North Korean Hackers Deploy Innovative Malware Targeting macOS

Cybersecurity experts have consistently flagged North Korean hackers for their brazen cyber intrusions, primarily aimed at pilfering funds to support state initiatives and evade international sanctions. Recent research conducted by Jamf has unveiled a sophisticated strain of malware linked to these malicious actors. This particular malware was discovered on VirusTotal, a popular service used for scanning files for malicious content; intriguingly, the malware was initially categorized as “clean.” The malicious software comes in three different versions: one developed in Go, another in Python, and a third utilizing Flutter.

Flutter: A Double-Edged Sword for Developers and Cybercriminals

Flutter, an open-source framework created by Google, enables developers to craft applications for multiple platforms—such as iOS and Android—from a single Dart codebase. This cross-platform utility makes Flutter a valuable asset for legitimate developers, but it also serves as an attractive option for cybercriminals. The inherently complex code structure of Flutter can obscure malware, making it challenging for security systems to detect potential threats.

The Disguised Threat: A Cloned Game

The malware operated under the guise of a banal Minesweeper game, which had been cloned from GitHub. Its malicious intent was concealed within a Dynamic Library (dylib) file, which aimed to establish a connection with a command-and-control (C2) server located at mbupdate.linkpc.net. This domain has previous associations with North Korean malware. Fortunately, when the Jamf team investigated, they found that the server was dormant, only returning a “404 Not Found” error—preventing the attack from materializing.

Deceptive Execution and Potential Dangers

One particularly clever aspect of this malware is its ability to execute AppleScript commands that are sent from the C2 server, employing a unique technique of running them in reverse to evade detection. Jamf’s experimentation confirmed the malware’s capability to remotely execute any AppleScript command—including those that could grant hackers extensive control over infected systems if the attack’s execution had proceeded.

Conclusions and Recommendations

This incident appears to be a preliminary test by the hackers, indicating that they are honing their techniques for evading Apple’s security measures. While Flutter itself is not malicious, its design inherently aids in obscuring harmful code, highlighting a troubling trend in which legitimate development tools are being repurposed for malicious objectives. As cybersecurity threats evolve, it remains imperative for users, especially those in enterprise settings, to stay vigilant and adopt best practices for security.

Source & Images