SentinelLabs has revealed a new cyber threat targeting macOS devices, attributed to North Korean hackers. The attack, dubbed NimDoor, uses malware written in the Nim programming language, an uncommon choice that supports its complex hacking methods.
How the Attack is Executed
According to SentinelLabs' report, the NimDoor attack begins by impersonating a trusted contact, leading to a meeting scheduled via Calendly. The victim receives an email suggesting an update for Zoom, which contains a script with malicious code that downloads two macOS binaries and initiates two independent execution chains. The first chain gathers general system information, while the second ensures long-term access for the attacker.
The attack continues with the installation of two Bash scripts: one collects information from popular browsers, and the other extracts encrypted data from Telegram. The stolen data is then sent to a server controlled by the attackers.
Financial Flows
ZachXBT, a known blockchain investigator, has uncovered substantial financial transfers to DPRK developers working on various projects. Since the start of the year, approximately $2.76 million in equivalent USDC has been sent to addresses linked to these workers. Some of these addresses may be associated with a suspected individual blacklisted by Tether in 2023. Zach cautions that the presence of North Korean IT workers may indicate potential risks for startups.
Conclusion
The NimDoor attack highlights the growing threats to macOS devices, particularly in the context of Web3 and crypto projects. The sophistication of the attack techniques and the scale of the related financial flows make this a significant concern for user security. Experts urge organizations to pay attention to the risks of inadvertently hiring IT workers from North Korea.
The new research from SentinelLabs sheds light on the intricate and dangerous attacks that threaten the security of businesses and users in today's digital ecosystem.