Hidden Risk Malware
A new campaign by the North Korean threat group BlueNoroff is targeting cryptocurrency businesses with a sophisticated multi-stage malware built for macOS. Dubbed Hidden Risk by researchers, the campaign lures victims with emails containing fabricated news about recent developments in the cryptocurrency market. The malware uses an innovative persistence technique on macOS that is designed to evade the persistence alerts introduced in recent system updates, so the infection raises no security warning.
BlueNoroff is a cybercrime group notorious for cryptocurrency theft and has previously targeted macOS systems. In past attacks, they used a payload known as ObjCShellz, which allowed them to establish remote shells on compromised Macs.
How the Hidden Risk Infection Chain Is Carried Out
The attack starts with the delivery of a phishing email that appears to contain cryptocurrency-related news, often presented as a forwarded message from a well-known crypto influencer to lend it credibility. The email includes a link, supposedly leading to a PDF with important information, but it actually directs the victim to a domain controlled by the attackers, delphidigital.org.
Researchers have observed that the URL currently serves a harmless version of a Bitcoin ETF document whose title changes over time, though at other times it has delivered the first stage of the attack: a malicious application bundle titled Hidden Risk Behind New Surge of Bitcoin Price.app.
For this campaign, the threat actor used a legitimate academic paper from the University of Texas as a disguise. The first stage of the attack involves a dropper application, signed and notarized under a valid Apple Developer ID, 'Avantis Regtech Private Limited (2S8XHJ7948),' which Apple has since revoked.
Once executed, the dropper downloads a decoy PDF from a Google Drive link and opens it in the default PDF viewer to keep the victim distracted. Meanwhile, the next stage of the attack is secretly downloaded from matuaner.com. Notably, the attackers have altered the app's Info.plist file to permit insecure HTTP connections to their domain, effectively bypassing Apple's App Transport Security protocols.
A Novel Persistence Mechanism Exploited by the Hidden Risk
The second-stage payload, named 'growth,' is an x86_64 Mach-O binary that runs on Intel Macs and on Apple Silicon Macs that have the Rosetta translation layer installed. It establishes persistence by modifying the hidden .zshenv configuration file in the user's home directory, which Zsh reads every time a session starts.
To confirm a successful infection and maintain persistence, the malware creates a hidden 'touch file' in the /tmp/ directory, which helps keep the payload active across reboots and user logins. The technique sidesteps the persistence detection added in macOS 13 and later, which typically alerts users when a new LaunchAgent is installed; because the malicious code lives in .zshenv rather than in a LaunchAgent, no such alert is raised and the malware gains a stronger form of persistence. Although the method itself isn't entirely new, this is the first time researchers have seen malware authors use it in live attacks.
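As an added example, not code from the researchers or the campaign, the following audit flags the kind of .zshenv tampering described above: lines that fetch or decode a payload at shell startup, reference hidden files under a temp directory, or background a process. The indicator patterns and the sample file contents are constructed, and the file names in the tampered sample are placeholders rather than the campaign's own.

```python
import re
from pathlib import Path

# Heuristic indicators that a .zshenv has been turned into a launcher.
# .zshenv is read by every zsh invocation, interactive or not, so anything
# started from it runs at each login without a LaunchAgent being installed.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b"), "network fetch at shell startup"),
    (re.compile(r"\bbase64\b.*(\s-d|\s-D|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"/(private/)?(var/)?tmp/\.[^\s/;&|]+"), "hidden file under a temp directory"),
    (re.compile(r"\bnohup\b|&\s*$"), "process backgrounded from shell startup"),
    (re.compile(r"(^|[;&|]\s*)(\.|source)\s+\S*/\.[^\s/]+"), "sources a hidden script"),
]

def audit_zshenv(text):
    """Return (line_no, reason, line) for each non-comment line matching an indicator."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, reason in INDICATORS:
            if pattern.search(line):
                findings.append((line_no, reason, line))
    return findings

def audit_zshenv_files(home_root):
    """Audit <home_root>/<user>/.zshenv for every user directory; returns {user: findings}."""
    results = {}
    for zshenv in Path(home_root).glob("*/.zshenv"):
        findings = audit_zshenv(zshenv.read_text(errors="replace"))
        if findings:
            results[zshenv.parent.name] = findings
    return results

# Constructed samples. The tampered line mirrors the pattern in the text (a hidden
# touch file under /tmp gating a hidden payload); the names are placeholders.
BENIGN_ZSHENV = """\
# typical user environment
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
"""
TAMPERED_ZSHENV = BENIGN_ZSHENV + """\
[ -f /tmp/.init_ok ] || nohup "$HOME/.config/.growth" >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for line_no, reason, line in audit_zshenv(TAMPERED_ZSHENV):
        print(f"line {line_no}: {reason}: {line}")
```

Run it against `/Users` with `audit_zshenv_files("/Users")` to check every local account, and treat any .zshenv that fetches, decodes or backgrounds something as worth a closer look.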
Once entrenched in the system, the backdoor connects to the Command-and-Control (C2) server, checking for new commands every 60 seconds. The user-agent string it employs has been associated with previous attacks attributed to BlueNoroff in 2023. The commands observed include downloading and executing additional payloads, running shell commands to alter or steal files, or halting the process altogether.
Experts note that the Hidden Risk campaign has been active for the past 12 months and takes a more direct phishing approach than the prolonged social media 'grooming' seen in other North Korean operations. Researchers also point to BlueNoroff's continued ability to obtain new Apple developer accounts and get its payloads notarized, which lets the malware pass macOS Gatekeeper checks.