JAMF, a software developer for mobile devices, discovered a new hacker activity. North Korean attackers introduced malicious software in the MacOS applications created using a set of open source tools.
The malicious code was found at the end of October on the Virustotal platform – a popular online tool for file analysis. It is noteworthy that despite the malicious nature of the code, the scanning system defined samples as safe.
Researchers Jamf revealed three versions of harmful software. Two were written in the programming languages Golang and Python, the third on Flutter, a framework, which by default makes the analysis of the code. According to researchers, techniques and domains associated with harmful software have characteristic signs of North Korean hacker attacks. North Korean cyber operations are usually motivated by financial benefits. The discovered campaigns were sent to penetrate the cryptocurrency sector and used infrastructure similar to the one used by the North Korean group Lazarus.
Flutter is a framework with Google’s open source code to create applications under iOS, Android, Linux, MacOS, Windows, and web. Flutter architecture significantly complicates the reverse code analysis. According to JAMF experts, such a feature is not harmful but simplifies the masking of malicious code.
It has not yet been established whether the malicious software has been used in real attacks or to test new methods. At the same time, the code turned out to be complicated enough to bypass the Apple security system that checks the MacOS applications for the presence of malicious software.
Experts found malicious code in the clone of the popular game “Sapere,” copied from the GitHub repository. When starting, the program sent a request to the malicious domain, which was supposed to activate the next phase of the attack. However, by the time of detection, the domain no longer functioned, returning the error 404.
ELASTIC previously reported the use of the same domain in attacks on the MacOS device of blockchain specialists. Communication with North Korea is also confirmed by the fact that the name of the file is found in the GO version of the file, identical to the Sentinelone detected by researchers in another operation against MacOS.