NimDoor Malware
Cybersecurity professionals have uncovered a new and stealthy macOS malware family dubbed NimDoor, which poses a serious threat due to its advanced persistence techniques, stealthy data theft mechanisms, and sophisticated evasion capabilities. This malicious campaign is attributed to North Korean-aligned threat actors targeting the Web3 and cryptocurrency sectors.
North Korean Hackers Pivot to Nim and macOS
Threat actors suspected to be linked to North Korea are now leveraging the Nim programming language in their malware arsenal. This marks an ongoing evolution in their toolkit, with previous campaigns utilizing languages like Go and Rust. The new use of Nim shows an intent to innovate, especially in crafting cross-platform threats that are difficult to detect and analyze.
In this campaign, the attackers specifically go after Web3 and cryptocurrency-focused organizations, suggesting a financially motivated operation with an interest in disrupting or infiltrating digital finance infrastructure.
Highly Unusual macOS Techniques
What makes NimDoor particularly concerning is its unconventional approach to macOS infection. Most notably, it uses:
- Process injection, a rare technique for macOS malware, allowing the threat to hijack and manipulate legitimate processes.
- WSS (WebSocket Secure) communication channels for encrypted C2 interactions.
- A novel persistence method that leverages SIGINT and SIGTERM signal handlers, allowing the malware to reinstall itself when terminated or upon system reboot.
These features enable it to maintain a low profile and remain resilient against common user or system-initiated disruptions.
Social Engineering-Fueled Attack Chain
The attack begins with a social engineering strategy:
- Victims are contacted via platforms like Telegram and lured into scheduling a Zoom meeting using Calendly.
- They receive a fake email with a Zoom SDK update script, purportedly to ensure compatibility with the videoconferencing software.
This leads to the execution of a malicious AppleScript, which downloads a second-stage script from a remote server while redirecting the user to a legitimate Zoom link. The second-stage script extracts ZIP archives containing:
- Binaries for establishing persistence
- Bash scripts for stealing system data
The Role of InjectWithDyldArm64
At the heart of the infection process is a C++ loader known as InjectWithDyldArm64, or simply InjectWithDyld. This component is crucial for deploying the malware effectively and covertly. It begins by decrypting two embedded binaries, one named 'Target' and the other 'trojan1_arm64.' After decryption, it proceeds to launch the Target process in a suspended state. With the process paused, the loader injects the trojan1_arm64 binary into it and then resumes execution. This method allows the malicious payloads to be delivered and activated in a highly stealthy manner, bypassing standard system defenses and minimizing the chance of detection.
Credential Theft and System Surveillance
Once active, the malware establishes a connection with a remote Command-and-Control (C2) server, allowing it to carry out several malicious operations. These include collecting detailed system information, executing arbitrary commands issued remotely, navigating through different directories, and transmitting the results of these actions back to the attacker.
The threat escalates with the involvement of the trojan1_arm64 component, which retrieves two more payloads from the C2 infrastructure. These payloads are crafted specifically to harvest sensitive information. Their primary targets are login credentials stored in widely used web browsers (Arc, Brave, Chrome, Edge, and Firefox), as well as user data from the Telegram messaging application.
Persistence Mechanisms
Beyond its primary components, the malware also deploys Nim-based executables that activate a module known as CoreKitAgent. This module plays a critical role in ensuring the malware's resilience by monitoring for any attempts to terminate its operation. To maintain its presence, it installs custom signal handlers for SIGINT and SIGTERM, allowing it to automatically relaunch if a user or security tool tries to shut it down. This built-in mechanism significantly strengthens the malware's persistence.
The attackers also make extensive use of AppleScript, leveraging it not only during the initial infection phase but also throughout the malware's operation for ongoing monitoring and control. Through this scripting capability, the malware sends out periodic beacons every 30 seconds to hard-coded C2 servers, exfiltrates details about currently running processes, and carries out new commands issued by the remote threat actor.
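The fixed 30-second beacon interval described above is itself a detection opportunity. The following is an added example, not code from the original report or from the NimDoor analysis, that flags near-constant connection intervals in a constructed connection log; the log format, hostnames and addresses are assumed for the example.

```python
# Added example (not from the original report): flag fixed-interval beaconing
# in connection logs, the pattern produced by NimDoor's 30-second AppleScript
# beacons to hard-coded C2 servers. Log format, hosts and addresses are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: timestamp, source host, destination, scheme.
SAMPLE_LOG = """\
2025-07-01T10:00:00 macbook-1 203.0.113.10:443 wss
2025-07-01T10:00:30 macbook-1 203.0.113.10:443 wss
2025-07-01T10:01:00 macbook-1 203.0.113.10:443 wss
2025-07-01T10:01:30 macbook-1 203.0.113.10:443 wss
2025-07-01T10:02:00 macbook-1 203.0.113.10:443 wss
2025-07-01T10:00:07 macbook-1 example.com:443 https
2025-07-01T10:03:41 macbook-1 example.com:443 https
2025-07-01T10:09:02 macbook-1 example.com:443 https
2025-07-01T10:21:15 macbook-1 example.com:443 https
"""

def parse_log(text):
    """Group connection timestamps by (source, destination, scheme)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, scheme = line.split()
        series[(src, dst, scheme)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return [(key, mean_gap_seconds)] for series whose gaps are near-constant.

    Spread is measured as pstdev/mean: a rigid 30 s schedule scores ~0, while
    human browsing is irregular. Real implants may add jitter, so tune max_jitter.
    """
    hits = []
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((key, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for (src, dst, scheme), period in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst} ({scheme}) beacons every {period}s")
```

On the constructed sample only the WSS series is flagged, with a 30.0 s period; the irregular HTTPS traffic to example.com is ignored.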
Why Nim Makes Malware More Dangerous
The use of the Nim programming language gives the attackers notable advantages. Nim's ability to execute functions at compile time allows them to:
- Embed complex logic that's difficult to detect
- Obfuscate control flow within binaries
- Intermingle developer and runtime code, making analysis significantly harder
This results in compact, capable binaries that are less visible to traditional malware detection engines.
NimDoor is a stark reminder that macOS is no longer immune to advanced persistent threats. With North Korean actors now targeting this platform using evolving techniques and lesser-known programming languages, staying informed and vigilant is more critical than ever.