North Korean Hackers Target macOS Using Flutter-Embedded Malware

Summary:
North Korean-linked threat actors have started embedding malware in applications built using Flutter, a cross-platform development framework, specifically to target Apple macOS devices—a first for this adversary. Jamf Threat Labs identified this tactic after analyzing artifacts found on the VirusTotal platform. These Flutter-based applications are part of a larger operation involving malware written in Golang and Python, though it remains unclear how these samples are being distributed to victims or if they have actively targeted anyone yet. The attackers are known for deploying advanced social engineering tactics, especially toward employees in cryptocurrency and decentralized finance sectors, which may suggest a possible testing phase.

One particular malicious app, posing as a Minesweeper game titled "New Updates in Crypto Exchange (2024-08-28)," stands out as it is built in Flutter, with its primary payload written in Dart. The app is a clone of a basic Flutter game for iOS, publicly available on GitHub, which the attackers repurposed to lure victims with a game-themed front. This tactic is similar to one used by another North Korean hacking group, Moonstone Sleet.

To make the app appear legitimate, the threat actors used Apple developer IDs, which enabled the app to pass through Apple’s notarization process. These signatures have since been revoked by Apple following the discovery. Once opened, the malware communicates with a remote server and is designed to receive and execute commands sent as AppleScript code. A unique feature of the malware is that the AppleScript commands are sent in reverse, making them harder to detect through simple analysis.

Security Officer Comments:
Jamf Threat Labs also uncovered other versions of the malware written in Go and Python, both of which exhibit similar functionality. These variants, titled “NewEra for Stablecoins and DeFi, CeFi (Protected)[.]app” and “Runner[.]app,” are capable of executing AppleScript payloads received from the server via HTTP responses. The Python version is built using Py2App, a tool that enables Python applications to run on macOS. Jamf has not definitively attributed these attacks to a specific group, but infrastructure overlaps suggest a likely connection to BlueNoroff, a subgroup of the notorious Lazarus Group. BlueNoroff is known for targeting financial entities, particularly in cryptocurrency, and has previously employed similar methods to infiltrate targets.

Suggested Corrections:
Strengthen Application Vetting and Security Policies:
  • Enforce app whitelisting to only allow trusted applications, reducing the chance of malicious software installation.
Enhanced Monitoring and Detection:
  • Monitor for unusual network requests, particularly to unfamiliar or suspicious domains.
  • Deploy endpoint detection and response tools configured to recognize unusual AppleScript usage and reverse-encoded commands, which are a tactic used in this attack.
Secure Apple Developer IDs:
  • Encourage regular audits for developer IDs and certificate usage to prevent unauthorized applications from being signed and notarized.
  • Apple developers should ensure their certificates are securely managed to prevent abuse in social engineering or malware signing by attackers.
Employee Training on Social Engineering:
  • Educate employees, particularly those in cryptocurrency and financial roles, about phishing and social engineering risks.
  • Run regular awareness programs emphasizing the importance of verifying app legitimacy and recognizing game-themed lures, which these attackers have used before.
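The monitoring suggestion above asks for detection of reverse-encoded AppleScript, the trick the report describes where the server sends its AppleScript commands backwards. The following is an added triage heuristic, not code from Jamf or the article: it scores a captured HTTP response body against a small set of AppleScript phrases both as received and reversed, so a body that only "reads" as AppleScript after reversal is flagged. The marker list, threshold and sample response bodies are all constructed for illustration.

```python
# Heuristic triage for HTTP response bodies captured by an EDR or proxy.
# Flags bodies that look like AppleScript either as-is or once reversed,
# mirroring the reversed-command trick described in the Jamf report.

# Constructed marker list: multi-word AppleScript phrases that rarely
# occur in ordinary API responses. Tune for your environment.
APPLESCRIPT_MARKERS = (
    "tell application", "do shell script", "display dialog",
    "end tell", "osascript", "on run", "end run", "activate",
)

def applescript_score(text: str) -> int:
    """Number of distinct AppleScript markers present (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for marker in APPLESCRIPT_MARKERS if marker in lowered)

def classify_command(body: str, threshold: int = 2) -> dict:
    """Classify one response body as plain AppleScript, reversed AppleScript,
    or benign. Reversal is checked by scoring body[::-1]; the reversed form
    wins only if it scores strictly higher than the forward form."""
    forward = applescript_score(body)
    reversed_body = body[::-1]
    backward = applescript_score(reversed_body)
    if backward >= threshold and backward > forward:
        return {"verdict": "reversed_applescript", "score": backward,
                "decoded": reversed_body}
    if forward >= threshold:
        return {"verdict": "applescript", "score": forward, "decoded": body}
    return {"verdict": "benign", "score": max(forward, backward), "decoded": None}

def scan_responses(responses: dict) -> dict:
    """Map each captured response (keyed by a label) to its verdict."""
    return {label: classify_command(body)["verdict"]
            for label, body in responses.items()}

# Constructed sample bodies: a benign script sent reversed, the same kind of
# script sent forwards, and an ordinary JSON status reply.
SAMPLE_RESPONSES = {
    "reversed": 'tell application "Finder" to display dialog "Update available"'[::-1],
    "plain": 'tell application "Finder"\n    activate\nend tell',
    "json": '{"status":"ok","next_check":3600}',
}

if __name__ == "__main__":
    for label, verdict in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{label}: {verdict}")
```

Substring matching is deliberately loose; feed real captures through it and raise the threshold if ordinary traffic in your environment trips markers such as "activate".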
Link(s):
https://thehackernews.com/2024/11/north-korean-hackers-target-macos-using.html