North Korean Hacker Attack: Disguising Work Finders To Target Mac Users With Malware

Security researchers have identified state-sponsored hackers from North Korea (DPRK) efforts to target Mac users with information-stealing malware through compromised meeting applications.

Once infected, the malware will build a connection between the Mac and the attacker's command and control server (C2) to extract sensitive data such as iCloud Keychain credentials. The malware also secretly installs AnyDesk remote desktop apps and keylogging software in the background to take over the engine and collect keystrokes.

Malware, a new variant of a strain known as BeaverTail, was first reported by MalwareHunterTeam via a post on X. AlthoughEARsTail was previously a JavaScript-based information thief discovered in 2023, now this malware appears to have been changed to target Mac users with a malicious disk image titled MicroTalk.dmg

Security researchers and author Patrick Wardle analyzed this malware in a fairly comprehensive blog post on Objective-See. Wardle found that hackers most likely disguised themselves as job seekers. They deceived victims into downloading what appeared to be MiroTalk's official video conferencing platform, according to the disk image file name MicroTalk.dmg, but it is actually a clone containing hidden malware.

This isn't the first time a report has been about North Korean hackers posing as job seekers to target victims. Unit42 Palo Alto Network recently reported a similar story entitled: "Hacking Employers and Looking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors."

According to Wardle's analysis, the MicroTalk clone containing the malware is not signed or has not been registered with Apple by the identified developer, so macOS Gatekeeper will prevent the app from running. However, users can overcome the block by clicking right and selecting "Open" from the shortcut menu.

Once infected, the malware communicates with the C2 server to download and extract data, including iCloud KeyChain credentials and the popular cryptocurrency wallet browser extension ID, which can be used to steal personal keys and mnemonic phrases.

The most elusive is that when malware was discovered last week, the malware could pass antiviral scanners such as the Total Virus undetected. Cybercriminals will upload their execution files on platforms like the Total Virus to ensure dangerous aspects are well hidden so they are not detected by popular scanners. The shortfall is that "good" parties can also see them.

"Specifically from the symbol output, we see the name of the method (fileUpload, pDownFininised, run) which reveals the exfiltration and download & run capabilities," according to the Objective-See blog post.

"And from the embedded string, we view a large likelihood command & control server address, 95,164.17.24:1224 and also clues about the type of information malware collects for the exfiltration. In particular, the browser extension ID of the popular cryptocurrency wallet, user browser data line, and macOS keychain. Other strings are related to downloads and executions of additional payloads that appear to be malicious python scripts."

This possibility is the work of BlueNoroff, a subgroup of the country's famous cybercrime company Lazarus Group. There are several typical cases of BlueNoroff that often contact potential victims under the guise of investors or company job seekers. If it looks like a duck, swims like a duck, and sounds like a duck, then most likely it is a duck.