North Korean malware targets macOS with security bypass

Jamf Threat Labs has discovered malware developed by North Korean hackers that successfully bypassed Apple's security checks.

This malware was notable for being the first of its kind to compromise Apple’s macOS operating system, although it is not effective on updated systems.

The apps, which researchers believe to be experimental, were detected as clean by Microsoft’s VirusTotal scanner and were crafted using Go and Python programming languages, alongside the Google Flutter app development kit.

The malware used developer account signatures, and five of the six apps were temporarily notarised by Apple.

"The domains and techniques in the malware align closely with those used in other DPRK malware and show signs that, at one point in time, the malware was signed and had even temporarily passed Apple’s notarisation process,” Jamf Threat Labs stated.

It remains uncertain if the malware has been used in active attacks or if it was designed as a test for future use, but researchers indicated that it is likely a prelude to more sophisticated attempts.

The applications carried names related to the cryptocurrency sector, such as “New Updates in Crypto Exchange” and “CeFi,” hinting at potential targets within the crypto community.

When executed, some apps, like “New Updates in Crypto Exchange,” opened a modified version of the minesweeper game.

North Korean hackers have demonstrated adaptability and precision in past cyber campaigns, including an October exploit targeting Chrome vulnerabilities to steal crypto wallet information.

The United Nations has estimated that North Korean hackers have generated approximately $3 billion in illicit gains over the past six years, reinforcing their reputation for effective and organised operations.