North Korean Threat Actors Use Malware in Flutter Apps
Quick take - Threat actors linked to North Korea have been discovered using a new method to embed malware in Flutter applications targeting macOS devices, with the malware disguised as a Minesweeper game and employing various programming languages to enhance its evasion of security measures.
Fast Facts
- North Korean threat actors have been identified using malware embedded in Flutter applications, marking the first instance targeting macOS devices.
- The malware, which disguises itself as a Minesweeper game, is part of a broader range of malicious software developed in Golang and Python.
- Jamf Threat Labs discovered the malware through analysis of artifacts on VirusTotal, suggesting it may still be in a testing phase and not widely distributed.
- The malware was signed using Apple developer IDs from legitimate organizations, indicating a successful circumvention of Apple’s notarization process.
- There are potential links to the Lazarus sub-group BlueNoroff, with the malware employing various programming languages to effectively target cryptocurrency companies.
North Korean Threat Actors Employ Novel Malware Tactics
Threat actors associated with the Democratic People’s Republic of Korea (DPRK) have been identified employing a novel tactic of embedding malware in Flutter applications. This marks the first known instance of such malware targeting Apple macOS devices.
Discovery and Analysis
The discovery was made by Jamf Threat Labs, which analyzed artifacts uploaded to the VirusTotal platform. The malware in question is part of a broader range of malicious software that also includes variants developed in Golang and Python. Currently, the distribution method for these infected applications remains unclear, and there is no specific information indicating whether these malware samples have been deployed against particular targets.
North Korean threat actors are historically known for their extensive social engineering strategies, particularly aimed at individuals within the cryptocurrency and decentralized finance sectors. Jaron Bradley, the director at Jamf Threat Labs, has suggested that the examples of malware being studied may be in a testing phase and might not have been widely distributed yet.
Potential Connections to Known Groups
While Jamf has not explicitly linked the malicious activity to any specific North Korean hacking group, there is a potential connection to a Lazarus sub-group known as BlueNoroff. This speculation arises from infrastructure overlaps with previously identified malware such as KANDYKORN and campaigns like Hidden Risk.
The newly discovered malware utilizes Flutter, a cross-platform application development framework, to embed its primary payload, which is written in Dart. The malware disguises itself as a functional Minesweeper game titled “New Updates in Crypto Exchange (2024-08-28),” appearing to be a clone of a basic Flutter game available on GitHub. Notably, game-themed lures have also been previously associated with another North Korean hacking group, Moonstone Sleet.
Circumventing Security Measures
The malicious applications were signed and notarized using Apple developer IDs belonging to organizations such as the Baltimore Jewish Council, Inc. and Fairbanks Curling Club, Inc., which suggests the threat actors were able to pass Apple's notarization process. Apple has since revoked these developer signatures.
Upon execution, the malware sends a network request to a remote server and runs the AppleScript code it receives in the response; the script is delivered with its text reversed. Variants of the malware have also been identified in Go and Python, with the Python versions packaged using Py2App. Identified applications include NewEra for Stablecoins and DeFi, CeFi (Protected).app, and Runner.app, each of which can execute AppleScript payloads depending on the server's response.
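The reversed-script delivery described above lends itself to a simple detection heuristic. The following Python snippet is an added illustration, not code from Jamf's report or from the malware: it flags a response body when AppleScript keywords appear only after the text is reversed. The marker list and the sample responses are assumptions constructed for this example.

```python
from __future__ import annotations

from typing import Optional

# Phrases typical of AppleScript source; finding them only after reversal is
# the signal this heuristic looks for. (Assumed list, not from the report.)
APPLESCRIPT_MARKERS = (
    "tell application",
    "do shell script",
    "end tell",
    "display dialog",
    "osascript",
)


def applescript_markers(text: str) -> list[str]:
    """Return the AppleScript markers present in text (case-insensitive)."""
    lowered = text.lower()
    return [m for m in APPLESCRIPT_MARKERS if m in lowered]


def classify_payload(payload: str) -> dict:
    """Classify a server response body as forward, reversed or no AppleScript.

    A 'reversed' verdict is the one a detection rule would alert on for the
    behaviour described for this sample family.
    """
    forward = applescript_markers(payload)
    if forward:
        return {"orientation": "forward", "markers": forward}
    backwards = applescript_markers(payload[::-1])
    if backwards:
        return {"orientation": "reversed", "markers": backwards}
    return {"orientation": None, "markers": []}


# Constructed sample responses (not real command-and-control traffic).
SAMPLE_RESPONSES = {
    "benign_json": '{"status": "ok", "version": "1.0.2"}',
    "forward_script": 'tell application "Finder" to display dialog "hi"',
    "reversed_script": '"ih" golaid yalpsid ot "redniF" noitacilppa llet',
}


def scan_responses(responses: dict[str, str]) -> dict[str, Optional[str]]:
    """Map each named response body to its detected orientation."""
    return {name: classify_payload(body)["orientation"] for name, body in responses.items()}


if __name__ == "__main__":
    for name, verdict in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict}")
```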
Developing the malware in multiple programming languages indicates a focused effort by DPRK threat actors to target cryptocurrency companies effectively. The malware also appears in numerous variants with frequent updates, likely intended to evade detection by changing its appearance with each release. The choice of the Dart language and Flutter applications is believed to add a layer of obscurity, because the compiled Flutter binaries are harder to inspect, improving the malware's chances of evading security measures.