November 13, 2024

North Korean Hackers Embed Malware in macOS Flutter Apps, Targets Cryptocurrency Users


North Korean Hackers Target macOS with Flutter Malware

In a sophisticated cyber campaign, North Korean hackers have been found targeting macOS systems with malware embedded within Flutter applications, marking a shift in tactics from their usual social engineering ploys to a more technical approach. The discovery, made by Jamf Threat Labs, reveals that the threat actors are using Google's Flutter framework to create deceptive applications that appear legitimate, evading detection and targeting cryptocurrency-related businesses.

The malicious applications, disguised under names like "New Updates in Crypto Exchange" and presented as games or productivity tools, are written in Dart, Flutter's primary language, and compiled into dynamic libraries (dylib files) that the Flutter engine loads at runtime. Because the application logic lives inside these libraries rather than in the main binary, the malicious code is harder to spot and can slip past typical security checks. One notable app, a seemingly harmless Minesweeper game, was found to connect to a server associated with North Korean actors and to execute AppleScript commands received from that server.

The focus on cryptocurrency firms aligns with North Korea's known interest in financial theft, as the applications often lure victims with themes related to cryptocurrencies, Web3, and investments. This campaign, dubbed Hidden Risk by SentinelOne, shares similarities with previous North Korean cyber operations. The goal appears to be stealing cryptocurrency and funding the North Korean regime, with the hackers demonstrating an ability to acquire or hijack valid Apple developer accounts to notarize their malware.

BlueNoroff, a subgroup of the Lazarus Group, is believed to be behind this campaign due to overlaps in infrastructure and techniques. The hackers have employed novel persistence mechanisms, such as modifying the ".zshenv" file in macOS, a startup file that zsh reads on every shell invocation. This helps the malware remain active across reboots and user sessions without triggering the notifications introduced in macOS 13 for other persistence methods such as LaunchAgents.
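As an added defender-side example (not code from the article, Jamf Threat Labs or SentinelOne), the following Python audit reads a zsh startup file and flags lines that run a command instead of setting a variable, the kind of entry that a .zshenv persistence mechanism relies on. The indicator patterns, file paths and sample file content are constructed assumptions for this example.

```python
"""Audit zsh startup files for lines that run a command rather than set a
variable. zsh reads ~/.zshenv on every invocation, interactive or not, so a
command placed there is re-run constantly without the LaunchAgent notices
macOS 13 added. Paths, patterns and the sample file are constructed."""
import re
from typing import List, Tuple

# Startup lines that define rather than execute: comments, aliases, options.
SAFE_PREFIX = re.compile(r"^(#|alias\s|setopt\s|unsetopt\s|typeset\s|umask\s|ulimit\s)")
# VAR=value or export VAR=value; the value part is checked separately.
ASSIGN = re.compile(r"^(export\s+)?[A-Za-z_]\w*=(?P<val>.*)$")
# Command substitution or chaining inside a value means code runs at login.
SUBSHELL = re.compile(r"\$\(|`|;|&&|\|\|")
# Strong hints that the line launches something (assumed indicator list).
EXEC_HINTS = re.compile(
    r"\b(nohup|osascript|curl|wget|open|python3?|perl|bash|zsh|sh)\b"
    r"|/dev/null|&\s*$"
)

def classify(line: str) -> str:
    """Return '' for a benign line, 'exec' for a likely launcher, else 'review'."""
    s = line.strip()
    if not s or SAFE_PREFIX.match(s):
        return ""
    m = ASSIGN.match(s)
    if m and not SUBSHELL.search(m.group("val")):
        return ""
    return "exec" if EXEC_HINTS.search(s) else "review"

def audit_zsh_startup(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, verdict, line) for every non-benign line of a file."""
    return [(n, v, ln) for n, ln in enumerate(text.splitlines(), 1)
            if (v := classify(ln))]

# Constructed sample of a user ~/.zshenv; line 6 is the kind of entry to flag.
CONSTRUCTED_ZSHENV = """# constructed sample, not a real capture
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
alias ll='ls -la'
export BUILD_ID=$(cat "$HOME/.build_id")
nohup "$HOME/Library/Application Support/.update/helper" >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for n, verdict, line in audit_zsh_startup(CONSTRUCTED_ZSHENV):
        print(f"sample:{n} [{verdict}] {line}")
```

On a real host, feed it the contents of ~/.zshenv and /etc/zshenv (and the other zsh startup files) and treat any "exec" verdict as something to investigate, not as proof of compromise.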

Some of these apps were signed and notarized using legitimate Apple developer IDs, enabling them to pass Apple's security checks temporarily. This not only made the apps appear verified but also allowed them to execute without restrictions on macOS systems. Jamf has since found that Apple revoked the signatures, and the campaign appears to be in a testing phase, exploring new methods to bypass macOS security.

To mitigate the risks posed by these sophisticated attacks, users are advised to download apps from the Mac App Store when possible, as apps there undergo security reviews. Additionally, macOS users should ensure their systems and third-party applications are kept up to date to benefit from the latest security patches. Cybersecurity experts also urge users to be vigilant against phishing emails and to practice strong password hygiene, using unique and complex passwords for each site with the help of password managers and enabling Multi-Factor Authentication (MFA) wherever possible.

This new wave of North Korean cyberattacks highlights the ongoing evolution of their tactics, focusing on macOS due to its popularity among cryptocurrency users. The use of Flutter-based malware not only demonstrates their adaptability but also underscores the importance of robust security practices in macOS environments. As these threat actors continue to refine their methods, staying informed and implementing recommended security measures remains critical for protecting against such sophisticated cyber threats.


Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
