November 8, 2024
Severity
High
Analysis Summary
The Hidden Risk campaign, attributed to North Korean threat actor group BlueNoroff (also known as APT38), targets cryptocurrency businesses with multi-stage malware that infects Apple macOS devices.
The operation relies on social engineering: phishing emails that pose as news reports about cryptocurrency trends lure victims into opening a malicious application disguised as a PDF file. Once launched, the application downloads a decoy PDF from Google Drive to show the user and retrieves a backdoor that gives the attackers remote access to the host. For persistence the malware uses a novel technique: it writes to the user's zshenv configuration file (~/.zshenv), which zsh sources for every shell it starts, so the backdoor is relaunched without a LaunchAgent or login item and therefore without triggering the background-item notifications that macOS Ventura displays.
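A host-side check for the zshenv persistence described above, written as an added example (it is not code from this advisory or from the researchers who analysed the campaign). It audits the zsh environment files for lines that execute or source a hidden file under the home directory, background a command, or invoke a download tool, after skipping lines an analyst has already accepted. The allowlist entries and the contents of SAMPLE_ZSHENV are constructed for the example; the last two sample lines are hypothetical and are not the real malware's persistence line.

```python
"""Audit zsh environment files for start-up persistence of the kind used by
the Hidden Risk dropper. Added example, not the advisory's own tooling."""
from __future__ import annotations

import re
from pathlib import Path

# zsh sources these for every shell it starts (login, interactive or not), so a
# command placed here runs without a LaunchAgent or login item and therefore
# without the "Background Items Added" notification macOS Ventura shows.
ZSHENV_FILES = [Path.home() / ".zshenv", Path("/etc/zshenv"), Path("/etc/zsh/zshenv")]

# A hidden path under the user's home: $HOME/.x, ${HOME}/.x, ~/.x or /Users/name/.x
HIDDEN_PATH = r'(?:\$HOME|\$\{HOME\}|~|/Users/[^/\s"\']+)/\.[^\s"\';&|)]+'
# The hidden path sits where it is executed or sourced, not merely mentioned
# (an `export PATH="$HOME/.cargo/bin:$PATH"` assignment does not match).
EXEC_HIDDEN = re.compile(
    r'(?:^\s*|[;&|(]\s*|\b(?:then|do|exec|nohup|source)\s+|(?:^|\s)\.\s+)["\']?' + HIDDEN_PATH
)
BACKGROUNDED = re.compile(r"&\s*(?:fi|done)?\s*$")
NETWORK_TOOL = re.compile(r"\b(?:curl|wget|nscurl|osascript)\b")

# Lines reviewed and accepted for this fleet (assumed baseline, edit per site).
ALLOWLIST = {
    '. "$HOME/.cargo/env"',
    'export PATH="$HOME/.cargo/bin:$PATH"',
}


def audit_zshenv_text(text: str, allowlist=ALLOWLIST) -> list[dict]:
    """Return one finding per suspicious line: {"line_no", "line", "reasons"}."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line in allowlist:
            continue
        reasons = []
        if EXEC_HIDDEN.search(line):
            reasons.append("executes or sources a hidden file under the home directory")
        if BACKGROUNDED.search(line):
            reasons.append("runs a command in the background")
        if NETWORK_TOOL.search(line):
            reasons.append("invokes a network/download tool at shell start-up")
        if reasons:
            findings.append({"line_no": line_no, "line": line, "reasons": reasons})
    return findings


def audit_host(paths=ZSHENV_FILES) -> dict[str, list[dict]]:
    """Run the audit over the zshenv files actually present on this machine."""
    return {str(p): audit_zshenv_text(p.read_text(errors="replace"))
            for p in paths if p.is_file()}


# Constructed sample: two benign developer lines, then two hypothetical lines
# of the shape a dropper would append (marker file, then a hidden binary
# launched in the background with output discarded).
SAMPLE_ZSHENV = """\
# developer tooling
export PATH="$HOME/.cargo/bin:$PATH"
. "$HOME/.cargo/env"
touch "$HOME/.zsh_init_done"
"$HOME/.config/.files/helper" > /dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in audit_zshenv_text(SAMPLE_ZSHENV):
        print(f"sample line {f['line_no']}: {f['line']}\n    " + "; ".join(f["reasons"]))
    for path, hits in audit_host().items():
        print(f"{path}: {len(hits)} suspicious line(s)")
```

The allowlist is the important part: `. "$HOME/.cargo/env"` is exactly the pattern the hidden-path rule looks for, and it is also one of the most common legitimate lines in a developer's ~/.zshenv, so the heuristics only become useful once a reviewed baseline removes the known-good entries.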
The campaign shows how readily North Korean actors adapt their tradecraft. The attackers send phishing emails with fake cryptocurrency news headlines and rely on legitimate infrastructure: domains registered through Namecheap and servers at hosting providers such as Quickpacket and Hostwinds. In October 2024, a phishing attempt was observed that delivered the dropper application “Hidden Risk Behind New Surge of Bitcoin Price.app”, signed with an Apple Developer ID that Apple has since revoked. The malware is built to evade traditional detection methods, and the shift to a direct phishing lure contrasts with BlueNoroff’s previous campaign, which relied on prolonged social engineering and “grooming” of targets on social media.
In addition to the BlueNoroff campaign, North Korean threat actors actively pursue job opportunities in Western firms, employing tactics such as social engineering through fake job offers and malware-laden assignments. The Famous Chollima group, whose activity is also tracked under the names Wagemole and Contagious Interview, targets developers worldwide through malware-infected codebases and conferencing tools. Researchers have named this recent activity DeceptiveDevelopment and tied it to the Lazarus Group, which has a well-documented history of cryptocurrency theft and corporate infiltration.
These campaigns illustrate North Korea’s increasingly varied and persistent efforts to raise funds from the cryptocurrency sector in order to bypass financial sanctions. The Hidden Risk campaign and similar operations show a high level of technical sophistication, with carefully constructed lures, multi-platform malware, and effective evasion techniques. North Korean cyber actors keep their tactics dynamic, targeting businesses and individuals across platforms while running prolonged covert operations for monetary gain.
Impact
- Sensitive Data Theft
- Cyber Espionage
- Financial Loss
- Cryptocurrency Theft
Indicators of Compromise
Domain Name
- cmt.ventures
- maelstromfund.org
- meet.selinicapital.online
- www.panda95sg.asia
- analysis.arkinvst.com
- appleaccess.pro
- atajerefoods.com
- buy2x.com
IP
- 45.61.140.26
- 23.254.253.75
- 45.61.128.122
- 45.61.135.105
- 144.172.74.23
- 144.172.74.141
- 172.86.108.47
- 216.107.136.10
MD5
- 529fe6eff1cf452680976087e2250c02
SHA-256
- bd2aa5805b76f272b43a595b3d73e29d0fc4647e15e87950b8f904ea26dcf053
SHA-1
- 7e07765bf8ee2d0b2233039623016d6dfb610a6d
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls. On macOS hosts, also review ~/.zshenv and /etc/zshenv for unexpected entries, since this campaign uses that file for persistence.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Encourage users to regularly update their systems and install security patches to mitigate vulnerabilities that threat actors may exploit.
- Advocate for the implementation of multi-factor authentication wherever possible to add an extra layer of security, especially for sensitive applications like messaging and financial apps.
- Organizations should conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in their systems and networks.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, harden application code to secure the organization's websites and software, and use testing tools to detect vulnerabilities in deployed code.
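A retrospective sweep of the kind the first two remediation points call for, written as an added example rather than tooling from the advisory's publisher. It loads the domains, IPs and file hashes listed above, matches domains so that a subdomain of a listed domain is also a hit (while a listed subdomain such as meet.selinicapital.online does not cause its parent to match), and runs over log lines. The log lines in SAMPLE_LOGS and their space-separated key=value layout are constructed for the example; only the indicator values come from the page.

```python
"""Match the Hidden Risk IOCs against log lines and file digests.
Added example, not the advisory's own tooling."""
from __future__ import annotations

import hashlib
import re

# Indicators from the advisory above, lowercased for matching.
IOC_DOMAINS = {
    "cmt.ventures", "maelstromfund.org", "meet.selinicapital.online",
    "www.panda95sg.asia", "analysis.arkinvst.com", "appleaccess.pro",
    "atajerefoods.com", "buy2x.com",
}
IOC_IPS = {
    "45.61.140.26", "23.254.253.75", "45.61.128.122", "45.61.135.105",
    "144.172.74.23", "144.172.74.141", "172.86.108.47", "216.107.136.10",
}
IOC_HASHES = {  # MD5, SHA-1 and SHA-256 from the page, all lowercase
    "529fe6eff1cf452680976087e2250c02",
    "7e07765bf8ee2d0b2233039623016d6dfb610a6d",
    "bd2aa5805b76f272b43a595b3d73e29d0fc4647e15e87950b8f904ea26dcf053",
}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def matching_domain(host: str) -> str | None:
    """Return the IOC domain that covers host: an exact match or a parent of it."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line: str) -> list[tuple[str, str, str]]:
    """Return (indicator_type, observed_value, matched_ioc) for each hit in a log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip, ip))
    for host in HOST_RE.findall(line):
        ioc = matching_domain(host)
        if ioc:
            hits.append(("domain", host, ioc))
    for digest in HASH_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.append(("hash", digest, digest.lower()))
    return hits


def scan_lines(lines) -> dict[int, list[tuple[str, str, str]]]:
    """Map 1-based line number -> hits, for lines that had any."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}


def file_hash_hits(data: bytes) -> set[str]:
    """Hash file contents with all three algorithms the page lists and return matches."""
    digests = {hashlib.md5(data).hexdigest(),
               hashlib.sha1(data).hexdigest(),
               hashlib.sha256(data).hexdigest()}
    return digests & IOC_HASHES


# Constructed sample: DNS, proxy and EDR events in an assumed key=value format.
SAMPLE_LOGS = [
    "2024-11-08T09:12:01Z dns client=10.0.4.21 qname=meet.selinicapital.online qtype=A",
    "2024-11-08T09:12:02Z proxy client=10.0.4.21 dst=45.61.140.26:443 host=analysis.arkinvst.com",
    "2024-11-08T09:15:44Z dns client=10.0.4.30 qname=www.google.com qtype=A",
    "2024-11-08T09:20:10Z edr host=mac-finance-07 "
    "sha256=bd2aa5805b76f272b43a595b3d73e29d0fc4647e15e87950b8f904ea26dcf053 "
    "path=/Users/x/Downloads/Hidden Risk Behind New Surge of Bitcoin Price.app",
    "2024-11-08T09:21:00Z dns client=10.0.4.30 qname=cdn.buy2x.com qtype=A",
]

if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_LOGS).items():
        for kind, seen, ioc in hits:
            print(f"line {n}: {kind} {seen} matched IOC {ioc}")
    print("constructed bytes match:", file_hash_hits(b"constructed, not the sample"))
```

Because the page lists `www.panda95sg.asia` and `meet.selinicapital.online` rather than their registrable domains, the matcher deliberately does not treat `panda95sg.asia` or `selinicapital.online` alone as hits; widen the set only once you have confirmed the parent domain is attacker-controlled.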