Decrypt LOL

Malware Linked to North Korea Discovered Using Flutter Framework

Quick take - In late October, Jamf Threat Labs discovered malware samples potentially linked to North Korea that utilize the Flutter framework for obfuscation, revealing three variants—Go, Python, and Flutter—designed to evade detection and execute malicious code on macOS devices.

Fast Facts

  • Jamf Threat Labs identified malware linked to North Korea (DPRK) using the Flutter framework for obfuscation, discovered through VirusTotal uploads.
  • The malware exists in three variants: Go, Python (via Py2App), and Flutter, with a focus on the complex Flutter-built application.
  • Six infected applications were found, five signed with a developer account, including a modified minesweeper game that connects to a DPRK-associated domain.
  • The malware can execute AppleScript code retrieved from server responses, with unique requirements for script formatting, indicating advanced capabilities.
  • This incident marks the first use of Flutter by DPRK actors to target macOS, suggesting an evolution in their tactics and necessitating ongoing monitoring.

In late October, Jamf Threat Labs identified malware samples potentially linked to North Korea (DPRK) that utilize the Flutter framework for obfuscation. The malware was discovered through samples uploaded to VirusTotal, which were initially reported as clean despite their malicious intent.

Analysis and Variants

Analysis revealed that these malware samples exhibit similarities to other known DPRK malware, including shared domains and techniques. The malware was found in three variants: Go, Python (packaged using Py2App), and Flutter. The focus of the analysis is particularly on the Flutter-built application due to its complexity in reverse engineering.

Flutter, a Google-developed framework, facilitates cross-platform app design, allowing applications to maintain a consistent appearance across macOS, iOS, and Android. Applications built with Flutter keep their application code in a dynamic library (dylib) that the Flutter engine loads at runtime; because the logic lives in that library rather than in the main executable, the layout itself contributes to obfuscation.

The identified Flutter applications are categorized as stage one payloads, with six infected applications discovered, five of which were signed with a developer account. One notable application, identifiable by its hash, poses as a functional minesweeper game, modified from an open-source Flutter game. Upon execution, this minesweeper game initiates a network request to a domain previously associated with DPRK malware.

Malware Functionality

The malware’s operational logic is embedded within precompiled Dart snapshots, which complicates analysis and decompilation. Certain strings found within the dylib suggest that the malware can execute AppleScript. Testing confirmed that the malware runs AppleScript code retrieved from a valid HTTP response, with one unusual requirement: the script in the response must be written backward.

Additionally, a Golang variant of the malware was identified, which shares similar functionality and had previously been signed by Apple. This Golang variant conducts GET requests and can execute AppleScript payloads received from server responses. A Python variant was also found, packaged as a standalone application that resembles a Notepad application. This variant similarly contains malicious logic that fetches and executes remote code, paralleling the behavior of the Flutter variant.
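The two analysis points above, the Flutter bundle layout with its compiled Dart dylib and the backward-written AppleScript delivered over HTTP, can both be turned into triage checks. The following is an added example written for this summary, not code from Jamf Threat Labs; it assumes the standard Flutter macOS bundle paths (FlutterMacOS.framework and App.framework/App), and the AppleScript keyword list is this example's own heuristic rather than a signature from the report.

```python
"""Triage helpers: Flutter bundle layout check and reversed-AppleScript detection."""
import re
from pathlib import Path

# Phrases typical of AppleScript that drives applications or runs shell commands
# (heuristic chosen for this example, not an indicator list from the report).
APPLESCRIPT_MARKERS = (b"tell application", b"do shell script", b"end tell", b"osascript")
# Standard Flutter macOS layout: engine framework plus the AOT-compiled Dart dylib.
FLUTTER_PATHS = ("Contents/Frameworks/FlutterMacOS.framework",
                 "Contents/Frameworks/App.framework/App")
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")


def applescript_strings(data: bytes) -> list[str]:
    """Printable strings (8+ chars) in a binary that contain an AppleScript marker."""
    return [s.decode("ascii") for s in PRINTABLE.findall(data)
            if any(m in s for m in APPLESCRIPT_MARKERS)]


def classify_http_body(body: bytes) -> str:
    """'forward' if the body is plain AppleScript, 'reversed' if it only reads as
    AppleScript after byte-reversal (the format the report describes), else 'none'."""
    if applescript_strings(body):
        return "forward"
    if applescript_strings(body[::-1]):
        return "reversed"
    return "none"


def flutter_indicators(present: set[str]) -> dict:
    """Given the relative paths inside a .app bundle, report which Flutter layout
    markers exist and whether the bundle looks Flutter-built."""
    found = {p: p in present for p in FLUTTER_PATHS}
    found["is_flutter"] = all(found[p] for p in FLUTTER_PATHS)
    return found


def scan_bundle(app_dir: Path) -> dict:
    """Walk a .app on disk: layout check plus a string scan of the Dart dylib."""
    present = {p.relative_to(app_dir).as_posix() for p in app_dir.rglob("*")}
    report = flutter_indicators(present)
    dylib = app_dir / FLUTTER_PATHS[1]
    report["applescript_strings"] = (applescript_strings(dylib.read_bytes())
                                     if dylib.is_file() else [])
    return report
```

`classify_http_body` is meant to run over captured C2 response bodies in a sandbox or proxy log, while `scan_bundle` takes the path of a suspect `.app` directory.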

Implications and Recommendations

The malware appears to be a test bed for further weaponization, consistent with the actor’s history of sophisticated social engineering campaigns. Notably, the file names of the malware do not match the content displayed to users, suggesting a deliberate attempt to evade Apple’s notarization checks and antivirus software. This incident marks the first instance of this attacker using Flutter to target macOS devices, highlighting an evolution in their tactics. Ongoing monitoring for further activity by the actor is recommended to mitigate potential threats.

Original Source: Read the Full Article Here