Jamf Tears Off Masks: DPRK Hackers Caught Developing Mac Virus

Man

The attackers found a loophole in open-source frameworks.

Jamf, a developer of mobile device management software, has discovered new hacker activity. North Korean attackers injected malware into macOS applications built using an open-source toolkit.

The malicious code was found in late October on the VirusTotal platform, a popular online tool for analyzing files. Notably, despite the malicious nature of the code, the scanning system determined the samples to be safe.

Jamf researchers have identified three versions of the malware. Two are written in the Golang and Python programming languages, and the third is written in Flutter, a framework that makes code analysis difficult by default. According to the researchers, the techniques and domains associated with the malware have characteristic signs of North Korean hacker attacks. North Korean cyber operations are usually motivated by financial gain. The detected campaigns were aimed at penetrating the cryptocurrency sector and used infrastructure similar to that used by the North Korean group Lazarus.

Flutter is an open-source framework from Google for building apps for iOS, Android, Linux, macOS, Windows, and the web. Flutter's architecture makes reverse engineering much more difficult. According to Jamf experts, this feature is not malicious, but it simplifies the masking of malicious code.

It has not yet been established whether the malware was used in real attacks or to test new methods. At the same time, the code turned out to be sophisticated enough to bypass Apple's security system, which checks macOS applications for malware.

Experts have found malicious code in a clone of the popular game "Minesweeper", copied from a GitHub repository. When launched, the application sent a request to a malicious domain that was supposed to trigger the next phase of the attack. However, by the time it was discovered, the domain was no longer functional, returning a 404 error.

Previously, Elastic reported that the same domain had been used in attacks on the macOS devices of blockchain specialists. The connection to North Korea is also confirmed by the fact that the Go version of the malware used a file name identical to one found by SentinelOne researchers in another operation against macOS.
