North Korean Hackers Target Mac Users With Infected Crypto Apps
JAKARTA Cybersecurity researchers have uncovered a new strategy by North Korean hackers targeting macOS users through malware-infected crypto apps. The latest report from Jamf Threat Labs reveals that the hackers used Flutter, a popular application development tool, to hide malicious code in macOS apps that appear harmless.
In its investigation, Jamf Threat Labs found that the hackers disguised the malware as an app that looked like a simple game called New Updates in Crypto Exchange. To trick users, the app was built with Flutter, a tool that lets developers create cross-platform applications. However, Flutter's unusual app structure also lets attackers hide malicious code that is difficult to detect.
In this app, the malicious code is stored in a dylib (dynamic library), which is then loaded by the Flutter engine when the app runs. This unusual code structure makes the malware hard for standard security tools to detect and lets the app pass through several layers of security checks.
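The dylib-in-bundle structure described above is something a defender can inventory directly. The following Python script is an added example, not code from Jamf Threat Labs or from this article: it walks a .app bundle, parses each Mach-O header with a minimal parser, lists the libraries each image links and its runtime search paths, flags linkage that resolves outside the bundle and the system library directories, and, on macOS only, asks codesign whether the image's signature verifies. The bundle layout, file names and library paths in the demo are constructed; the `Sample.app` name and the helper functions are hypothetical.

```python
"""Inventory the Mach-O images inside a macOS .app bundle.

Added example, not code from the Jamf report or the article. The parser is
pure Python and runs anywhere on constructed data; only the codesign check
needs macOS.
"""
import os
import struct
import subprocess
import sys
import tempfile

MH_MAGIC = 0xFEEDFACE      # 32-bit, little-endian
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit, little-endian
FAT_MAGIC = 0xCAFEBABE     # universal binary (big-endian header)
FILETYPES = {1: "object", 2: "executable", 6: "dylib", 7: "dylinker", 8: "bundle"}
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_RPATH = 0x0C, 0x80000018, 0x8000001F, 0x8000001C
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
# Assumption: link targets under these prefixes are the normal case for a signed bundle.
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/", "@rpath/", "@executable_path/", "@loader_path/")


def parse_macho(data):
    """Return {'filetype', 'dylibs', 'rpaths'} for a thin little-endian Mach-O, else None."""
    magic = struct.unpack_from("<I", data, 0)[0] if len(data) >= 4 else None
    fmt = {MH_MAGIC_64: "<IiiIIIII", MH_MAGIC: "<IiiIIII"}.get(magic)  # 64-bit adds a reserved word
    if fmt is None or len(data) < struct.calcsize(fmt):
        return None                      # fat, big-endian or truncated: out of scope here
    header = struct.unpack_from(fmt, data, 0)
    filetype, ncmds, sizeofcmds = header[3], header[4], header[5]
    off = struct.calcsize(fmt)
    end = min(len(data), off + sizeofcmds)
    dylibs, rpaths = [], []
    for _ in range(ncmds):
        if off + 8 > end:
            break
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            break                        # malformed command table: stop instead of reading past it
        if cmd in DYLIB_CMDS or cmd == LC_RPATH:
            # dylib_command and rpath_command both store an lc_str offset at +8
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize] if name_off < cmdsize else b""
            (rpaths if cmd == LC_RPATH else dylibs).append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return {"filetype": FILETYPES.get(filetype, "unknown(%d)" % filetype), "dylibs": dylibs, "rpaths": rpaths}


def codesign_ok(path):
    """True/False from `codesign --verify --strict` on macOS; None elsewhere, where it cannot run."""
    if sys.platform != "darwin":
        return None
    return subprocess.run(["codesign", "--verify", "--strict", path], capture_output=True).returncode == 0


def inventory_bundle(bundle_dir):
    """Describe every Mach-O image found under the bundle directory."""
    images = []
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            info = parse_macho(data)
            if info is None:
                if len(data) >= 4 and struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
                    info = {"filetype": "fat", "dylibs": [], "rpaths": []}
                else:
                    continue             # plist, icon or other non-code resource
            info["path"] = os.path.relpath(path, bundle_dir)
            info["signed_ok"] = codesign_ok(path)
            images.append(info)
    return sorted(images, key=lambda i: i["path"])


def findings(images):
    """Heuristic red flags: link targets or rpaths outside trusted locations, or a failed signature."""
    out = []
    for img in images:
        out += ["%s links %s from an untrusted location" % (img["path"], lib)
                for lib in img["dylibs"] if not lib.startswith(TRUSTED_PREFIXES)]
        out += ["%s has an absolute rpath %s" % (img["path"], rp)
                for rp in img["rpaths"] if not rp.startswith(("@executable_path/", "@loader_path/"))]
        if img["signed_ok"] is False:
            out.append("%s fails codesign verification" % img["path"])
    return out


def _string_command(cmd, trailing, name):
    """Encode a load command whose payload is an lc_str (dylib_command or rpath_command)."""
    str_off = 12 + len(trailing)
    body = name.encode() + b"\0"
    total = str_off + len(body)
    total += -total % 8                  # load commands are 8-byte aligned
    return struct.pack("<III", cmd, total, str_off) + trailing + body.ljust(total - str_off, b"\0")


def build_sample_dylib(dylibs, rpaths=()):
    """Construct a minimal arm64 MH_DYLIB carrying only link commands (test data, not a real library)."""
    cmds = b"".join(_string_command(LC_LOAD_DYLIB, struct.pack("<III", 0, 0x10000, 0x10000), d) for d in dylibs)
    cmds += b"".join(_string_command(LC_RPATH, b"", r) for r in rpaths)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 6, len(dylibs) + len(rpaths), len(cmds), 0, 0) + cmds


def run_demo():
    """Build a constructed bundle in a temp dir, inventory it, and return (images, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "Sample.app")                     # hypothetical bundle name
        lib_dir = os.path.join(app, "Contents", "Frameworks", "App.framework", "Versions", "A")
        os.makedirs(lib_dir)
        with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
            fh.write(b'<?xml version="1.0"?><plist/>')
        with open(os.path.join(lib_dir, "App"), "wb") as fh:     # constructed stand-in for the Dart image
            fh.write(build_sample_dylib(
                ["@rpath/FlutterMacOS.framework/Versions/A/FlutterMacOS", "/usr/lib/libSystem.B.dylib",
                 "/Users/Shared/helper.dylib"],                   # constructed: odd absolute path to flag
                ["@executable_path/../Frameworks", "/tmp"]))       # constructed: world-writable rpath to flag
        images = inventory_bundle(app)
        return images, findings(images)


if __name__ == "__main__":
    imgs, flags = (inventory_bundle(sys.argv[1]), None) if len(sys.argv) > 1 else run_demo()
    for img in imgs:
        print(img["path"], img["filetype"], "signed_ok=%s" % img["signed_ok"], "links:", ", ".join(img["dylibs"]))
    for line in (flags if flags is not None else findings(imgs)):
        print("FLAG:", line)
```

Run it with a bundle path to inventory a real app, or with no argument to see it against the constructed sample. The link-path heuristic is deliberately simple: Flutter apps legitimately link FlutterMacOS through @rpath, so the flags are a starting point for review rather than a verdict, and the codesign result is the check that actually matters on a Mac.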
Malware Variants in Multiple Programming Languages
In addition to the Flutter-based app, the North Korean hackers also developed two other malware variants, written in Go and Python. All three variants use the same method: connecting to external servers believed to be managed by North Korea. Once connected, the server sends additional commands that let the hackers remotely control the victim's device.
The Python-based variant, for example, poses as a simple notepad app. It connects to domains associated with North Korean cyber activity, allowing the hackers to download and execute malicious scripts on the victim's device. One of the malicious scripts is even written in reverse to evade security detection.
One of the biggest threats from this malware is its use of AppleScript, an automation tool in macOS, which lets the hackers execute commands remotely. The malware can take control of the victim's device, including accessing sensitive data, installing additional malicious software, and recording user activity.
AppleScript's ability to control tasks on the device makes this technique dangerous, especially since scripts can manipulate the device without the user's knowledge.
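The AppleScript abuse described above leaves a process-level trace: a third-party app spawning osascript. As an added example, not from this article or Jamf's report, the Python script below applies a simple rule to constructed process-execution records of the kind an EDR or macOS Endpoint Security client emits, flagging osascript launched by an app bundle and rating the finding high when the inline script uses `do shell script` to reach the shell. The record format, the allowlist of benign parents and the sample app name are assumptions.

```python
"""Flag AppleScript execution that does not look like a user running a script.

Added example, not from the article or the Jamf report. The records below are
constructed; the field names mirror what process-exec telemetry typically gives.
"""
import os
import shlex

# Assumption: parents that legitimately drive osascript during normal use; tune per fleet.
BENIGN_PARENT_PREFIXES = (
    "/System/Applications/Utilities/Terminal.app/",
    "/System/Applications/Utilities/Script Editor.app/",
    "/System/Applications/Automator.app/",
    "/bin/", "/usr/bin/",
)
SHELL_BRIDGE = "do shell script"   # the AppleScript phrase that hands a command to /bin/sh


def inline_script(args):
    """Join every `-e` argument, which is how osascript takes a script on the command line."""
    parts = []
    for i, a in enumerate(args[1:], start=1):
        if a == "-e" and i + 1 < len(args):
            parts.append(args[i + 1])
    return "\n".join(parts)


def assess(event):
    """Return None for a benign event, else {'pid', 'severity', 'reason'}."""
    if os.path.basename(event["exe"]) != "osascript":
        return None
    parent = event["parent_exe"]
    if parent.startswith(BENIGN_PARENT_PREFIXES):
        return None
    if SHELL_BRIDGE in inline_script(event["args"]).lower():
        return {"pid": event["pid"], "severity": "high",
                "reason": "osascript spawned by %s runs a shell command via '%s'" % (parent, SHELL_BRIDGE)}
    if ".app/" in parent:
        return {"pid": event["pid"], "severity": "medium",
                "reason": "osascript spawned by third-party app %s" % parent}
    return {"pid": event["pid"], "severity": "low", "reason": "osascript spawned by unusual parent %s" % parent}


def scan(events):
    """Apply assess() to a batch of records and keep only the findings."""
    return [r for r in (assess(e) for e in events) if r]


# Constructed sample records; "Sample Game.app" is a hypothetical bundle name.
SAMPLE_EVENTS = [
    {"pid": 501, "exe": "/usr/bin/osascript",
     "args": shlex.split("osascript -e 'display notification \"build done\"'"),
     "parent_exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 502, "exe": "/usr/bin/osascript",
     "args": shlex.split("osascript -e 'do shell script \"id\"'"),
     "parent_exe": "/Applications/Sample Game.app/Contents/MacOS/Sample Game"},
    {"pid": 503, "exe": "/usr/bin/osascript",
     "args": ["osascript", "/Applications/Sample Game.app/Contents/Resources/tick.scpt"],
     "parent_exe": "/Applications/Sample Game.app/Contents/MacOS/Sample Game"},
    {"pid": 504, "exe": "/usr/bin/python3", "args": ["python3", "notes.py"], "parent_exe": "/usr/bin/python3"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("[%s] pid %d: %s" % (finding["severity"].upper(), finding["pid"], finding["reason"]))
```

The rule only sees the inline script, so a script passed as a file (pid 503) is rated medium on parentage alone; a fuller detector would also read the .scpt and watch for a `sh` child of osascript, which is where the AppleScript-to-shell hop shows up in process telemetry.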
The researchers said that, so far, there is no indication this app has been used in direct attacks on users. However, given North Korea's history of frequently targeting the financial sector, crypto-related apps appear to be likely targets.
Here are some suggested preventive measures to protect yourself from this malware threat:
Download apps from the Mac App Store or trusted developers. The Mac App Store has a strict security review process, making it safer than downloading apps from unknown sources. If possible, download apps only from the Mac App Store or from developers identified by Apple.
Enable macOS's default security settings. By default, macOS only allows apps from the Mac App Store and identified developers. Users can check this setting in the Privacy & Security section of System Settings.
Update macOS and apps regularly. Apple regularly releases security updates for macOS and its official apps. By updating regularly, users protect themselves from new vulnerabilities that hackers might exploit.
Be careful with crypto-related apps. Apps that promise quick profits or look too good to be true often carry hidden risks. Check the app's reputation and user reviews before downloading.
The threat of cyberattacks from North Korea is a warning to all Apple device users to be more careful with the apps they download, especially in the financial and crypto sectors, which are frequent targets of global hacking.