North Korean Malware Attacks Mac Users In Crypto Industry

In a Rush? Here are the Quick Facts!

  • The hacking group, BlueNoroff, launched the “Hidden Risk” campaign in April 2023.
  • Malware spreads via fake cryptocurrency news updates in phishing emails.
  • Attack enables remote control and data theft from infected devices.

A new report by cybersecurity firm SentinelOne highlights a wave of advanced malware attacks targeting cryptocurrency firms, specifically those using macOS devices.

The attacks, attributed to North Korean hackers associated with the “BlueNoroff” group, employ phishing emails and deceptive links to infiltrate corporate systems and steal funds.

Technical evidence linked the campaign to BlueNoroff, a subgroup recently identified by the U.S. Treasury as part of Lazarus, North Korea’s most notorious government-backed hacking group, as reported by The Record.

The BlueNoroff campaign, known as “Hidden Risk,” reportedly began in April 2023 and uses fake cryptocurrency news updates to lure victims.

Malicious applications disguised as PDF documents trick users into downloading malware. These phishing emails often appear to be from reputable sources in the crypto industry, containing links to “reports” that, instead, install a malware application.

Titles like “Hidden Risk Behind New Surge of Bitcoin Price” are crafted to look credible, duping users into opening the files.

SentinelOne’s report highlights an innovative tactic within the campaign: using the hidden “zshenv” macOS system file to maintain persistence. Because this method does not trigger the usual macOS security alerts, it helps the malware evade detection.
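As an added example (not from the article or from SentinelOne's report), a POSIX shell checker that audits the zsh startup files for lines that execute commands rather than set environment variables. It assumes the standard locations /etc/zshenv and ${ZDOTDIR:-$HOME}/.zshenv, which zsh reads at every start, and prints any non-assignment line for review.

```shell
#!/bin/sh
# Added example: audit zsh startup files for lines that run commands.
# zsh sources /etc/zshenv and then ${ZDOTDIR:-$HOME}/.zshenv for every zsh
# process, interactive or not, so a command planted there reruns each time
# any zsh starts. Environment setup is normal in these files; anything that
# launches a program deserves a look.

# Print each non-comment line of FILE that is not a plain VAR=value or
# export VAR=value assignment. Returns 0 if nothing was flagged, else 1.
audit_zshenv_file() {
    file="$1"
    [ -f "$file" ] || return 0          # absent file: nothing to check
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;        # blank line or comment
        esac
        case "$line" in
            *'$('*|*'`'*|*';'*|*'|'*|*'&'*) ;;   # substitution/pipe/chaining: flag
            *)
                rest=${line#"export "}
                name=${rest%%=*}
                case "$name" in
                    "$rest"|''|[0-9]*|*[!A-Za-z0-9_]*) ;;   # not VAR=value: flag
                    *) continue ;;                           # plain assignment: expected
                esac ;;
        esac
        printf '%s: %s\n' "$file" "$line"
        found=1
    done < "$file"
    return "$found"
}

# Check the standard locations. Returns 1 if any file produced findings.
audit_zshenv_locations() {
    status=0
    for f in /etc/zshenv "${ZDOTDIR:-$HOME}/.zshenv"; do
        audit_zshenv_file "$f" || status=1
    done
    return "$status"
}

# Run the check and report; drop the `||` to propagate a nonzero exit status.
audit_zshenv_locations || echo "zshenv audit: review the lines above"
```

A flagged line is a prompt for review, not a verdict: legitimate tooling sometimes sources helper scripts from zshenv, so compare findings against what the machine's owner expects to be there.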

Once embedded, the malware installs a backdoor, enabling attackers to remotely control infected devices, execute commands, and harvest data.

This campaign aligns with North Korea’s long-standing interest in cryptocurrency as a funding source. In September 2024, the FBI issued warnings about North Korean hackers targeting decentralized finance (DeFi) platforms and crypto firms through phishing.

The “Hidden Risk” campaign underscores the group’s evolving techniques, particularly in targeting macOS vulnerabilities.

SentinelOne’s findings underscore the importance of caution in the crypto industry. Security experts recommend that firms enhance their security protocols, educate employees on phishing threats, and exercise caution when handling unexpected emails or applications.
