North Korean threat actor BlueNoroff has been targeting crypto-related businesses with a new multi-stage malware for macOS systems.
Researchers are calling the campaign Hidden Risk and say that it lures victims with emails that share fake news about the latest activity in the cryptocurrency sector.
The malware deployed in these attacks relies on a novel persistence mechanism on macOS that does not trigger any alerts on the latest versions of the operating system, thus evading detection.
BlueNoroff is known for cryptocurrency thefts and has targeted macOS in the past using a payload malware called 'ObjCShellz' to open remote shells on compromised Macs.
Infection chain
The attacks start with a phishing email containing crypto-related news and subjects, made to appear as if forwarded by a cryptocurrency influencer to add credibility.
The message contains a link that supposedly opens a PDF about the news item, but the link actually points to the "delphidigital[.]org" domain controlled by the attackers.
According to SentinelLabs researchers, the "URL currently serves a benign form of the Bitcoin ETF document with titles that differ over time" but sometimes it serves the first stage of a malicious application bundle that is called ‘Hidden Risk Behind New Surge of Bitcoin Price.app’.
The researchers say that for the Hidden Risk campaign the threat actor used a copy of a genuine academic paper from the University of Texas.
The first stage is a dropper app signed and notarized using a valid Apple Developer ID, "Avantis Regtech Private Limited (2S8XHJ7948)," which Apple has now revoked.
When executed, the dropper downloads a decoy PDF from a Google Drive link and opens it in the default PDF viewer to distract the victim. In the background, though, the next stage payload is downloaded from "matuaner[.]com."
Notably, the hackers have manipulated the app's 'Info.plist' file to allow insecure HTTP connections to the attacker-controlled domain, essentially overriding Apple's App Transport Security policies.
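Because the override lives in the bundle's Info.plist, it can be checked statically. The script below is an added example (not code from the article, from SentinelLabs, or from the malware) that parses an Info.plist and reports every App Transport Security weakening it finds; the sample plist is constructed for the example and "example-c2.invalid" is a placeholder, not the real attacker domain.

```python
import plistlib

# Constructed Info.plist fragment in the style of the ATS override described above.
# The domain is a placeholder; the key names are Apple's documented ATS keys.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.placeholder</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>example-c2.invalid</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Constructed plist with no ATS dictionary at all: the secure default applies.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.clean</string>
</dict>
</plist>
"""


def ats_findings(plist_bytes: bytes) -> list[str]:
    """Return one human-readable finding per ATS weakening present in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    findings: list[str] = []
    if not isinstance(ats, dict):
        return findings  # no ATS dictionary: HTTPS-only default, nothing to report
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: plaintext HTTP allowed to every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent: plaintext HTTP allowed in web views")
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        if not isinstance(rules, dict):
            continue
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = " and subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"{domain}{scope}: NSExceptionAllowsInsecureHTTPLoads")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy requirement disabled")
    return findings


if __name__ == "__main__":
    # On a real system, read the bytes of <App>.app/Contents/Info.plist instead.
    for finding in ats_findings(SAMPLE_INFO_PLIST):
        print("ATS weakening:", finding)
```

A per-domain exception that allows insecure HTTP loads is a stronger signal than a blanket NSAllowsArbitraryLoads when the excepted domain is unrelated to the app's stated purpose, as is the case here.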
Main backdoor and new persistence mechanism
The second-stage payload, called "growth," is an x86_64 Mach-O binary, so it runs only on Intel Macs and on Apple silicon Macs that have the Rosetta emulation framework installed.
It achieves persistence on the system by modifying the ".zshenv" configuration file, which is hidden in the user's home directory and loads during Zsh sessions.
The malware installs a hidden "touch file" in the /tmp/ directory to mark successful infection and persistence, ensuring the payload remains active across reboots and user sessions.
This method makes it possible to bypass persistence detection systems Apple introduced in macOS 13 and later, which alert users via notifications when LaunchAgents are installed on their system.
"Infecting the host with a malicious Zshenv file allows for a more powerful form of persistence," explains SentinelLabs.
"While this technique is not unknown, it is the first time we have observed it used in the wild by malware authors."
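Because a Zshenv implant executes on every Zsh startup without touching LaunchAgents, defenders have to look for it directly. The script below is an added example (not from the article or from SentinelLabs) that scans the contents of a .zshenv file for lines that background a process or reference hidden files under /tmp, and lists dot-prefixed files in /tmp as candidate infection markers. The sample .zshenv text and the file and directory names in it are constructed placeholders, not the real indicators; the matching patterns are heuristics chosen for this example.

```python
import re
from pathlib import Path

# Constructed ~/.zshenv contents: two ordinary lines plus one line in the style
# of the persistence described above. Paths and names are placeholders.
SAMPLE_ZSHENV = """export PATH="$HOME/.local/bin:$PATH"
export EDITOR=vim
test -f /tmp/.placeholder_marker || (nohup "$HOME/.placeholder_dir/growth" >/dev/null 2>&1 &)
"""

# (pattern, reason) heuristics for things a login-environment file rarely needs to do.
SUSPICIOUS = [
    (re.compile(r"(^|[\s;(])nohup\s"), "backgrounded process via nohup"),
    (re.compile(r"&\s*\)?\s*$"), "command sent to background"),
    (re.compile(r"/tmp/\."), "hidden file under /tmp"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|zsh|bash)\b"), "download piped to shell"),
    (re.compile(r"base64\s+(-d|-D|--decode)"), "base64 decoded at shell start"),
]


def scan_zshenv_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for every non-comment line matching a heuristic."""
    hits: list[tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(stripped):
                hits.append((n, reason, stripped))
    return hits


def scan_zshenv_file(path: Path = Path.home() / ".zshenv") -> list[tuple[int, str, str]]:
    """Scan a real .zshenv on disk; an absent file yields no findings."""
    if not path.is_file():
        return []
    return scan_zshenv_text(path.read_text(errors="replace"))


def hidden_tmp_files(tmp: Path = Path("/tmp")) -> list[str]:
    """List dot-prefixed regular files directly under /tmp (candidate infection markers)."""
    if not tmp.is_dir():
        return []
    return sorted(p.name for p in tmp.iterdir() if p.name.startswith(".") and p.is_file())


if __name__ == "__main__":
    for line_no, reason, line in scan_zshenv_file():
        print(f"~/.zshenv:{line_no}: {reason}: {line}")
    for name in hidden_tmp_files():
        print(f"/tmp/{name}: hidden file, review its origin")
```

Any hit is worth a manual look rather than an automatic verdict: a backgrounded command in .zshenv is unusual but not unheard of, and the touch-file check should be paired with the file's creation time and owner. The same scan applies to .zshrc, .zprofile and .zlogin, which Zsh also sources.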
Once nested in the system, the backdoor connects with the command-and-control (C2) server, checking for new commands every 60 seconds. The user-agent string used for this has been seen previously in attacks in 2023 attributed to BlueNoroff.
The observed commands are for downloading and executing additional payloads, running shell commands to manipulate or exfiltrate files, or exit (stop the process).
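A fixed 60-second check-in interval is itself detectable in proxy or DNS logs. The script below is an added example (not from the article or from SentinelLabs) that groups requests by client, destination and user agent and flags series whose spacing sits tightly around an expected period; the log lines, host name and user-agent string are constructed placeholders, since the article does not publish the real indicators.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: timestamp, client, destination host, user agent.
# Host and user-agent values are placeholders, not the campaign's real indicators.
SAMPLE_LOG = """\
2024-11-01T10:00:00Z 10.0.0.5 c2.placeholder.invalid "UA-PLACEHOLDER/1.0"
2024-11-01T10:00:03Z 10.0.0.5 cdn.example.invalid "Mozilla/5.0"
2024-11-01T10:01:00Z 10.0.0.5 c2.placeholder.invalid "UA-PLACEHOLDER/1.0"
2024-11-01T10:01:45Z 10.0.0.7 cdn.example.invalid "Mozilla/5.0"
2024-11-01T10:02:01Z 10.0.0.5 c2.placeholder.invalid "UA-PLACEHOLDER/1.0"
2024-11-01T10:03:00Z 10.0.0.5 c2.placeholder.invalid "UA-PLACEHOLDER/1.0"
2024-11-01T10:03:59Z 10.0.0.5 c2.placeholder.invalid "UA-PLACEHOLDER/1.0"
2024-11-01T10:04:10Z 10.0.0.7 cdn.example.invalid "Mozilla/5.0"
2024-11-01T10:05:00Z 10.0.0.5 c2.placeholder.invalid "UA-PLACEHOLDER/1.0"
"""


def parse_line(line: str):
    """Split one constructed log line into (datetime, client, host, user_agent)."""
    ts, client, host, ua = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, ua.strip('"')


def find_beacons(log_text: str, expected_period: float = 60.0,
                 tolerance: float = 5.0, min_hits: int = 5):
    """Return (client, host, user_agent, median_gap_seconds) for every series of at
    least `min_hits` requests whose median spacing is within `tolerance` seconds of
    `expected_period` and whose spacing varies by no more than 2 * tolerance."""
    series = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, host, ua = parse_line(raw)
        series[(client, host, ua)].append(ts)

    beacons = []
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        spread = max(gaps) - min(gaps)
        if abs(median - expected_period) <= tolerance and spread <= 2 * tolerance:
            beacons.append((*key, median))
    return beacons


if __name__ == "__main__":
    for client, host, ua, median in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host} ({ua}): ~{median:.0f}s beacon")
```

The check deliberately keys on the user agent as well as the destination, because the article notes the string reused from BlueNoroff's 2023 activity; in production the tolerance should be widened to account for jitter and the destination correlated with the domains from the report.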
SentinelLabs says the "Hidden Risk" campaign has been running for the last 12 months or so, following a more direct phishing approach that does not involve the typical "grooming" on social media that other DPRK hackers engage in.
The researchers also note that BlueNoroff has shown a consistent capability to source new Apple developer accounts and get their payloads notarized to bypass macOS Gatekeeper.