
North Korean Hackers Employ NimDoor Malware to Attack Apple Gadgets

North Korean hackers exploit Apple's security through sophisticated malware aimed at cryptocurrency companies, focusing on stealing assets from digital wallets.


In a recent development, a new malware known as NimDoor has been identified, targeting cryptocurrency companies on Apple devices. This malware, linked to North Korean threat actors, employs a sophisticated social engineering attack via Telegram and fake Zoom updates.

The attack begins when the attackers impersonate trusted contacts on Telegram and send victims invitations to fake Zoom meetings via Google Meet or Calendly links. They then supply what appears to be a legitimate Zoom update file, often named something like "zoom_sdk_support.scpt". In reality the file is a disguised script: thousands of lines of padding and deliberate typos are used to hide the small amount of code that does the malicious work.
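A triage heuristic for lures of this shape, added here as an example rather than code from the article or from any vendor: it flags AppleScript files whose name follows the Zoom-update pattern and files where a few lines that hand control to the shell are buried in a very large, almost entirely padded script. The filename regex, the thresholds and the sample file are all assumptions constructed for the example.

```python
"""Heuristic triage for padded AppleScript lures (added example, not from the article)."""
import re
from dataclasses import dataclass

# Zoom-themed AppleScript filenames, generalised from "zoom_sdk_support.scpt" (assumed pattern).
LURE_NAME_RE = re.compile(r"zoom.*\.(scpt|applescript)$", re.IGNORECASE)
# AppleScript constructs that execute shell commands or load further code.
ACTIVE_RE = re.compile(r"\bdo shell script\b|\brun script\b|\bload script\b", re.IGNORECASE)


@dataclass
class ScriptStats:
    total_lines: int
    padding_lines: int   # blank or comment-only lines
    active_lines: int    # lines that invoke the shell or load other code
    lure_name: bool      # filename matches the Zoom-update lure pattern

    @property
    def padding_ratio(self) -> float:
        return self.padding_lines / self.total_lines if self.total_lines else 0.0


def is_padding(line: str) -> bool:
    # AppleScript line comments start with "--" or "#".
    s = line.strip()
    return s == "" or s.startswith("--") or s.startswith("#")


def analyze_script(name: str, text: str) -> ScriptStats:
    lines = text.splitlines()
    return ScriptStats(
        total_lines=len(lines),
        padding_lines=sum(1 for ln in lines if is_padding(ln)),
        active_lines=sum(1 for ln in lines if ACTIVE_RE.search(ln)),
        lure_name=bool(LURE_NAME_RE.search(name)),
    )


def is_suspicious(stats: ScriptStats, min_lines: int = 1000, min_padding: float = 0.95) -> bool:
    """Flag a lure-named script that runs shell code, or any huge, almost-all-padding
    script that still contains shell-executing lines. Thresholds are assumptions."""
    padded_dropper = (stats.total_lines >= min_lines
                      and stats.padding_ratio >= min_padding
                      and stats.active_lines > 0)
    return padded_dropper or (stats.lure_name and stats.active_lines > 0)


# Constructed sample: two shell-executing lines hidden among ~3000 padding lines.
SAMPLE = "\n".join(["-- Zoom SDK suport update (padding)"] * 1500
                   + ['do shell script "echo constructed-sample"']
                   + [""] * 1500
                   + ["set x to 1", 'do shell script "echo still-sample"'])

if __name__ == "__main__":
    stats = analyze_script("zoom_sdk_support.scpt", SAMPLE)
    print(stats, is_suspicious(stats))
```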

When the victim executes this fake Zoom update on their Mac, it installs the NimDoor backdoor malware. NimDoor is a rare and complex macOS malware written in the Nim programming language, combined with AppleScript and C++ components. This malware is specifically designed to stealthily steal sensitive information such as cryptocurrency wallet data, browser passwords, Keychain credentials, and Telegram user data from targeted Web3 and crypto firms.

NimDoor uses several techniques to evade detection and maintain persistence. Because Nim is uncommon in malware and compiles for multiple platforms without code changes, the malware slips past Apple's memory protections and traditional antivirus detection. It communicates over a TLS-encrypted WebSocket channel for stealthy data exfiltration, and its persistence mechanism reinfects the system if the malware is terminated.

Moreover, NimDoor mimics legitimate AppleScript tools and injects malicious processes to avoid detection. It uses AppleScripts and Bash scripts for command and control, data theft, and persistence.


The Lazarus Group, the threat actor behind NimDoor, has recently shifted toward Nim for its malware development. The malware bundles the harvested information and transmits it to the attackers, and because it is a single strain that runs seamlessly across multiple operating systems, it increases the efficiency and reach of the group's attacks.

Additionally, the malware developed by the Lazarus Group targets Telegram, extracting both its encrypted local database and the corresponding decryption keys. The malware also includes a credential-stealing component that discreetly harvests browser and system-level data. The malware employs a delayed activation mechanism, waiting ten minutes before executing its operations.

Nim is gaining traction among cybercriminals due to its cross-platform capabilities, allowing the same codebase to run on Windows, Linux, and macOS without modification.

In conclusion, the NimDoor attack relies heavily on social engineering through trusted communication platforms (Telegram) and the lure of a fake Zoom update to compromise Apple Mac devices in the cryptocurrency sector, enabling North Korean threat actors to steal valuable crypto assets and confidential information.


  1. The Lazarus Group, the actor behind NimDoor, is using the Nim programming language more frequently in its malware development because it offers cross-platform capabilities and can stealthily extract sensitive information such as cryptocurrency wallet data and Telegram user data.
  2. To maintain persistence and evade detection, NimDoor, a sophisticated macOS malware, uses encrypted communications, bypasses Apple's memory protections, and delays activation, making it a serious threat to organizations in the cryptocurrency sector in particular.
