North Korean APT Caught Experimenting With macOS Malware

By Shane Zuls on November 15, 2024

Executive Summary

On Tuesday, November 12, 2024, Jamf Threat Labs, a company specializing in securing Apple devices, published a report on the discovery of macOS-targeted malware that had registered as a false negative on VirusTotal [2]. Analysis showed that the malware aligned closely with North Korean techniques and had been built with Flutter, an open-source framework for building and maintaining applications across iOS, Android, Linux, macOS, Windows, and the web [5]. The malware included direct GitHub clones of games like Minesweeper and was aimed at people in the cryptocurrency world, with titles like “New Updates in Crypto Exchange” [4]. Most notably, in order to evade detection and take control of the device, the malware stored its malicious AppleScript written backward, to be reversed into working form on the client side [4]. Techniques like this are likely the reason the ‘developers’ behind the malware were not stopped earlier, as the apps were signed and notarized with Apple developer IDs. Since the malware’s discovery, those signatures have been revoked [3]. Other variants of the malware were also written in other languages, such as Golang and Python, which shows a pattern of prioritizing accessibility [2].
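The reversed-AppleScript trick described above defeats naive string matching because the script text never appears forwards in the file on disk. The following is an added example of a defender-side heuristic, not code from the Jamf report or from the malware: it pulls printable strings out of a binary blob the way `strings` does, then checks each one both as written and reversed against a small list of generic AppleScript phrases. The marker list, the sample blob and the function names are all assumptions constructed for the example; none of them are indicators published for this sample.

```python
"""Heuristic scan for AppleScript fragments stored backwards in a binary.

Added example, not part of the original report. Assumes the evasion described
in the text: script text is stored reversed and flipped back at runtime.
"""
import re
from typing import Dict, List, Tuple

# Assumed AppleScript phrases worth flagging. These are generic language
# constructs, not indicators published for the sample discussed above.
APPLESCRIPT_MARKERS = (
    "do shell script",
    "tell application",
    "display dialog",
    "osascript",
    "end tell",
)


def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify_strings(strings: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Split strings into forward hits and reversed hits.

    A string is a forward hit if a marker appears as written, and a reversed
    hit if the marker only appears after flipping the string. Both are
    returned so a reviewer can see which form the file actually stores.
    """
    hits: Dict[str, List[Tuple[str, str]]] = {"forward": [], "reversed": []}
    for s in strings:
        lowered = s.lower()
        flipped = lowered[::-1]
        for marker in APPLESCRIPT_MARKERS:
            if marker in lowered:
                hits["forward"].append((s, marker))
            elif marker in flipped:
                hits["reversed"].append((s, marker))
    return hits


def scan_blob(data: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """Extract strings from raw bytes and classify them in one step."""
    return classify_strings(extract_strings(data))


# Constructed sample (not real malware data): a fake bundle fragment with one
# benign string, one forward AppleScript line and one stored backwards.
FORWARD_SCRIPT = 'tell application "Finder" to activate'
REVERSED_SCRIPT = 'do shell script "echo hello"'[::-1]
SAMPLE_BLOB = (
    b"\x00\x00Minesweeper high scores\x00"
    + FORWARD_SCRIPT.encode("ascii") + b"\x00\x01\x02"
    + REVERSED_SCRIPT.encode("ascii") + b"\xff"
)

if __name__ == "__main__":
    result = scan_blob(SAMPLE_BLOB)
    for kind, pairs in result.items():
        for s, marker in pairs:
            # Show reversed hits in readable form so the analyst sees the script.
            shown = s[::-1] if kind == "reversed" else s
            print(f"{kind:8} {marker!r:20} {shown}")
```

Run against the constructed blob, the scan reports one forward hit (`tell application`) and one reversed hit (`do shell script`), and prints the reversed string flipped back so an analyst can read what would have executed. Applying the same check to every string in a notarized app bundle is cheap, and a hit in the reversed column is a strong signal precisely because legitimate code has no reason to store AppleScript backwards.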

Background

When it comes to cryptocurrency theft, North Korean APTs are some of the most infamous in both their scale and their persistence. Ever since the fall of the Soviet Union and the end of its military subsidies, North Korea has had to find its own way of obtaining funds. With the rise of cryptocurrency and its ability to conceal transactions outside regulatory oversight, North Korea has found itself in the business of stealing cryptocurrency directly from people’s wallets. This is not the first time North Korea has targeted cryptocurrency: other North Korean APTs such as Lazarus have been stealing cryptocurrency since 2017. Since its financial situation is unlikely to change, North Korea is expected to continue its cryptocurrency operations well into the future.

Impact

With this discovery being so recent, it is unclear whether the malware has been used against any targets or whether the attacker is preparing a new form of delivery following its exposure [3]. Regardless, North Korean threat actors are notorious for their extensive use of social engineering as a primary delivery mechanism, especially against cryptocurrency and decentralized finance businesses [3]. Apple is likely to be on high alert, and more stories are likely to follow.

Significance

Cryptocurrency holders and small businesses should take this as the warning that it is: if you have an Apple device — watch out. No matter which OS platform a person runs their programs on, they remain vulnerable to malware and especially to social engineering. People and companies must remember the basic tenets of preventing social engineering: never open suspicious emails, never open suspicious links, never open suspicious files, always verify the identity of anyone requesting information before giving it away, and in general trust your gut [1].

References

[1] Cybersecurity & Infrastructure Security Agency, “Avoiding Social Engineering and Phishing Attacks,” 2021. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks

[2] Jamf Threat Labs, “APT Actors Embed Malware within macOS Flutter Applications,” 2024. https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/

[3] Lakshmanan R., “North Korean Hackers Target macOS Using Flutter-Embedded Malware,” 2024. https://thehackernews.com/2024/11/north-korean-hackers-target-macos-using.html

[4] Orr A., “North Korean hackers use infected crypto apps to target Macs,” 2024. https://appleinsider.com/articles/24/11/12/north-korean-hackers-use-infected-crypto-apps-to-target-mac-devices

[5] Vasquez C., “North Korean-linked hackers were caught experimenting with new macOS malware,” 2024. https://cyberscoop.com/north-korea-macos-malware-flutter-jamf/