In a new cybersecurity threat targeting the cryptocurrency industry, North Korean hacker group BlueNoroff has developed sophisticated malware targeting MacOS users.
Identified in a report by cybersecurity firm SentinelLabs, the malware is designed to infiltrate devices through multi-stage attacks that leverage PDF files to remotely access victims' computers and potentially steal sensitive data such as private keys.
The operation, dubbed “Hidden Risk” by SentinelLabs, uses a method that starts with a fake PDF file. When a user downloads and opens this file, a secondary malware file is downloaded to the MacOS desktop without their knowledge. This file then gives hackers remote access to the victim’s computer, posing a significant risk to cryptocurrency firms and individuals who own digital assets.
SentinelLabs detailed in its report that “Hidden Risk” spreads via emails containing fake news about cryptocurrency trends and tricks users into opening malware-infected PDF attachments. According to SentinelLabs’ summary, the malware uses a unique persistent method that exploits the MacOS Zsh configuration file zshenv. This technique is designed to make the malware harder to detect and remove, and to allow it to remain active on infected systems.
The cybersecurity firm also states with high confidence that this campaign is led by a threat actor suspected to be North Korean and is likely linked to previous BlueNoroff attacks, including the RustDoor/ThiefBucket and RustBucket operations.
*This is not investment advice.
