North Korean APT BlueNoroff Targets Crypto Firms with Multi-Stage Malware and Novel Persistence Mechanism
A New Cyber Threat Emerges
In a recent report (November 2024), SentinelLabs documented BlueNoroff, a North Korean state-aligned threat actor and Lazarus subgroup, deploying multi-stage malware against cryptocurrency businesses. The group is known for financially motivated intrusions and has now turned its attention to macOS devices. The campaign is notable for two things: a persistence mechanism not previously seen in the wild, and a first-stage application that passed Gatekeeper because it was signed and notarized with a valid Apple Developer ID. The sections below break down how the attack works and what IT and security teams can do about it.
Multi-Stage Malware Campaign Explained
The campaign, which SentinelLabs dubbed ‘Hidden Risk’, starts with a phishing email carrying a link that promises a PDF about the latest surge in Bitcoin prices. The link instead delivers a macOS application bundle disguised as that PDF. When the victim opens it, the application fetches a second-stage backdoor, giving the attackers remote command execution on the host and a foothold for further exploitation.
The First Stage: Phishing Email and Initial Infection
The phishing email contains a seemingly innocent link to a cryptocurrency-related PDF. The link leads to an attacker-controlled domain, delphidigital[.]org, which serves the first-stage application, ‘Hidden Risk Behind New Surge of Bitcoin Price.app’. The app was signed and notarized with a valid Apple Developer ID (Apple has since revoked it), so Gatekeeper raised no objection. On launch the app downloads and opens a decoy PDF on the same topic, so the victim sees the document they expected while the system is compromised in the background.
The Second Stage: Backdoor Execution
While the decoy PDF is on screen, the first-stage dropper downloads and executes the second-stage payload. The payload is built for x86-64, so it runs natively on Intel Macs and, on Apple Silicon, only through Rosetta 2 translation (on a Mac where Rosetta is not installed, macOS prompts to install it, which is itself a useful tell on an Apple Silicon fleet). The payload is a backdoor that polls a command-and-control server and executes what it receives. Its SaveAndExec routine is the core of that capability: it saves a command delivered by the C2 server to disk and runs it, giving the operators arbitrary command execution on the compromised host.
Novel Persistence Technique: Abusing Zshenv File
What sets this attack apart is the persistence mechanism. Instead of the usual macOS options (a LaunchAgent or LaunchDaemon plist, a login item, a cron job), BlueNoroff plants its loader in the zsh environment file, ~/.zshenv.
Zshenv Configuration File: A Hidden Threat
Zsh has been the default login shell on macOS since Catalina, and it reads ~/.zshenv (and the system-wide /etc/zshenv) every time a zsh process starts: interactive terminals, but also non-interactive shells such as scripts, build tools and IDE helpers, which is exactly where ~/.zshrc (interactive shells only) would not fire. A loader line appended to this hidden file therefore runs again and again, across reboots and logins, with no daemon or plist required; the file is what persists, and the payload is re-launched the next time any zsh starts. The key advantage for the attacker is that macOS 13 Ventura and later show a ‘Background Items Added’ notification when a LaunchAgent, LaunchDaemon or login item is registered, whereas editing a shell startup file triggers no notification at all.
This form of persistence is also awkward for traditional antivirus: there is no new binary in a well-known persistence location to flag, just a line in a text file the user legitimately owns. The technique is not new in principle and had been described publicly before, but SentinelLabs reports this as the first time it has been observed in the wild in a malware campaign targeting macOS users.
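As an added example (not code from the SentinelLabs report or from the campaign), here is a small POSIX shell scanner that checks the zsh startup files for lines that look like a planted loader. The regex heuristic, the list of files and the two sample files it scans are this example's own assumptions; the ‘bad’ sample is constructed and is not the real hook from the campaign.

```shell
#!/bin/sh
# Added example, not code from the SentinelLabs report: look for a loader line
# planted in the zsh startup files. The pattern list, the file list and the
# demo files below are this example's own assumptions; tune them to your fleet.

# Heuristic for a fetch-decode-run hook that backgrounds itself so the user's
# shell still opens instantly. Extended regex, one alternative per tell:
# a fetch/exec tool as a command, a telltale drop location, a trailing '&'.
HOOK_RE='(curl|wget|nohup|osascript|base64|eval|python3?) |/dev/tcp/|/Users/Shared/|/tmp/\.|/var/tmp/\.|\.app/Contents/MacOS/|&[[:space:]]*$'

# zsh_hook_lines FILE: print "LINENO:TEXT" for every non-comment line of FILE
# matching HOOK_RE. Prints nothing for a clean or missing file.
zsh_hook_lines() {
    [ -f "$1" ] || return 0
    grep -nE "$HOOK_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# zsh_hook_count FILE: number of suspicious lines (0 for clean/missing).
zsh_hook_count() {
    zsh_hook_lines "$1" | wc -l | tr -d ' '
}

# scan_zsh_file FILE: print each hit as FILE:LINENO:TEXT.
# Returns 0 when clean, 1 when something matched.
scan_zsh_file() {
    hits=$(zsh_hook_lines "$1")
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | sed "s|^|$1:|"
    return 1
}

# scan_zsh_startup_files: check the files zsh sources on startup. ~/.zshenv
# and /etc/zshenv fire for EVERY zsh process, interactive or not; the rc and
# profile files fire less often but are common targets for the same trick.
# Returns 1 if any file needs a look.
scan_zsh_startup_files() {
    status=0
    for f in /etc/zshenv /etc/zprofile /etc/zshrc \
             "$HOME/.zshenv" "$HOME/.zprofile" "$HOME/.zshrc"; do
        scan_zsh_file "$f" || status=1
    done
    return $status
}

# write_demo_files DIR: constructed samples for an offline demo. The "bad"
# file is a made-up hook in the style of the campaign, not the real artifact.
write_demo_files() {
    cat > "$1/zshenv.clean" <<'EOF'
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
alias ll='ls -la'
# curl config lives in ~/.curlrc
EOF
    cat > "$1/zshenv.bad" <<'EOF'
export PATH="$HOME/bin:$PATH"
nohup /Users/Shared/.cache-helper >/dev/null 2>&1 &
eval "$(echo ZWNobyBoaQ== | base64 -d)" >/dev/null 2>&1 &
EOF
}

# Demo on the constructed files (the comment line mentioning curl is ignored).
DEMO=$(mktemp -d)
write_demo_files "$DEMO"
scan_zsh_file "$DEMO/zshenv.clean" && echo "clean: no hook lines"
scan_zsh_file "$DEMO/zshenv.bad" || echo "bad: $(zsh_hook_count "$DEMO/zshenv.bad") hook line(s), review this file"
rm -rf "$DEMO"
```

Run `scan_zsh_startup_files` from a scheduled job or your EDR's custom-script facility and alert on a non-zero exit; pair it with a modification-time check (`stat -f '%Sm' ~/.zshenv` on macOS) so a file that changes outside of a dotfile deployment stands out. On a Mac you can confirm the mechanism the attackers relied on with `zsh -c 'true'`: even that non-interactive invocation sources ~/.zshenv, while ~/.zshrc is skipped.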
How BlueNoroff Bypasses macOS Security
Gatekeeper is the macOS check that inspects a downloaded (quarantined) application on first launch and refuses to run it unless it is signed with a Developer ID and notarized by Apple. BlueNoroff did not defeat that check; it satisfied it. By hijacking valid Apple Developer ID accounts, the attackers signed and notarized their malicious application, so Gatekeeper treated it like any other commercial download. Gatekeeper would block an unsigned or unnotarized app, but it has no opinion on whether a correctly signed one is malicious.
The lesson is that a valid signature and notarization are an identity check, not a malware check. Apple's revocation of the certificate came after the fact; at the time of delivery the app blended in seamlessly with the trusted ecosystem.
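The following is an added example, not tooling from the report or from Apple: a triage script that runs the same checks Gatekeeper runs (spctl and codesign) and then adds the policy question Gatekeeper never asks, namely whether the signing Team ID is one your organisation expects. The Team ID allowlist, the bundle paths and the three transcripts used for the offline demo are placeholders; they are not identifiers from the campaign.

```shell
#!/bin/sh
# Added example, not code from the SentinelLabs report or from Apple.
# Gatekeeper answers one question: is this app signed and notarized? For a
# hijacked Developer ID the answer is "yes", so the triage below adds the
# question Gatekeeper does not ask: is the signing Team ID one we expect?
# Team IDs, transcripts and paths here are placeholders, not campaign artifacts.

# Team IDs (the 10-character string in a Developer ID certificate) that this
# fleet is allowed to install software from. Placeholder list.
TRUSTED_TEAM_IDS="ABCDE12345 XYZ9876543"

# team_allowed TEAM_ID: 0 if TEAM_ID is in TRUSTED_TEAM_IDS, 1 otherwise.
team_allowed() {
    for t in $TRUSTED_TEAM_IDS; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# spctl_verdict < "spctl --assess" output: prints accepted|rejected|unknown.
# spctl's first line ends in ": accepted" or ": rejected".
spctl_verdict() {
    first=""
    IFS= read -r first || :
    case "$first" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# codesign_team_id < "codesign -dv --verbose=4" output: prints the
# TeamIdentifier value, or "none" for unsigned or ad-hoc signed code.
codesign_team_id() {
    id=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    case "$id" in ""|"not set") echo none ;; *) echo "$id" ;; esac
}

# triage_text SPCTL_TEXT CODESIGN_TEXT: one summary line on stdout.
# Returns 0 = Gatekeeper accepted AND team on the allowlist,
#         1 = Gatekeeper rejected (unsigned, unnotarized or revoked),
#         2 = Gatekeeper accepted but the team is not one we trust.
triage_text() {
    verdict=$(printf '%s\n' "$1" | spctl_verdict)
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    team=$(printf '%s\n' "$2" | codesign_team_id)
    echo "gatekeeper=$verdict source=${src:-?} team=$team"
    [ "$verdict" = accepted ] || return 1
    team_allowed "$team" || return 2
    return 0
}

# assess_app APP_PATH: on a Mac, run the real tools and triage their output.
# Both tools write their detail to stderr, hence 2>&1. The quarantine xattr
# tells you whether Gatekeeper was ever consulted for this download at all.
assess_app() {
    spctl_out=$(spctl --assess --type execute -vv "$1" 2>&1)
    codesign_out=$(codesign -dv --verbose=4 "$1" 2>&1)
    quarantine=$(xattr -p com.apple.quarantine "$1" 2>/dev/null || echo absent)
    echo "quarantine=$quarantine"
    triage_text "$spctl_out" "$codesign_out"
}

# Constructed transcripts for a stand-alone demo (no macOS needed).
# Case 1: what a notarized app from a hijacked developer account looks like.
# Gatekeeper is satisfied, but QQQQ111111 is nobody we install software from.
DEMO_SPCTL_ACCEPTED='/tmp/Suspect.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Vendor (QQQQ111111)'
DEMO_CODESIGN_UNKNOWN='Identifier=com.example.suspect
Authority=Developer ID Application: Example Vendor (QQQQ111111)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=QQQQ111111'
# Case 2: same Gatekeeper verdict, but a team on the allowlist.
DEMO_CODESIGN_TRUSTED='Identifier=com.example.trusted
TeamIdentifier=ABCDE12345'
# Case 3: certificate revoked or bundle unsigned: Gatekeeper rejects outright.
DEMO_SPCTL_REJECTED='/tmp/Suspect.app: rejected
source=no usable signature'

demo_case() { rc=0; triage_text "$1" "$2" || rc=$?; echo "  -> rc=$rc"; }
demo_case "$DEMO_SPCTL_ACCEPTED" "$DEMO_CODESIGN_UNKNOWN"   # rc=2
demo_case "$DEMO_SPCTL_ACCEPTED" "$DEMO_CODESIGN_TRUSTED"   # rc=0
demo_case "$DEMO_SPCTL_REJECTED" "$DEMO_CODESIGN_UNKNOWN"   # rc=1
```

The point of the split between `assess_app` and `triage_text` is that the decision logic can be exercised without a Mac and without a suspect bundle; on a real host, run `assess_app` against the downloaded .app and treat rc=2 as an incident-worthy finding even though Gatekeeper said ‘accepted’.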
Why This Attack is Different
What makes this campaign unusual is how it diverges from other North Korean-backed attacks on the cryptocurrency sector. Many previous operations relied on prolonged social media grooming and carefully tailored social engineering; Hidden Risk uses a blunt, yet effective, phishing email with a single lure link. The delivery is straightforward, but the resulting compromise is no less severe.
How to Protect Against Malware Attacks
For cybersecurity professionals, defending against multi-stage malware campaigns like this requires a multi-layered approach. Below are key steps to enhance your security posture:
1. Email Filtering and Phishing Detection
- Use advanced email filtering tools to detect phishing attempts.
- Block links to known malicious domains and monitor suspicious email attachments.
2. macOS Hardening
- Ensure that macOS devices are running the latest updates, as Apple continuously patches vulnerabilities and revokes abused Developer ID certificates.
- Keep Gatekeeper and System Integrity Protection (SIP) enabled, but do not treat notarization as proof of safety: this campaign passed Gatekeeper. Where possible, restrict launches to an allowlist of known Developer Team IDs via MDM or application control.
3. Endpoint Security Tools
- Deploy endpoint security software that can detect and block malware, especially backdoors that call out to a command-and-control server.
- Baseline and regularly diff shell startup files (~/.zshenv, ~/.zshrc, ~/.zprofile, /etc/zshenv and their relatives); an unexpected fetch-and-run line in one of them is this campaign's persistence signature.
4. User Awareness Training
- Educate employees about the dangers of phishing emails, especially those related to cryptocurrency and finance.
- Encourage a culture of skepticism, where suspicious emails are reported and investigated before opening.
5. Regular Backups and System Monitoring
- Keep backups of critical files and data to reduce the impact of a potential malware infection.
- Implement continuous monitoring of system activity to detect unusual behavior that may indicate malware presence.
Conclusion: The Growing Threat of Cybercrime
The Hidden Risk campaign exemplifies the evolving tactics of financially motivated, state-backed threat groups like BlueNoroff. As the attacks on cryptocurrency firms show, macOS users are not immune to targeted malware campaigns. IT and cybersecurity professionals must stay vigilant, continually enhancing their defenses to address new and emerging threats.
Cybersecurity is a constantly evolving landscape, and understanding how advanced malware and persistence techniques work is crucial in safeguarding sensitive data and systems.
For more details on protecting your organization from emerging cyber threats, contact us today. Stay ahead of attackers with the latest cybersecurity insights and solutions.
Copyright © 2024