Unstoppable NimDoor Malware: MacOS Crypto-Theft Threat Revives Itself


North Korean Hackers Deploy NimDoor: A New macOS Malware Targeting Cryptocurrency

Introduction to NimDoor Malware

Recent investigations have unveiled a sophisticated new malware strain named NimDoor, attributed to North Korean state-sponsored hackers. This malware specifically targets organizations involved in web3 and cryptocurrency sectors, showcasing advanced techniques and a unique persistence mechanism.

Attack Methodology

Cybersecurity experts have traced the attack’s origin to communications via Telegram, where victims are enticed into executing a fraudulent Zoom SDK update. This malicious update is delivered through platforms like Calendly and email, mirroring tactics previously associated with the BlueNoroff group, as noted by the Huntress managed security platform.

Technical Insights into NimDoor

A report from SentinelOne highlights that the malware employs C++ and binaries compiled with Nim, marking a distinctive approach for macOS threats. The initial setup is managed by a binary known as ‘installer,’ which prepares the system by creating necessary directories and configuration paths. This binary also deploys two additional components, ‘GoogIe LLC’ and ‘CoreKitAgent,’ onto the compromised machine.

Functionality of the Components

The ‘GoogIe LLC’ binary is tasked with gathering environmental data and generating a hex-encoded configuration file, which it saves in a temporary directory. It establishes a macOS LaunchAgent to ensure persistence, allowing it to restart upon user login and store authentication keys for future use.

The ‘CoreKitAgent’ serves as the primary payload of the NimDoor framework. This component operates as an event-driven binary, utilizing macOS’s kqueue mechanism for asynchronous execution management. It features a state machine with a hardcoded transition table, enabling dynamic control flow based on real-time conditions.

Unique Persistence Mechanisms

One of the standout characteristics of this malware is its signal-based persistence. The ‘CoreKitAgent’ registers custom handlers for termination signals like SIGINT and SIGTERM. When these signals are detected, it initiates a reinstallation process, effectively restoring the malware’s components and ensuring its continued presence on the system.

SentinelLABS elaborates that this behavior guarantees that any attempts by users to terminate the malware will trigger a redeployment of its core elements, making it resilient against basic defensive measures.
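To see why an ordinary `kill` or Ctrl-C only triggers the redeployment the report describes, and why responders remove the LaunchAgent first and then use SIGKILL, which no process can catch, here is an added Python illustration (not code from SentinelLABS or from the malware). The child process is a constructed stand-in whose handler merely swallows the signal rather than reinstalling anything.

```python
import os
import signal
import time


def spawn_resilient_child():
    """Fork a child that traps SIGINT and SIGTERM, the way the article
    says CoreKitAgent does. This constructed stand-in only ignores the
    signal; the malware's handler re-deploys its components instead."""
    ready_r, ready_w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(ready_r)

        def on_signal(signum, frame):
            pass  # swallow the signal and keep running

        signal.signal(signal.SIGTERM, on_signal)
        signal.signal(signal.SIGINT, on_signal)
        os.write(ready_w, b"1")  # tell the parent the handlers are installed
        os.close(ready_w)
        try:
            while True:
                time.sleep(0.1)
        finally:
            os._exit(0)
    os.close(ready_w)
    os.read(ready_r, 1)  # block until the child has registered its handlers
    os.close(ready_r)
    return pid


def terminate_test(pid):
    """Return (survived_sigterm, died_from_sigkill) for the given child."""
    os.kill(pid, signal.SIGTERM)
    time.sleep(0.3)
    wpid, _ = os.waitpid(pid, os.WNOHANG)
    survived_sigterm = wpid == 0  # still running: SIGTERM was caught
    # SIGKILL cannot be caught, blocked or ignored, so it always ends the
    # process; a responder must first remove the LaunchAgent so nothing
    # relaunches it at the next login.
    os.kill(pid, signal.SIGKILL)
    _, status = os.waitpid(pid, 0)
    died_from_sigkill = os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGKILL
    return survived_sigterm, died_from_sigkill


if __name__ == "__main__":
    print(terminate_test(spawn_resilient_child()))  # expected: (True, True)
```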

Data Exfiltration Techniques

The ‘CoreKitAgent’ also decodes and executes a hex-encoded AppleScript that communicates with the attacker’s infrastructure every 30 seconds. This script is capable of exfiltrating system information and executing remote commands, functioning as a lightweight backdoor.

In parallel, another script named ‘zoom_sdk_support.scpt’ activates a secondary injection chain that includes ‘trojan1_arm64.’ This component establishes WebSocket-based command and control communications and downloads two additional scripts, ‘upl’ and ‘tlgrm,’ designed for data theft.

Targeted Data Extraction

The ‘upl’ script is engineered to extract sensitive information from web browsers, as well as from the Keychain and user history files. It utilizes curl to transmit this data to a designated external server. Meanwhile, the ‘tlgrm’ script focuses on stealing the Telegram database and associated encryption keys, likely to decrypt messages exchanged by the target.

Conclusion: The Evolving Threat Landscape

The NimDoor framework represents one of the most intricate families of macOS malware linked to North Korean cyber actors. Its modular design and innovative techniques, such as signal-based persistence, indicate a significant evolution in the tactics employed by these threat actors, enhancing their cross-platform capabilities.

SentinelLABS’ report provides detailed indicators of compromise, including domains, file paths, scripts, and binaries utilized in these attacks aimed at pilfering cryptocurrency assets and sensitive information. As cyber threats continue to evolve, vigilance and proactive security measures remain essential for organizations in the cryptocurrency space.

Disclaimer: This article is provided for informational purposes only and does not constitute financial advice. Readers are encouraged to conduct their own research before making any investment decisions.
