North Korean hackers target crypto firms with new malware

Grafa, 2024/11/09 00:37
By: Isaac Francis

North Korean state-sponsored hackers have launched a new campaign, named ‘Hidden Risk,’ that targets crypto firms using malware disguised as legitimate documents, according to a report by SentinelLabs.

This campaign is linked to BlueNoroff, a subgroup of the notorious Lazarus Group, which has been known for stealing significant funds to support North Korea’s nuclear and weapons programs.

Unlike previous strategies that involved grooming victims on social media, this campaign focuses on phishing emails.

The emails are crafted to appear as crypto news alerts, tempting recipients to click on links that supposedly lead to genuine PDF documents.

Instead, users unknowingly download malware onto their macOS systems.

The report highlights that these phishing emails began surfacing in July and often included updates related to Bitcoin prices or trends in decentralised finance (DeFi).

This shift in tactics indicates an evolving approach by cybercriminals to infiltrate financial platforms and crypto exchanges.

The malware is particularly alarming due to its ability to bypass Apple’s built-in security features.

The software is signed with legitimate Apple Developer IDs, allowing it to evade macOS’s Gatekeeper system.

Once installed, the malware hides in system files, remaining undetected even after reboots, and communicates with servers controlled by the hackers.

This campaign aligns with warnings issued by the FBI about North Korean cyber actors increasingly targeting employees at DeFi and ETF firms using tailored social engineering attacks.

SentinelLabs has advised macOS users, especially those within organisations, to enhance their security protocols and remain vigilant against potential threats.

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
