BlueNoroff Hidden Risk - Threat actor targets Macs with fake crypto news and novel persistence

November 2024 by SentinelLabs

SentinelLabs has observed a suspected North Korean threat actor targeting crypto-related businesses with novel multi-stage malware. It assesses with high confidence that the same actor is responsible for earlier attacks attributed to BlueNoroff and the RustDoor/ThiefBucket and RustBucket campaigns.

Cryptocurrency-related businesses have been targets of North Korean-affiliated threat actors for some time now, with multiple campaigns aiming to steal funds and/or insert backdoor malware into targets.

In October 2024, SentinelLabs observed a phishing attempt on a crypto-related industry that delivered a dropper application and a payload bearing many of the hallmarks of these previous attacks. The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics. SentinelLabs dubbed this campaign ‘Hidden Risk’.

Initial infection is achieved via phishing email containing a link to a malicious application. The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”.

The emails hijack the name of a real person in an unrelated industry as the sender and purport to be forwarding a message from a well-known crypto social media influencer. In the case of the ‘Hidden Risk’ PDF, the threat actors copied a genuine research paper entitled ‘Bitcoin ETF: Opportunities and risk’ by an academic associated with the University of Texas and hosted online by the International Journal of Science and Research Archive (IJSRA).

Unlike earlier campaigns attributed to BlueNoroff, the Hidden Risk campaign uses an unsophisticated phishing email that does not engage the recipient with contextually relevant content, such as references to personal or work-related information.

Also of note is that the sender domain in our observed incident, kalpadvisory[.]com, has been noted for spamming among online communities involved in the Indian stock market.

Conclusion
Over the last 12 months or so, North Korean (DPRK) cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive ‘grooming’ of targets via social media. SentinelLabs observes that the Hidden Risk campaign diverges from this strategy, taking a more traditional and cruder, though not necessarily any less effective, email phishing approach.

Despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident, both in terms of observed malware artifacts and associated network infrastructure.

Researchers might speculate that heightened attention on previous DPRK campaigns could have reduced the effectiveness of earlier ‘social media grooming’ attempts, perhaps as a result of intended targets in DeFi, ETF and other crypto-related industries becoming more wary, but it is equally likely that such state-backed threat actors have sufficient resources to pursue multiple strategies simultaneously.

One factor that is relatively consistent throughout many of these campaigns is that the threat actors are seemingly able to acquire or hijack valid Apple ‘identified developer’ accounts at will, have their malware notarised by Apple, and bypass macOS Gatekeeper and other built-in Apple security technologies. In light of this and the general increase in macOS crimeware observed across the security industry, all macOS users, but particularly those in organisational settings, are encouraged to harden their security and increase their awareness of potential risks.