North Korean malware evades Apple notarization, targets macOS users

North Korean hackers created malware capable of bypassing Apple's notarization process, a first seen for macOS.
North Korean hackers created malware capable of bypassing Apple's notarization process, a first seen for macOS.

North Korean hackers seem to have created malware that evaded Apple security checks. The apps seem to be experimental, Apple-focused Jamf Threat Labs researchers say. It was the first time they had seen this technology used to compromise Apple’s macOS operating system, but it will not run on up-to-date systems.

Weaponizing a security weakness

The Jamf Threat Labs researchers found apps with malicious intent that were reported as clean by Microsoft’s VirusTotal online scanning service. They were found in variants written in the Go and Python languages and using the Google Flutter app.

Flutter is an open-source developer kit that enables the creation of multi-platform apps.

Five of the six malicious apps had developer account signatures and had been temporarily notarized by Apple. The researchers wrote:

“The domains and techniques in the malware align closely with those used in other DPRK [Democratic People’s Republic of Korea — North Korea] malware and show signs that, at one point in time, the malware was signed and had even temporarily passed Apple’s notarization process.”

“It’s unclear in this case if the malware has been used against any targets or if the attacker is preparing for a new form of delivery,” they added. They concluded it was “likely testing for greater weaponization.”

The malware had names associating them with cryptocurrency, such as “New Updates in Crypto Exchange,” “New Era for Stablecoins and DeFi,” “CeFi” and “Multisig Risks in Stablecoin and Crypto Assets,” which hinted at the hackers’ ultimate target. When “New Updates in Crypto Exchange” was executed, it opened a modified minesweeper game.

Related: $235M WazirX exchange hack has implications for India’s crypto industry

Organized hackers do it best

North Korean hackers have a well-deserved reputation for ingenuity. They were caught exploiting a vulnerability in Chrome in October to steal crypto wallet credentials. Allegations were made the same month that North Koreans had had a hand in developing the Cosmos network Liquid Staking Module.

Source: Jamf

The hackers are highly organized and allegedly take in hundreds of thousands of dollars worth of cryptocurrency a month and have made approximately $3 billion in the last six years, according to the United Nations.

Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis