North Korean hackers unleash new malware ‘NimDoor’ on Apple devices in crypto cyberattack campaign



North Korean hackers are deploying a new strain of malware, dubbed ‘NimDoor’, specifically targeting Apple devices as part of an escalating cyberattack campaign against cryptocurrency companies, according to a report released by cybersecurity firm Sentinel Labs. This development marks a significant shift, as the attackers leverage an unusual programming language to evade detection and exploit the growing perception that Mac computers are less vulnerable to such threats.

The attack chain begins with sophisticated social engineering. According to the Sentinel Labs report, attackers impersonate trusted contacts on messaging applications such as Telegram, then send what appears to be a legitimate Google Meet link for a fake Zoom meeting, and finally instruct the victim to download what is presented as a Zoom update file.

On Mac computers

“Once the ‘update’ is executed, the payload installs malware called ‘NimDoor’ on Mac computers, which then targets crypto wallets and browser passwords,” stated the Sentinel Labs report.

A key element that makes NimDoor particularly challenging for security software is its development in Nim, an uncommon programming language. “Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice,” the Sentinel Labs researchers commented in their report. They further noted that Nim’s ability to compile code quickly and produce standalone executables, together with the difficulty of detecting Nim-compiled binaries, make it an attractive tool for cybercriminals.
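Because Nim-compiled Mach-O binaries are the unusual element here, a defender’s first triage question is simply “is this a Nim build?”. The script below is an added example written for this article, not code from the Sentinel Labs report or from Nim. It checks a file for a Mach-O magic number and then for a handful of strings that Nim’s code generator and runtime commonly leave behind; that marker list is an assumption chosen for illustration, not an authoritative indicator set, and Nim is a legitimate language, so a hit is a lead for analysis rather than a verdict.

```python
"""Triage check: does a Mach-O binary carry Nim runtime markers?

Added example (not code from the Sentinel Labs report). The marker strings
below are an assumption: illustrative artefacts that Nim's code generator and
runtime commonly leave in compiled binaries, not an authoritative IoC list.
"""
import os

# Mach-O magic numbers as they appear on disk; 32- and 64-bit images may be
# stored in either byte order, fat (universal) headers are big-endian.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
)

# Assumed Nim artefacts: generated entry points, runtime source paths and the
# runtime's unhandled-exception banner. Symbol names disappear when a binary is
# stripped, but error strings and embedded source paths often survive.
NIM_MARKERS = (
    b"NimMain",
    b"NimMainModule",
    b"system.nim",
    b"fatal.nim",
    b"Error: unhandled exception",
)


def is_macho(data: bytes) -> bool:
    """True if the first four bytes are one of the Mach-O magic numbers."""
    return data[:4] in MACHO_MAGICS


def nim_markers_in(data: bytes) -> list:
    """Return the Nim marker strings present anywhere in the file contents."""
    return [m.decode() for m in NIM_MARKERS if m in data]


def triage_bytes(data: bytes) -> dict:
    """Classify file contents; a Nim hit is a lead for analysis, not a verdict."""
    macho = is_macho(data)
    markers = nim_markers_in(data) if macho else []
    if not macho:
        verdict = "not a Mach-O file"
    elif markers:
        verdict = "suspect: Nim-compiled Mach-O"
    else:
        verdict = "Mach-O without Nim markers"
    return {"is_macho": macho, "nim_markers": markers, "verdict": verdict}


def triage_file(path: str) -> dict:
    """Run the byte-level triage on a file on disk."""
    with open(path, "rb") as fh:
        result = triage_bytes(fh.read())
    result["path"] = path
    return result


def scan_directory(root: str) -> list:
    """Walk a directory tree and return only the Nim-suspect findings."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                result = triage_file(path)
            except OSError:
                continue  # unreadable, vanished or a special file: skip it
            if result["nim_markers"]:
                hits.append(result)
    return hits


# Constructed samples standing in for real files: a 64-bit Mach-O header
# followed by Nim-like strings, and a header followed by unrelated strings.
SAMPLE_NIM = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
              + b"NimMain\x00NimMainModule\x00/lib/system/fatal.nim\x00"
              + b"Error: unhandled exception\x00")
SAMPLE_CLEAN = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
                + b"_main\x00libSystem.B.dylib\x00")

if __name__ == "__main__":
    for label, sample in (("nim-like", SAMPLE_NIM), ("clean", SAMPLE_CLEAN)):
        print(label, triage_bytes(sample))
```

Pointing `scan_directory` at a user’s Downloads folder or a quarantined sample set gives a quick list of candidates to hand to a reverse engineer; pair the result with a code-signature check, since a genuine Zoom update is signed by Zoom and a Nim binary dropped by a messaging-app contact typically is not.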


Go and Rust

North Korean-aligned threat actors have previously experimented with programming languages like Go and Rust. However, Sentinel Labs researchers emphasize that Nim offers distinct advantages for their operations. The malware payload is designed as a credential-stealer, engineered to “silently extract browser and system-level information, package it, and exfiltrate it.” Additionally, it includes a script capable of stealing Telegram’s encrypted local database and decryption keys. To further evade detection, the malware employs a “smart timing” mechanism, waiting ten minutes before activating.
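The “smart timing” behaviour described above, a freshly downloaded binary that sits quietly for about ten minutes before reaching out, is itself something a defender can hunt for in endpoint telemetry. The script below is an added example for this article, not code from the Sentinel Labs or Huntress reports. It assumes a hypothetical JSON-lines feed of `exec` and `connect` events with `ts`, `pid`, `path`, `parent` and `remote` fields (the sample events are constructed), pairs each execution from a user-writable path with that process’s first outbound connection, and flags the ones that waited longer than a chosen quiet period.

```python
"""Hunting for delayed activation in process telemetry.

Added example, not code from the Sentinel Labs or Huntress reports. It assumes
a hypothetical JSON-lines event feed with exec and connect events carrying
ts, pid, path, parent and remote fields; the sample events are constructed.
"""
import json
from datetime import datetime, timedelta

# Roots a user (and therefore a freshly downloaded "update") can write to.
USER_WRITABLE_ROOTS = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

# A freshly run binary that stays quiet this long before its first outbound
# connection matches the "wait, then activate" behaviour the report describes.
QUIET_PERIOD = timedelta(minutes=8)

# Constructed telemetry: a real Zoom client, a fake "update" launched from
# Downloads that only talks out ten and a half minutes later, and an unrelated
# download that connects immediately. Addresses are documentation ranges.
SAMPLE_EVENTS = """\
{"ts": "2025-07-02T10:00:00", "event": "exec", "pid": 501, "path": "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "parent": "launchd"}
{"ts": "2025-07-02T10:00:02", "event": "connect", "pid": 501, "remote": "203.0.113.10:443"}
{"ts": "2025-07-02T10:05:00", "event": "exec", "pid": 777, "path": "/Users/alice/Downloads/zoom_sdk_support/update", "parent": "Telegram"}
{"ts": "2025-07-02T10:07:00", "event": "exec", "pid": 812, "path": "/Users/alice/Downloads/report_viewer", "parent": "Finder"}
{"ts": "2025-07-02T10:07:01", "event": "connect", "pid": 812, "remote": "198.51.100.7:443"}
{"ts": "2025-07-02T10:15:30", "event": "connect", "pid": 777, "remote": "192.0.2.55:443"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with real timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def in_user_writable_location(path: str) -> bool:
    """True for binaries living where an unprivileged user can drop files."""
    return path.startswith(USER_WRITABLE_ROOTS)


def find_delayed_beacons(events: list, quiet_period: timedelta = QUIET_PERIOD) -> list:
    """Pair each exec from a user-writable path with that pid's first connect
    and report the ones that waited at least quiet_period before reaching out."""
    pending = {}   # pid -> exec event still waiting for its first connect
    findings = []
    for ev in events:
        if ev["event"] == "exec" and in_user_writable_location(ev.get("path", "")):
            pending[ev["pid"]] = ev
        elif ev["event"] == "connect" and ev["pid"] in pending:
            start = pending.pop(ev["pid"])  # only the first connect matters
            delay = ev["ts"] - start["ts"]
            if delay >= quiet_period:
                findings.append({
                    "pid": ev["pid"],
                    "path": start["path"],
                    "parent": start.get("parent"),
                    "remote": ev.get("remote"),
                    "delay_minutes": delay.total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for finding in find_delayed_beacons(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On its own a long quiet period is a weak signal (plenty of legitimate tools idle before they phone home), which is why the finding carries the parent process and path: an “update” executed from a Downloads folder with a messaging client as its parent, and then beaconing after a deliberate pause, is the combination worth escalating.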

This recent activity aligns with broader trends observed in the cybersecurity landscape. In June, cybersecurity solutions provider Huntress reported similar malware incursions linked to the hacking group “BlueNoroff.” Huntress researchers highlighted that their observed malware could bypass Apple’s memory protections to inject its payload, performing functions like keylogging, screen recording, and clipboard retrieval. It also contained a “full-featured infostealer” called CryptoBot, specifically designed to penetrate browser extensions and seek out crypto wallet plugins.

SlowMist issues warning

Echoing these concerns, blockchain security firm SlowMist issued a warning this week about a “massive malicious campaign” involving dozens of fake Firefox extensions engineered to steal cryptocurrency wallet credentials.

Apple’s macOS

The increasing focus on Apple’s macOS by state-sponsored threat actors debunks the long-held belief that Mac computers are inherently more secure. “Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” concluded Sentinel Labs researchers in their report, underscoring the critical need for heightened cybersecurity measures across all platforms, including macOS.

Disclaimer:
This article is for informational purposes only and does not constitute financial, investment, or trading advice. Cryptocurrency investments are subject to high market risk. Readers should conduct their own research or consult with a financial advisor before making any investment decisions. The views expressed here do not necessarily reflect those of the publisher.
