North Korean Threat Actors Deploy NimDoor Malware Against Apple Macs
North Korean threat actors have launched a new campaign against cryptocurrency companies whose staff use Apple devices. The malware, dubbed NimDoor, reaches its targets primarily through social engineering on messaging platforms such as Telegram.
The attackers impersonate trusted contacts and send a malicious file disguised as a Zoom update installer. A victim who runs the file on a Mac unknowingly installs NimDoor.
NimDoor is built to evade detection. It is written in Nim, a language rarely seen in malware. Nim compiles to native executables, and the same source can be built for macOS, Windows, and Linux with little or no change, so one codebase serves every platform the attackers care about. Because Nim-built binaries are unfamiliar to most analysts and have few existing signatures, the choice also helps the malware slip past signature-based detection.
The researchers also report that the malware works around macOS memory protections, which lets it stay resident unobtrusively. Once installed, NimDoor steals data from crypto wallets, browsers, and Telegram.
To defeat automated analysis, NimDoor delays its malicious activity: it waits about 10 minutes after execution before activating its payload. That pause is longer than the observation window of many sandboxes, so an automated detonation often ends before anything suspicious has happened.
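The following simulation is an added example written for this article, not NimDoor's code. It models the delay-then-activate behaviour described above and shows three ways a sandbox can react: observing for a fixed window (misses the payload), skipping sleeps without touching the clock (a sample that checks elapsed time can notice and stay dormant; that check is an assumption here, a common anti-sandbox trick the article does not attribute to NimDoor), and skipping sleeps while advancing the clock the sample sees (catches the payload).

```python
"""Why a 10-minute pre-activation sleep defeats short sandbox runs, and what an
analysis sandbox must do about it.

Self-contained simulation written for this article, not NimDoor code. The
'sample' below is a stand-in for the delay-then-activate behaviour described
in the text; its check that the sleep really elapsed is an assumption (a
common anti-sandbox trick), not something the article attributes to NimDoor.
"""
from dataclasses import dataclass, field


class Killed(Exception):
    """Raised when the sandbox's observation window runs out mid-sleep."""


@dataclass
class Sandbox:
    timeout_s: float                 # how long the sandbox observes a sample
    skip_sleeps: bool = False        # return from sleep() immediately
    advance_clock: bool = False      # ...and also move the visible clock forward
    wall_s: float = 0.0              # real time the sandbox has spent
    clock_s: float = 0.0             # time as seen by the sample
    events: list = field(default_factory=list)

    def time(self) -> float:
        return self.clock_s

    def sleep(self, seconds: float) -> None:
        if self.skip_sleeps:
            # Sleep-skipping: no wall time passes. Without advance_clock the
            # sample can notice that time() did not move.
            if self.advance_clock:
                self.clock_s += seconds
            return
        if self.wall_s + seconds > self.timeout_s:
            # The observation window ends while the sample is still sleeping.
            self.wall_s = self.timeout_s
            raise Killed()
        self.wall_s += seconds
        self.clock_s += seconds


def delayed_sample(sb: Sandbox, delay_s: float = 600.0) -> None:
    """Stand-in for a sample that waits ~10 minutes before doing anything."""
    start = sb.time()
    sb.sleep(delay_s)
    if sb.time() - start < delay_s:
        # Assumed anti-analysis check: the sleep returned early, so the sample
        # concludes it is being analysed and stays quiet.
        sb.events.append("dormant")
        return
    sb.events.append("c2_connect")
    sb.events.append("read_wallet_and_browser_data")


def detonate(sb: Sandbox, delay_s: float = 600.0) -> list:
    """Run the sample under the given sandbox and return what was observed."""
    try:
        delayed_sample(sb, delay_s)
    except Killed:
        sb.events.append("killed_before_payload")
    return sb.events


if __name__ == "__main__":
    runs = [
        ("5-minute sandbox, honest sleeps", Sandbox(timeout_s=300)),
        ("5-minute sandbox, sleeps skipped", Sandbox(300, skip_sleeps=True)),
        ("5-minute sandbox, sleeps skipped + clock advanced",
         Sandbox(300, skip_sleeps=True, advance_clock=True)),
        ("15-minute sandbox, honest sleeps", Sandbox(timeout_s=900)),
    ]
    for label, sb in runs:
        print(f"{label}: {detonate(sb)}")
```

The practical takeaway: a detonation timeout shorter than the sample's delay yields a clean report, and naively hooking sleep calls is not enough if the sample cross-checks the clock; the sandbox has to fake the passage of time consistently, or simply run long enough.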
A script bundled with the malware goes after Telegram specifically: it copies both the app's encrypted local database and the corresponding decryption keys, which extends the credential theft beyond browsers and wallets.
Researchers at SentinelLabs, who analysed the malware, documented the social engineering tactic used in the campaign. They noted that writing the malware in Nim makes it less recognizable to conventional security tools and potentially harder to analyse and detect.
The move to Nim gives the attackers a practical advantage: a single codebase can be compiled for several operating systems, which lowers their development cost and widens the set of targets one toolset can reach.
The social engineering and the fake software update are consistent with tactics commonly associated with DPRK-linked campaigns. The attackers first pose as a trusted contact on a messaging platform such as Telegram and chat with the victim to build credibility. They then invite the target to a fake Zoom meeting, presented as a Google Meet session, and follow up with a file that mimics a legitimate Zoom update.
In summary, NimDoor reaches Macs through targeted phishing-style lures in which an impersonated contact delivers a fake Zoom update. It is written in an uncommon language that helps it evade detection, can be built for multiple platforms, delays activation by about 10 minutes to outlast sandbox runs, and steals crypto wallet data, browser passwords, and Telegram's database and keys. Taken together, these traits make it a capable tool that fits North Korean actors' established focus on cryptocurrency companies and raise the bar for defenders in that sector.