Monday, March 31, 2025

North Korean hackers are targeting cryptocurrency companies with the multi-stage “Hidden Danger” malware on macOS devices.

A threat actor believed to be affiliated with the Democratic People’s Republic of Korea (DPRK) has been observed targeting cryptocurrency-related companies with sophisticated, multi-stage malware.

SentinelOne, a prominent cybersecurity firm, has attributed the campaign with high confidence to BlueNoroff, an entity previously tied to malware families such as TrickBot, AZORult (also known as Ursnif), and GoznViper.

Researchers Raffaele Sabato, Phil Stokes, and Tom Hegel describe the attack chain in a report shared with The Hacker News: malware disguised as a PDF file is delivered to targets by email, using fake news about cryptocurrency developments as the lure.

“The campaign appears to have begun as early as July 2024, leveraging email and PDF lures that employ fake news headlines or compelling stories related to cryptocurrency.”

As noted by the U.S. Federal Bureau of Investigation (FBI) in an advisory issued in September 2024, these targeted attacks on employees in the decentralized finance (DeFi) and cryptocurrency sectors are a form of “extremely tailored, challenging to detect social engineering” attack.

The attackers rely on pretexts such as bogus job offers or corporate investment, building rapport with their victims over an extended period before deploying malicious software.

In late October 2024, SentinelOne detected an email-based phishing attempt targeting a cryptocurrency-focused business. The attack used a dropper application disguised as a PDF file, titled “Hidden Danger Behind New Surge of Bitcoin Worth.app”, which was hosted on the compromised domain delphidigital[.]org.

The application, written in Swift, was signed and notarized on October 19, 2024 using the Apple Developer ID “Avantis Regtech Private Limited” (2S8XHJ7948). Apple has since revoked the signature.

When launched, the application retrieves a seemingly innocuous decoy PDF from Google Drive while, in the background, downloading and running a malicious executable from a remote server without the user noticing. That second stage, an unsigned x86-64 Mach-O binary written in C++, functions as a backdoor that executes commands received from a remote server.

The backdoor uses a novel persistence mechanism that abuses the zshenv configuration file, a tactic not previously seen in the wild from malicious actors.

“The findings have significant value on contemporary macOS versions, following Apple’s introduction of personal notifications for background login items in macOS 13 Ventura,” the researchers noted.

Apple notifies users when a persistence method is installed, in particular the frequently abused LaunchAgents and LaunchDaemons. Abusing zshenv does not trigger such a notification on current macOS versions.
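Because zshenv is sourced on every zsh invocation rather than registered as a login item, the practical defensive check is to audit the file's contents. The script below is an added example, not code from the SentinelOne report; the sample file content is constructed, and the pattern list is a starting heuristic rather than a signature for this specific backdoor.

```python
# Added example (not from the SentinelOne report): zsh sources ~/.zshenv and
# /etc/zshenv for every invocation, so a command appended there runs on each
# shell start with no login-item notification. Flag lines that launch work.
import re

# A legitimate zshenv normally only sets variables; anything that launches
# work (background jobs, downloaders, decoders, binaries under temp or hidden
# directories) deserves a look. Order matters: first match wins.
SUSPICIOUS = [
    (re.compile(r"(?<![&>])&(?!&)"), "backgrounded command"),
    (re.compile(r"\b(curl|wget|osascript|nohup)\b"), "downloader/launcher"),
    (re.compile(r"\b(base64|xxd|openssl)\b"), "payload decoding"),
    (re.compile(r"(^|[\s\"'=(])(/tmp|/var/tmp|/Users/[^/\s]+/\.[^/\s]+)/"),
     "temp or hidden path"),
]
ASSIGNMENT = re.compile(r"(export\s+)?[A-Za-z_][A-Za-z0-9_]*=.*")


def audit_zshenv(text):
    """Return (line_no, reason, line) for each suspicious non-comment line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Plain assignments are expected; command substitution inside one is not.
        if ASSIGNMENT.fullmatch(line) and "$(" not in line and "`" not in line:
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((n, reason, line))
                break
    return findings


# Constructed sample: two normal exports, then an injected launcher for a
# binary hidden under a dotted directory, then a run from /tmp.
SAMPLE = """# constructed ~/.zshenv
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
( /Users/dev/.config/.cache/sync_helper >/dev/null 2>&1 & )
/tmp/.x/agent --quiet
"""

if __name__ == "__main__":
    for line_no, reason, line in audit_zshenv(SAMPLE):
        print(f"line {line_no}: {reason}: {line}")
```

On a real host, run `audit_zshenv` over the contents of /etc/zshenv and ~/.zshenv; a clean file yields an empty list.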

The threat actor has been observed using the domain registrar Namecheap to set up infrastructure themed around cryptocurrency, Web3, and investment, in an attempt to appear legitimate. Hosting providers used include Quickpacket, Routerhosting, and Hostwinds.

The overlap with an earlier attack is striking: that attack also used a malicious macOS dropper app, “Danger elements for Bitcoin’s value decline are rising (2024).app”, to deliver and execute TodoSwift.

It is unclear what motivated the threat actor’s recent change in tactics, which may be linked to the publication of earlier findings. According to Stokes, North Korean actors are creative, adaptable, and experience-driven, so it is entirely plausible that we are seeing successful new strategies emerge from their cyber program.

Another concerning aspect of the BlueNoroff campaign is the group’s ability to obtain or hijack genuine Apple developer accounts, exploiting the platform’s trust infrastructure to distribute malware that has been notarized by Apple.

“In the past 12 months, North Korean cyber operatives have launched a series of targeted attacks against the cryptocurrency sector, utilizing social media platforms for thorough reconnaissance and exploitation.”

The “Hidden Danger” campaign departs from this approach by adopting a more conventional and simpler email phishing tactic, though not necessarily a less effective one. Despite the relative crudeness of the initial intrusion approach, distinct hallmarks of previous North Korea-backed operations are evident.

As part of a broader strategy, North Korean hackers have launched multiple campaigns targeting Western companies, seeking to get hired as employees and to deploy malware through compromised codebases and conferencing tools, masquerading as hiring opportunities or tasks.

Tracked as “UNC5267” and “CL-STA-0240” (aka Tenacious Pungsan), this pair of malware strains has been linked to the notorious threat group known as Famous Chollima.

ESET, which has dubbed the activity “Contagious Interview,” classifies it as a new Lazarus Group campaign targeting freelance developers worldwide for cryptocurrency theft.

North Korean threat actors have demonstrated their adaptability with the “Contagious Interview” and “Wagemole” campaigns, which not only steal intellectual property but also secure job placements in Western countries that circumvent financial sanctions, notes Zscaler ThreatLabz researcher Seongsu Park.

“With sophisticated techniques for concealing malicious activity, seamless cross-platform functionality, and alarming instances of intellectual property theft, these cyberattacks underscore the escalating threat to both corporate and personal interests.”
