North Korea-Linked Threat Actors Use Malware in Flutter Apps to Infect macOS Devices

Threat actors with ties to North Korea have embedded malware within Flutter applications, marking the first time this tactic has been used by adversaries to infect Apple macOS devices. Jamf Threat Labs made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month.

The malicious activity appears to be part of a broader effort that includes malware written in Golang and Python. However, it’s currently unknown how these samples are distributed to victims or if they have been used against any targets.

North Korean threat actors are known for their extensive social engineering efforts targeting employees of cryptocurrency and decentralized finance businesses. Jamf has not attributed the malicious activity to a specific North Korea-linked hacking group, but it could be linked to the Lazarus sub-group BlueNoroff due to infrastructure overlaps with malware referred to as KANDYKORN.

The new malware stands out for its use of Flutter, a cross-platform application development framework, to embed a primary payload written in Dart. The app masquerades as a Minesweeper game and has been signed and notarized using Apple developer IDs. However, these signatures have since been revoked by Apple.

Once launched, the malware sends a network request to a remote server and executes AppleScript code received from that server, with the payload written in reverse. Jamf Threat Labs also identified variants of the malware written in Go and Python, which can run any AppleScript payload received in the server's HTTP response.
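A detection sketch for the behaviour described above, added here as an example and not taken from Jamf's report or the source article: it flags HTTP response bodies that only read as AppleScript once reversed. The marker list, the threshold and the sample bodies are assumptions constructed for illustration.

```python
import re

# Standard AppleScript constructs (language syntax, not indicators from the report).
MARKERS = [
    r"\bdo shell script\b",
    r"\btell application\b",
    r"\bend tell\b",
    r"\bdisplay dialog\b",
    r"\bset \w+ to\b",
    r"\bon run\b",
]
_PATTERNS = [re.compile(m, re.IGNORECASE) for m in MARKERS]


def marker_hits(text):
    """Count how many distinct AppleScript markers occur in text."""
    return sum(1 for p in _PATTERNS if p.search(text))


def classify_body(body, threshold=2):
    """Classify one HTTP response body as clean, applescript or reversed-applescript.

    Reversing the whole string also catches bodies reversed line by line,
    because every marker fits on a single line.
    """
    forward = marker_hits(body)
    backward = marker_hits(body[::-1])
    if backward >= threshold and backward > forward:
        return "reversed-applescript"
    if forward >= threshold:
        return "applescript"
    return "clean"


# Constructed sample bodies (hypothetical, harmless content).
_SCRIPT = 'tell application "Finder"\n  display dialog "hi"\nend tell'
SAMPLES = {
    "plain_html": "<html><body>Minesweeper high scores</body></html>",
    "plain_script": _SCRIPT,
    "reversed_script": _SCRIPT[::-1],
}


def scan(samples):
    """Return {name: verdict} for a mapping of captured response bodies."""
    return {name: classify_body(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The same check can run over response bodies exported from a proxy or from packet captures of macOS endpoints.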

This development is a sign that North Korea-linked threat actors are actively developing malware using several programming languages to infiltrate cryptocurrency companies. The use of game-themed lures has also been observed in conjunction with another North Korean hacking group tracked as Moonstone Sleet.

Source: https://thehackernews.com/2024/11/north-korean-hackers-target-macos-using.html