New Malware Campaign 'Hidden Risk' Targets Cryptocurrency Businesses
Quick take - SentinelLabs has reported a new multi-stage malware campaign called ‘Hidden Risk’, linked to a suspected North Korean threat actor targeting cryptocurrency businesses through phishing emails that deliver disguised malware, with connections to previous cybercriminal activities and a focus on exploiting macOS security measures.
Fast Facts
- SentinelLabs has uncovered a new multi-stage malware campaign called ‘Hidden Risk’, linked to a suspected North Korean threat actor targeting cryptocurrency businesses.
- The campaign employs phishing emails that impersonate individuals from unrelated industries, delivering malware disguised as PDF files and initially leading to benign documents.
- The first stage of the malware is a Mac application named “Hidden Risk Behind New Surge of Bitcoin Price.app”, which downloads a decoy PDF and executes a malicious binary.
- The second stage features a backdoor executable named ‘growth’, which allows remote command execution and gathers environmental data while maintaining persistence through the Zshenv configuration file.
- The campaign is part of a broader trend of North Korean cyber activities targeting cryptocurrency sectors, with previous incidents involving tailored social engineering and the acquisition of valid Apple developer accounts.
SentinelLabs Identifies New Multi-Stage Malware Campaign: ‘Hidden Risk’
Overview of the Campaign
SentinelLabs has identified a new multi-stage malware campaign named ‘Hidden Risk’. This campaign is linked to a suspected North Korean (DPRK) threat actor targeting cryptocurrency-related businesses. The actor is believed to be associated with previous cybercriminal activities, notably the BlueNoroff group, and is also linked to the RustDoor/ThiefBucket and RustBucket campaigns. Cryptocurrency businesses have long been on the radar of North Korean-affiliated actors, who aim for theft and the insertion of backdoor malware.
Phishing Tactics and Malware Delivery
The ‘Hidden Risk’ campaign employs phishing emails that spread misinformation about cryptocurrency trends and deliver malware disguised as PDF files. Initial reports indicate that this campaign likely began in July 2024. The phishing emails impersonate individuals from unrelated industries, claiming to forward messages from known crypto influencers. These emails contain links that initially lead to benign documents but can later be switched to deliver malicious applications.
The first stage of the malware is a Mac application named “Hidden Risk Behind New Surge of Bitcoin Price.app”. This application was signed and notarized by Apple but later revoked. Upon execution, it downloads a decoy PDF from Google Drive and then retrieves and executes a malicious binary.
Technical Details and Threat Analysis
The second stage features an x86-64 Mach-O executable named ‘growth’, which functions as a backdoor enabling the execution of remote commands. The ‘growth’ binary is designed to gather environmental data and communicates with a command and control (C2) server. It utilizes a persistence mechanism that abuses the Zshenv configuration file, allowing it to execute in every Zsh session. This hidden file (~/.zshenv in the user’s home directory) is sourced by every Zsh session, including non-interactive ones, which gives the malware a reliable method of persistence.
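As an added defender-side illustration (not code from the SentinelLabs report), the script below lists lines in ~/.zshenv that do more than set variables, since that file normally contains only assignments; the review heuristics and the sample file content are my own constructions and are not indicators from the report.

```python
import re
from pathlib import Path

# ~/.zshenv normally holds only variable assignments, so any line that runs a
# command at shell start deserves a look. The patterns below are my own heuristics.
BENIGN = re.compile(r'^\s*(?:#|$|(?:export|typeset|unset|alias|setopt|unsetopt)\b|[A-Za-z_]\w*=)')
CMD_SUBST = re.compile(r'\$\(|`')
SUSPICIOUS = [
    (re.compile(r'\b(?:curl|wget)\b.*\|\s*(?:ba|z)?sh\b'), "downloads content and pipes it to a shell"),
    (re.compile(r'(?:^|\s)nohup\s|&\s*$'), "starts a background process at shell start"),
    (re.compile(r'^\s*(?:source|\.)\s+'), "sources another file"),
    (re.compile(r'(?:~|\$HOME|\$\{HOME\}|/[^\s"\';&|]*)/\.[^\s"\'/;&|]+'), "references a hidden path"),
]

def audit_zshenv_text(text):
    """Return (line_number, reason, line) tuples for lines worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if BENIGN.match(line):
            # Assignments are expected, unless they run a command to compute the value.
            if CMD_SUBST.search(line):
                findings.append((lineno, "command substitution inside an assignment", line.strip()))
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((lineno, reason, line.strip()))
                break
        else:
            findings.append((lineno, "unexpected command in .zshenv", line.strip()))
    return findings

def audit_zshenv_file(path=None):
    """Audit the current user's ~/.zshenv (or another path); a missing file yields no findings."""
    path = Path(path) if path else Path.home() / ".zshenv"
    if not path.is_file():
        return []
    return audit_zshenv_text(path.read_text(errors="replace"))

# Constructed sample file content, not taken from the SentinelLabs report.
SAMPLE = """\
# constructed sample
export PATH="$HOME/.local/bin:$PATH"
export EDITOR=vim
. "$HOME/.cargo/env"
export TOKEN=$(curl -s https://example.invalid/token)
nohup "$HOME/.cache/.helper" >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for label, findings in (("sample", audit_zshenv_text(SAMPLE)), ("~/.zshenv", audit_zshenv_file())):
        for lineno, reason, line in findings:
            print(f"{label} line {lineno}: {reason}: {line}")
```

Findings are candidates for review, not verdicts: a legitimate toolchain line such as sourcing ~/.cargo/env is flagged the same way and has to be judged by the analyst.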
The campaign’s network infrastructure analysis shows connections to the DPRK’s BlueNoroff threat actor, focusing on cryptocurrency-related themes. The actor has established a network of infrastructure that mimics legitimate cryptocurrency and fintech organizations, primarily utilizing NameCheap as their domain registrar along with various virtual server hosting services. This indicates a strategic effort to present themselves as credible entities.
In a broader context, the DPRK has been linked to multiple malware incidents targeting blockchain engineers and other cryptocurrency professionals. Notable instances include an APT campaign reported in April 2023 targeting macOS users and the deployment of KandyKorn malware in November 2023. The FBI issued warnings in September 2024 about tailored social engineering campaigns directed at employees in the decentralized finance and cryptocurrency sectors.
Recent attacks have showcased the threat actors’ capability to acquire valid Apple developer accounts, allowing them to bypass certain macOS security measures. SentinelLabs emphasizes the importance of enhancing security awareness, particularly among macOS users in organizational settings, which are especially at risk. Indicators of compromise have been identified, including specific SHA1 hashes for the malware and a list of associated IP addresses and domains.