BlueNoroff’s New MacOS Threat: “Hidden Risk” Targets Crypto Enthusiasts

by do son · November 10, 2024

In a disturbing revelation from SentinelLabs, North Korean-affiliated threat actors, suspected to be linked to the notorious BlueNoroff APT, are actively targeting cryptocurrency businesses and macOS users. Dubbed the ‘Hidden Risk‘ campaign, this attack delivers malware through fake cryptocurrency news, presenting a severe risk to macOS users in the crypto space.

The initial infection vector is a classic phishing email, using catchy cryptocurrency news headlines like “Hidden Risk Behind New Surge of Bitcoin Price” and “Altcoin Season 2.0-The Hidden Gems to Watch” to bait recipients into downloading a disguised application file. As SentinelOne explains, this phishing attempt “does not engage the recipient with contextually-relevant content,” making them less sophisticated than previous campaigns. However, the messages are convincing enough to prompt users to open the file, which is falsely presented as a PDF document

The fake PDF displayed to targets (left) and the original source document hosted online (right) | Image: SentinelOne

The standout element of the “Hidden Risk” campaign is its novel use of the Zsh configuration file, zshenv, to establish persistence on infected systems. SentinelOne states that “abusing Zshenv does not trigger such a notification in current versions of macOS,” thus allowing the malware to persist undetected. This approach deviates from previous techniques used by BlueNoroff, which had relied on zshrc, a less consistent method of maintaining persistence.

The attack is a two-stage process. Once the initial malicious application is installed, it downloads a backdoor component called “growth,” which acts as a command-and-control agent for the threat actor. SentinelOne notes that “the backdoor’s operation is functionally similar to previous malware attributed to this threat actor,” designed to receive and execute commands on the infected system. This dual-architecture dropper can execute on both Intel and Apple Silicon Macs, making it highly adaptable.

In addition to the malware, SentinelOne’s analysis of the infrastructure reveals a network of malicious domains that the attackers use to manage their operations. These domains, often registered with themes related to cryptocurrency and fintech, are carefully structured to appear legitimate. SentinelOne reports that “virtual server hosting services such as Quickpacket, Routerhosting, Hostwinds, and others are the most commonly used,” adding to BlueNoroff’s extensive infrastructure.

For macOS users, especially those in the cryptocurrency sector, increased vigilance is paramount. SentinelOne emphasizes the need for users to “harden their security and increase their awareness of potential risks,” noting that BlueNoroff’s ability to bypass macOS Gatekeeper and other protections is particularly concerning.