BLEEPING COMPUTER | Published November 13, 2024
North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.
The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.
According to Jamf Threat Labs, which discovered the activity, the campaign looks more like an experiment in bypassing macOS security than a fully fledged, highly targeted operation.
Notarized apps connecting to DPRK servers
Starting in November 2024, Jamf discovered multiple apps on VirusTotal that appeared completely innocuous to all AV scans yet showcased “stage one” functionality, connecting to servers associated with North Korean actors.
All apps were built for macOS using Google’s Flutter framework, which enables developers to create natively compiled apps for different operating systems using a single codebase written in the Dart programming language.
“It is not unheard of for actors to embed malware within a Flutter based application, however, this is the first we’ve seen of this attacker using it to go after macOS devices,” explain Jamf researchers Ferdous Saljooki and Jaron Bradley.
SOURCE: www.bleepingcomputer.com
RELATED: North Korean-linked hackers were caught experimenting with new macOS malware
CYBERSCOOP | Published November 13, 2024
Hackers associated with North Korea were discovered embedding malware inside macOS applications built with an open-source software development kit, according to researchers at Jamf, a company that makes software geared toward mobile device management.
The research, released Tuesday, details malware discovered in November by researchers on VirusTotal, a popular online file analysis tool. While the code was malicious, the online scanning platform gave the samples a clean bill of health. Jamf found three versions of the malware; two used the programming languages Golang and Python. The third was built using Flutter, which heavily obfuscates the code by default.
Researchers said the techniques and domains associated with the malware “align closely” with North Korean techniques. North Korea typically has financial motivations in mind for cyber operations. Both campaigns were aimed at cryptocurrency-related intrusions and contained similar infrastructure used by North Korea’s Lazarus Group.
Flutter is an open-source programming framework developed by Google that lets developers build, design, and maintain applications across iOS, Android, Linux, macOS, Windows, and the web. The development kit also heavily obfuscates compiled code, which makes malicious code built with it harder to reverse engineer.