1inch-analysis.app — A DPRK Trojan Horse

2025-03-27, pcaversaccio
https://hackmd.io/@pcaversaccio/1inch-analysis-app-a-dprk-trojan-horse
#CitrineSleet

# `1inch-analysis.app` — A DPRK Trojan Horse
> [!IMPORTANT]
> This analysis is based on the information available at the time of the investigation. Unfortunately, the original payload URLs were removed before the primary analysis. Therefore, a direct inspection of the actual malicious files was not possible. Hence, the analysis may be incomplete due to missing information about the payload.
This analysis delves into the malicious DPRK-built macOS application bundle, `1inch-analysis.app`, which [targeted Anton Bukov](https://x.com/k06a/status/1904884377357627621) from 1inch. The attack was executed by the fake security researcher [Nick L. Franklin](https://x.com/tanuki42_/status/1905003045433290940). This incident, which is part of a broader deception and exploitation attempt, can be attributed with high confidence to the [AppleJeus/Citrine Sleet/UNC4736](https://github.com/tayvano/lazarus-bluenoroff-research#-applejeus--citrine-sleet) DPRK team.
**Always be paranoid!**
### Directory Structure of `1inch-analysis.app`
```ml
1inch-analysis.app
└── Contents
    ├── Info.plist
    ├── PkgInfo
    ├── MacOS
    │   └── ShelfAI (* this binary interacts with `main.jsbundle` *)
    ├── Resources
    │   ├── AppIcon.icns
    │   ├── Assets.car
    │   ├── main.jsbundle (* this file will become important! *)
    │   ├── main.txt
    │   ├── ShelfAI.entitlements
    │   ├── AccessibilityResources.bundle
    │   │   …
```

### IoC

BACC6033221E91E5F14585574E8AABC0
C6777D3FEE8540002B9CF4C1DF8B809FD5C316B7FF7805D3F41BD7DE73147F0D
9D116E406F081C0FC6B1CF2C5F1A993CE2981032
c6777d3fee8540002b9cf4c1df8b809fd5c316b7ff7805d3f41bd7de73147f0d
EE42E36FC2A430E6B254FD7D6C98929DF753BF4B3D10E5EDF8BB322BCDA399F7
563A67F8BB12F1BCE73B550B0D89EA647830528D
ee42e36fc2a430e6b254fd7d6c98929df753bf4b3d10e5edf8bb322bcda399f7
F67AE16FA55346F5F0114EC7471C63A9
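The IoC list above is a bare set of digests of mixed length, and the directory listing names the two files that matter (`ShelfAI` and `main.jsbundle`). The following script is an added example for defenders, not code from the original write-up: it walks an `.app` bundle on disk, hashes every regular file, and reports any file whose digest matches the list, plus any file carrying one of the names of interest even when its hash does not match (a rebuilt or re-signed bundle would change the hashes but rarely the layout). Two assumptions are made here: the algorithm for each IoC is inferred from its hex length (32 = MD5, 40 = SHA-1, 64 = SHA-256), which the page does not state, and the `demo_constructed_bundle` helper builds a throwaway sample bundle with constructed contents purely so the scanner can be exercised offline.

```python
"""Match a macOS .app bundle on disk against the IoC digests listed above."""
import hashlib
import tempfile
from pathlib import Path

# IoC digests copied verbatim from the page (mixed MD5 / SHA-1 / SHA-256,
# some listed twice in different case).
PAGE_IOCS = [
    "BACC6033221E91E5F14585574E8AABC0",
    "C6777D3FEE8540002B9CF4C1DF8B809FD5C316B7FF7805D3F41BD7DE73147F0D",
    "9D116E406F081C0FC6B1CF2C5F1A993CE2981032",
    "c6777d3fee8540002b9cf4c1df8b809fd5c316b7ff7805d3f41bd7de73147f0d",
    "EE42E36FC2A430E6B254FD7D6C98929DF753BF4B3D10E5EDF8BB322BCDA399F7",
    "563A67F8BB12F1BCE73B550B0D89EA647830528D",
    "ee42e36fc2a430e6b254fd7d6c98929df753bf4b3d10e5edf8bb322bcda399f7",
    "F67AE16FA55346F5F0114EC7471C63A9",
]

# File names the directory listing singles out; reported even without a hash hit.
FILES_OF_INTEREST = {"ShelfAI", "main.jsbundle"}

# ASSUMPTION: algorithm inferred from hex digest length; the page does not label them.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def normalize_iocs(iocs):
    """Lowercase and de-duplicate digests, grouped by inferred algorithm.
    Entries of unrecognised length or with non-hex characters are dropped."""
    grouped = {name: set() for name in ALGO_BY_LEN.values()}
    for raw in iocs:
        digest = raw.strip().lower()
        algo = ALGO_BY_LEN.get(len(digest))
        if algo and set(digest) <= HEX:
            grouped[algo].add(digest)
    return grouped


def hash_file(path, algos, chunk=1 << 20):
    """Compute all requested digests of one file in a single streaming pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_bundle(bundle_dir, iocs=PAGE_IOCS):
    """Walk an .app bundle and return a list of findings.
    Each finding is {"path", "reason" ("ioc" or "name"), "algos", "sha256"}."""
    bundle_dir = Path(bundle_dir)
    grouped = normalize_iocs(iocs)
    findings = []
    for path in sorted(bundle_dir.rglob("*")):
        # Skip directories and symlinks; a symlink could point outside the bundle.
        if path.is_symlink() or not path.is_file():
            continue
        digests = hash_file(path, grouped.keys())
        hits = [a for a, d in digests.items() if d in grouped[a]]
        rel = str(path.relative_to(bundle_dir))
        if hits:
            findings.append({"path": rel, "reason": "ioc",
                             "algos": hits, "sha256": digests["sha256"]})
        elif path.name in FILES_OF_INTEREST:
            findings.append({"path": rel, "reason": "name",
                             "algos": [], "sha256": digests["sha256"]})
    return findings


def demo_constructed_bundle():
    """Build a throwaway bundle with CONSTRUCTED contents and scan it.
    The 'benign.txt' file is deliberately added to the IoC list by its own
    SHA-256 so that the hash-match path is exercised; 'main.jsbundle' has
    constructed contents so it only triggers the name-match path."""
    with tempfile.TemporaryDirectory() as tmp:
        res = Path(tmp) / "Contents" / "Resources"
        res.mkdir(parents=True)
        (res / "main.jsbundle").write_bytes(b"constructed placeholder bundle")
        (res / "benign.txt").write_bytes(b"constructed benign contents")
        extra = hashlib.sha256(b"constructed benign contents").hexdigest().upper()
        return scan_bundle(tmp, iocs=PAGE_IOCS + [extra])


if __name__ == "__main__":
    for finding in demo_constructed_bundle():
        print(f"{finding['reason']:4} {finding['path']}  sha256={finding['sha256']}")
```

Run it against a real bundle with `scan_bundle("/path/to/1inch-analysis.app")`; a `name` finding on a bundle whose hashes no longer match is the signal to pull the file for manual review rather than to clear it.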