
North Korean hackers are experimenting with a new macOS malware


Security researchers have caught North Korean hackers experimenting with novel malware embedded inside macOS programs built atop an open-source SDK (software development kit).

Researchers at Jamf, a mobile device management software company, detailed that although the code itself was malicious, the three samples discovered in October were not flagged as malicious on VirusTotal at the time. Two of the samples were written in Golang and Python, while the third was built with Flutter, a framework that by default heavily obscures an application's code. Their report goes on to state that "there is nothing inherently malicious about this app architecture, it just so happens to provide a good avenue of obfuscation by design."

The malware has not officially been attributed to North Korea yet, but the researchers note that the techniques and domains used in its development match past North Korean activity. More specifically, the malware shared infrastructure with the infamous Lazarus group, which is known worldwide for its financially motivated cybercrime.

At the time of discovery, the malware was embedded in a Minesweeper clone taken from GitHub. It is not clear whether it has been used in a campaign or was merely an experiment with a new attack vector. What is known is that the malicious code was good enough to pass Apple's App Store security processes. The researchers also found that the samples altered a URL request embedded in the code so that it pointed to a malicious domain; in a real-world scenario, this would serve as the second stage of an attack.

This domain was previously used in a campaign targeting blockchain engineers on macOS devices. Additionally, the Go variant of the malware contained a file with the same name as one used in a different operation targeting macOS devices.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
