lazarusholic

North Korean Threat Actors Deploy Hidden Risk Malware on macOS to Target Crypto Firms – Active IOCs

2024-11-08, Rewterz
https://www.rewterz.com/threat-advisory/north-korean-threat-actors-deploy-hidden-risk-malware-on-macos-to-target-crypto-firms-active-iocs
#BlueNoroff #HiddenRisk

Severity
High
Analysis Summary
The Hidden Risk campaign, attributed to the North Korean threat actor BlueNoroff (also tracked as APT38), targets cryptocurrency businesses with multi-stage malware that infects Apple macOS devices.
The operation relies on social engineering: the attackers impersonate news reports about cryptocurrency trends to lure victims into opening a malicious application disguised as a PDF file. Once launched, the application downloads a decoy PDF from Google Drive and retrieves a backdoor that gives the attackers remote access. The malware uses a novel persistence mechanism: it writes to the user's ~/.zshenv file, which zsh reads at the start of every shell, instead of installing a LaunchAgent or login item, and so avoids the background item notifications Apple introduced in macOS 13 Ventura.
The campaign demonstrates the adaptability of North Korean actors. The attackers use email phishing with fake cryptocurrency news headlines and exploit …
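As an added example, not code from the advisory or from the researchers, the script below audits a user's zsh startup files for loader lines of the kind this persistence technique needs. The detection rules and the sample .zshenv content are this example's own assumptions; they are not indicators published in the advisory and the sample is not the actual line the malware writes.

```python
"""Heuristic audit of zsh startup files for loader lines of the kind the
advisory describes. Added example; the rules and the sample are assumptions."""
import re
from pathlib import Path

# zsh reads ~/.zshenv for every zsh process, interactive or not, so a line
# placed there runs constantly without creating a LaunchAgent or login item,
# which is what Ventura's "Background Items Added" notification covers.
ZSH_STARTUP_FILES = (".zshenv", ".zprofile", ".zshrc", ".zlogin")

# (label, regex). Any hit deserves a look; fetch_and_execute or decode_and_eval
# together with background_run on one line is a strong signal.
RULES = (
    ("fetch_and_execute", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sh|zsh|bash)\b")),
    ("remote_fetch", re.compile(r"\b(curl|wget)\b.*https?://")),
    ("decode_and_eval", re.compile(r"\b(base64\s+(-d|--decode|-D)|xxd\s+-r|eval)\b")),
    ("background_run", re.compile(r"\bnohup\b|\bdisown\b|&\s*(#.*)?$")),
    # a hidden file inside a hidden directory (~/.x/.y); legitimate dotfiles are one level deep
    ("hidden_nested_path", re.compile(r"(?:~|\$HOME|/Users/\w+)(?:/\.[^\s/;]+){2,}")),
    ("tmp_execution", re.compile(r"(?:^|[\s;&|])/(?:private/)?tmp/\S+")),
    ("apple_scripting", re.compile(r"\bosascript\b")),
)


def audit_startup_text(text, name="<text>"):
    """Return one finding per non-comment line that matches at least one rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        labels = [label for label, rx in RULES if rx.search(line)]
        if labels:
            findings.append({"file": name, "line": lineno, "labels": labels, "text": line})
    return findings


def audit_home(home=None):
    """Audit every zsh startup file that exists in the given (default: current) home."""
    home = Path(home) if home else Path.home()
    findings = []
    for name in ZSH_STARTUP_FILES:
        path = home / name
        if path.is_file():
            findings.extend(audit_startup_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample; the last line is an assumed shape, not the real loader.
SAMPLE_ZSHENV = """\
# benign: common developer tooling
export PATH="$HOME/.cargo/bin:$PATH"
[ -s "$HOME/.nvm/nvm.sh" ] && . "$HOME/.nvm/nvm.sh"
# suspicious: runs a hidden file in a hidden directory, detached from the shell
if [ -f ~/.config/.zsh_init ]; then nohup zsh ~/.config/.zsh_init >/dev/null 2>&1 & fi
"""

if __name__ == "__main__":
    for f in audit_startup_text(SAMPLE_ZSHENV, "sample") + audit_home():
        print(f"{f['file']}:{f['line']} {','.join(f['labels'])}: {f['text']}")
```

The rules are deliberately narrow: sourcing a single-level dotfile such as ~/.nvm/nvm.sh is normal on a developer Mac and is not flagged, while a hidden file nested under a hidden directory, a download piped to a shell, or a detached `nohup` launch from a startup file is rare enough to warrant a look. Treat hits as leads to review by hand, not as verdicts.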

IoC

IP addresses
144.172.74.141
144.172.74.23
45.61.128.122
45.61.135.105
45.61.140.26
172.86.108.47
23.254.253.75
216.107.136.10

File hashes
SHA-256: bd2aa5805b76f272b43a595b3d73e29d0fc4647e15e87950b8f904ea26dcf053
SHA-1: 7e07765bf8ee2d0b2233039623016d6dfb610a6d
MD5: 529fe6eff1cf452680976087e2250c02
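An added example, not part of the advisory, that sorts the indicators above by type and sweeps a connection log and file digests against them. The log lines and the byte blobs are constructed for the example; the indicator list itself is the one published on this page.

```python
"""Sort the advisory's indicators by type and sweep a connection log and
file digests against them. Added example; log lines and blobs are constructed."""
import hashlib
import ipaddress
import re
from pathlib import Path

# The indicators published in the advisory, one per line.
IOC_TEXT = """
144.172.74.141
7e07765bf8ee2d0b2233039623016d6dfb610a6d
45.61.128.122
45.61.140.26
172.86.108.47
bd2aa5805b76f272b43a595b3d73e29d0fc4647e15e87950b8f904ea26dcf053
529fe6eff1cf452680976087e2250c02
144.172.74.23
45.61.135.105
23.254.253.75
216.107.136.10
"""

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_ioc(token):
    """Return 'ipv4', 'md5', 'sha1', 'sha256' or None for an unrecognised token."""
    token = token.strip()
    try:
        ipaddress.IPv4Address(token)  # rejects 999.1.1.1, which a bare regex would accept
        return "ipv4"
    except ipaddress.AddressValueError:
        pass
    if HEX_RE.match(token) and len(token) in HASH_KINDS:
        return HASH_KINDS[len(token)]
    return None


def load_iocs(text):
    iocs = {"ipv4": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for line in text.splitlines():
        kind = classify_ioc(line)
        if kind:
            iocs[kind].add(line.strip().lower())
    return iocs


def digest_chunks(chunks):
    """All three digest types in one pass, so a large file is read only once."""
    digests = {k: hashlib.new(k) for k in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {k: d.hexdigest() for k, d in digests.items()}


def match_digests(label, digests, iocs):
    return [(label, kind, value) for kind, value in digests.items() if value in iocs[kind]]


def match_blobs(blobs, iocs):
    """blobs: {name: bytes}. Returns (name, kind, digest) for every listed hash."""
    hits = []
    for name, data in blobs.items():
        hits.extend(match_digests(name, digest_chunks([data]), iocs))
    return hits


def match_files(paths, iocs):
    hits = []
    for p in paths:
        with Path(p).open("rb") as fh:
            hits.extend(match_digests(str(p), digest_chunks(iter(lambda: fh.read(1 << 20), b"")), iocs))
    return hits


def scan_connection_log(lines, iocs):
    """Return (line_no, ip, line) for each line that mentions a listed IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ipv4"]:
                hits.append((n, ip, line.strip()))
    return hits


# Constructed log lines in a netstat-like shape, not real telemetry.
SAMPLE_LOG = [
    "2024-11-08T09:14:02Z host1 proc=Safari dst=17.253.144.10:443 state=ESTABLISHED",
    "2024-11-08T09:14:07Z host1 proc=curl dst=45.61.128.122:443 state=ESTABLISHED",
    "2024-11-08T09:14:09Z host1 proc=mDNSResponder dst=224.0.0.251:5353 state=UDP",
]

if __name__ == "__main__":
    import sys
    iocs = load_iocs(IOC_TEXT)
    for hit in scan_connection_log(SAMPLE_LOG, iocs):
        print("network hit:", hit)
    for hit in match_files(sys.argv[1:], iocs):  # files to hash are passed on the command line
        print("file hit:", hit)
```

Classifying by digest length matters here because the advisory lists one SHA-256, one SHA-1 and one MD5 without saying which is which; hashing each file with all three algorithms in a single pass lets any of them match without guessing. IP validation goes through `ipaddress` rather than the regex alone so that malformed tokens in a pasted list are dropped instead of silently becoming dead indicators.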