North Korean hackers create Flutter apps to bypass macOS security

BLEEPING COMPUTER | Published November 13, 2024

North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.

This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.

The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.

According to Jamf Threat Labs, which discovered the activity, the campaign appears more like an experiment in bypassing macOS security than a fully fledged, highly targeted operation.

Notarized apps connecting to DPRK servers

Starting in November 2024, Jamf discovered multiple apps on VirusTotal that appeared completely innocuous to all AV scans yet showcased “stage one” functionality, connecting to servers associated with North Korean actors.

All apps were built for macOS using Google’s Flutter framework, which enables developers to create natively compiled apps for different operating systems using a single codebase written in the Dart programming language.

“It is not unheard of for actors to embed malware within a Flutter based application, however, this is the first we’ve seen of this attacker using it to go after macOS devices,” explain Jamf researchers Ferdous Saljooki and Jaron Bradley.
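A defender-side triage helper, added here as an example and not code from Jamf or either article: it reports an app bundle's signing authority chain and Team ID, the Gatekeeper verdict and notarization source, and whether the Flutter runtime frameworks are present, so that a notarized Flutter app can still be pulled aside for review. The framework layout, the placeholder Team ID and the sample tool output are assumptions constructed for the example.

```python
"""Triage a macOS app bundle: signing identity, Gatekeeper/notarization verdict, Flutter markers."""
import re
import subprocess
from pathlib import Path

# Frameworks a Flutter-built macOS app ships under Contents/Frameworks (assumed layout).
FLUTTER_MARKERS = ("FlutterMacOS.framework", "App.framework")


def flutter_markers(bundle: str) -> list:
    """Names of Flutter runtime frameworks present in the bundle (empty if none)."""
    fw = Path(bundle) / "Contents" / "Frameworks"
    return [m for m in FLUTTER_MARKERS if (fw / m).exists()]


def parse_codesign(output: str) -> dict:
    """Extract the Authority chain and TeamIdentifier from `codesign -dv --verbose=4` output."""
    team = re.search(r"^TeamIdentifier=(.+)$", output, re.M)
    team_id = team.group(1).strip() if team else None
    return {
        "team_id": None if team_id in (None, "not set") else team_id,
        "authority": re.findall(r"^Authority=(.+)$", output, re.M),
    }


def parse_spctl(output: str) -> dict:
    """Interpret `spctl --assess --type execute -vv` output: accepted by Gatekeeper? notarized?"""
    source = re.search(r"^source=(.+)$", output, re.M)
    src = source.group(1).strip() if source else ""
    return {"accepted": ": accepted" in output, "notarized": src.startswith("Notarized"), "source": src}


def triage(bundle: str) -> dict:
    """Run the macOS tools (present only on macOS) and merge with the Flutter check.
    A 'notarized' verdict means Apple's scan passed, not that the app is benign."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", bundle], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", bundle],
                        capture_output=True, text=True)
    report = {**parse_codesign(cs.stderr), **parse_spctl(sp.stdout + sp.stderr)}
    report["flutter"] = flutter_markers(bundle)
    return report


# Constructed sample tool output with a placeholder Team ID, for offline demonstration.
SAMPLE_CODESIGN = """Identifier=com.example.notepad
Authority=Developer ID Application: Example Dev (TEAMID0000)
Authority=Developer ID Certification Authority
TeamIdentifier=TEAMID0000
"""
SAMPLE_SPCTL = "/tmp/Notepad.app: accepted\nsource=Notarized Developer ID\n"
```

Run `triage("/Applications/Suspect.app")` on a Mac to get the live report; the parsers can be exercised anywhere with the constructed samples.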


SOURCE: www.bleepingcomputer.com

RELATED: North Korean-linked hackers were caught experimenting with new macOS malware

Researchers can’t tell whether the malware was used in a campaign, or whether North Korean operatives were caught before they could deploy it in the wild.

CYBERSCOOP | Published November 13, 2024

The research, released Tuesday, details malware discovered in November by researchers on VirusTotal, a popular online file analysis tool. While the code was malicious, the online scanning platform gave the samples a clean bill of health. Jamf found three versions of the malware; two used the programming languages Golang and Python. The third was built using Flutter, which heavily obfuscates the code by default.

Researchers said the techniques and domains associated with the malware “align closely” with North Korean techniques. North Korea typically has financial motivations in mind for cyber operations. Both campaigns were aimed at cryptocurrency-related intrusions and contained similar infrastructure used by North Korea’s Lazarus Group.

Flutter is an open-source programming framework developed by Google that lets developers build, design, and maintain applications across iOS, Android, Linux, macOS, Windows, and the web. The development kit is also effective at obfuscating malicious code, which makes it harder to reverse engineer.


SOURCE: www.cyberscoop.com
