, making it harder for organizations to stay ahead of them.

Suggested Corrections:
To mitigate the risks associated with the Hidden Risk campaign, organizations should implement a multi-layered security approach. First, strengthen email defenses with robust phishing detection tools and train employees to recognize suspicious communications, particularly those impersonating industry figures. Application whitelisting and strict software validation can prevent the execution of unauthorized software, including malware that carries a valid signature, while regular audits of notarized applications and developer IDs can help identify compromised software.

Link(s):
https://www.sentinelone.com/labs/bl...-with-fake-crypto-news-and-novel-persistence/