
A recent deep dive by Christopher Lopez, Senior macOS Security Researcher at Kandji, has exposed a cyber-espionage campaign linked to North Korean threat actors. The malware, delivered under the guise of applications for fake job interviews, is being used to steal sensitive user data, including passwords, from macOS users. Dubbed ‘DriverEasy’ and ‘ChromeUpdate’, these malicious apps rely on social engineering rather than a software vulnerability to compromise their victims.
North Korean cyber actors have been impersonating legitimate recruiters, presenting fake job opportunities to lure their targets. These phishing attempts include malicious Swift-based macOS applications designed to trick users into entering their credentials.
Among the malicious applications uncovered is DriverEasy.app, an application written in Swift/Objective-C that masquerades as a Google Chrome-related tool. This malware uses social engineering to steal users’ credentials by displaying deceptive prompts.
“This application called DriverEasy.app is written in Swift/Objective-C and is designed to capture a user’s password while pretending to be a Google application,” Christopher explains.
The malware tricks users by displaying fake authentication requests, capturing credentials, and sending them to a Dropbox account controlled by the attackers.
“Once this application captures the user’s password, it communicates with Dropbox via Dropbox APIs to upload the captured password,” the researcher notes.
Lopez’s analysis also linked DriverEasy to other DPRK-attributed macOS malware, including ChromeUpdate and CameraAccess. All three apps employ similar techniques to exfiltrate sensitive data.
How the Malware Works
- Fake Prompt Displays: The malware mimics Google Chrome authentication pop-ups, requesting users’ credentials.
- Password Capture: Captured credentials are stored and prepared for exfiltration to Dropbox.
- IP Query & Dropbox API Communication: The malware queries the victim’s public IP address (via api.ipify.org), then authenticates to Dropbox with a hard-coded OAuth refresh token, client_id and client_secret and uploads the captured password through the Dropbox API.
“The URL https://api.ipify.org is initialized. This can be used to query for the public IP address of a system,” reads the report.
Once the credentials are captured, the malware uploads them to Dropbox: “The password data that was captured at the start of this analysis would then be uploaded to Dropbox.”
Through code analysis, Lopez confirmed that DriverEasy, ChromeUpdate, and CameraAccess share the same Dropbox API credentials (refresh token, client_id and client_secret). Hard-coded exfiltration credentials are a strong clustering indicator: they tie the samples to a single operator and, by extension, to the same DPRK campaign.
“Comparing the values that are used by both of these applications to upload the user’s password to Dropbox, we can confidently say that they are related and leverage the same Dropbox refresh token, client_id, and client_secret.”
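The comparison Lopez describes, hunting a binary for the behaviours listed above and grouping samples that embed the same Dropbox OAuth2 parameters, is easy to turn into a triage script. The following Python is an added example, not Kandji's tooling and not the report's indicators. It assumes the malware talks to Dropbox's documented OAuth2 token endpoint (api.dropboxapi.com/oauth2/token) and upload endpoint (content.dropboxapi.com/2/files/upload); the report only says "Dropbox APIs". The sample binaries and every token value in it are constructed placeholders.

```python
"""Triage helper for the DriverEasy/ChromeUpdate-style behaviour described above.

Added example (not Kandji's code). Pulls printable strings from a binary blob,
flags the behaviours the report describes (public-IP lookup, Dropbox OAuth2
refresh-token exchange, Dropbox file upload, fake Chrome prompt) and clusters
samples that embed the same Dropbox OAuth parameters.
"""
import re
from collections import defaultdict

MIN_STRING_LEN = 6

# Behaviour indicators. The Dropbox endpoints are Dropbox's public API URLs;
# that the malware uses exactly these is an assumption, not a report finding.
INDICATORS = {
    "public_ip_lookup":    re.compile(r"api\.ipify\.org"),
    "dropbox_oauth_token": re.compile(r"api\.dropboxapi\.com/oauth2/token"),
    "dropbox_file_upload": re.compile(r"content\.dropboxapi\.com/2/files/upload"),
    "fake_chrome_prompt":  re.compile(r"Google Chrome", re.IGNORECASE),
}

# The three values the report says the samples share.
OAUTH_PARAMS = ("refresh_token", "client_id", "client_secret")
# Simplistic: only catches key=value pairs stored as one string. A binary that
# keeps the key and value in separate strings needs a smarter extractor.
OAUTH_RE = re.compile(r"\b(refresh_token|client_id|client_secret)=([A-Za-z0-9_\-]+)")


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Rough equivalent of `strings -n N`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_indicators(strings: list[str]) -> dict[str, list[str]]:
    """Map each indicator name to the strings that triggered it."""
    hits = {}
    for name, pat in INDICATORS.items():
        matched = [s for s in strings if pat.search(s)]
        if matched:
            hits[name] = matched
    return hits


def extract_dropbox_oauth(strings: list[str]) -> dict[str, str]:
    """Collect embedded OAuth2 parameters (refresh_token, client_id, client_secret)."""
    params = {}
    for s in strings:
        for key, val in OAUTH_RE.findall(s):
            params[key] = val
    return params


def cluster_by_credentials(samples: dict[str, bytes]) -> dict[tuple, list[str]]:
    """Group sample names by the (refresh_token, client_id, client_secret) tuple.

    Samples without a complete set of credentials land in a sentinel bucket.
    """
    clusters: dict[tuple, list[str]] = defaultdict(list)
    for name, blob in samples.items():
        params = extract_dropbox_oauth(extract_strings(blob))
        key = tuple(params.get(k) for k in OAUTH_PARAMS)
        clusters[key if all(key) else ("<no-dropbox-creds>",)].append(name)
    return dict(clusters)


def _fake_binary(strings: list[str]) -> bytes:
    """Constructed stand-in for a stripped Mach-O: strings separated by junk bytes."""
    junk = b"\x00\x01\xff\x90"
    return junk.join(s.encode("ascii") for s in strings) + junk


# Constructed samples with placeholder values; none of these are real IOCs.
SAMPLES = {
    "DriverEasy.app": _fake_binary([
        "Google Chrome requires your password to continue",
        "https://api.ipify.org",
        "https://api.dropboxapi.com/oauth2/token",
        "grant_type=refresh_token&refresh_token=PLACEHOLDER_RT_1"
        "&client_id=PLACEHOLDER_ID_1&client_secret=PLACEHOLDER_SECRET_1",
        "https://content.dropboxapi.com/2/files/upload",
    ]),
    "ChromeUpdate.app": _fake_binary([
        "Google Chrome Update needs your password",
        "https://api.ipify.org",
        "https://api.dropboxapi.com/oauth2/token",
        "refresh_token=PLACEHOLDER_RT_1&client_id=PLACEHOLDER_ID_1"
        "&client_secret=PLACEHOLDER_SECRET_1",
        "https://content.dropboxapi.com/2/files/upload",
    ]),
    "Benign.app": _fake_binary([
        "/usr/lib/libSystem.B.dylib",
        "NSApplicationMain",
        "Hello, World",
    ]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, sorted(find_indicators(extract_strings(blob))))
    for creds, names in cluster_by_credentials(SAMPLES).items():
        print(creds, "->", names)
```

Run on real samples, replace `SAMPLES` with the raw bytes of each app's main executable; shared `refresh_token`/`client_id`/`client_secret` tuples across unrelated-looking bundles are the linkage the report relies on.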
For a full technical breakdown, visit Kandji’s research blog.