Warning: North Korean Hackers Target macOS Users with Fake Zoom Updates


A new hacking campaign, dubbed “macOS NimDoor” and attributed to North Korean hackers, is using social engineering and custom malware written in Nim to break into macOS computers.

Key Points:

  • Deceptive Tactics: North Korean hacking group, BlueNoroff, is impersonating trusted contacts on Telegram and luring employees from web3 and crypto companies with fake Calendly meeting invites.
  • Malware Delivery: The attack culminates in an email containing a malicious script disguised as a legitimate Zoom SDK update.
  • “NimDoor” Malware: Executing this script installs a sophisticated macOS malware dubbed “NimDoor” by security researchers. This malware leverages the Nim programming language and employs advanced techniques for evasion and persistence.
  • Targeted Victims: The primary targets are individuals working within the blockchain, cryptocurrency, and decentralized web (web3) sectors.

Technical Details

The NimDoor malware is notable for being compiled in Nim, a programming language rarely used in malware development. This uncommon choice helps the malware evade traditional signature-based detection systems, according to a report by SentinelOne, which describes the following capabilities:

  • Process injection using task_for_pid, enabling stealthy execution.
  • Encrypted command-and-control (C2) via WebSockets using RC4 encryption.
  • Persistence mechanisms that survive reboots and re-launch the payload via signal-triggered routines.
  • Credential theft from browsers (Chrome, Firefox, Arc, Edge) and messaging apps like Telegram.
  • Extraction of iCloud Keychain and crypto wallet data, posing a critical risk to digital asset holders.

Impact:

The “NimDoor” malware is designed to establish persistent access to infected macOS systems. It can exfiltrate sensitive data, including login credentials from Keychain, browser information, and even data from Telegram accounts. This poses a significant risk of financial theft and intellectual property loss for targeted organizations and individuals in the highly sensitive web3 and crypto industries.

Related Updates and Broader Context:

This latest campaign highlights a continuing trend of North Korean state-sponsored hacking groups focusing on the cryptocurrency ecosystem. They have previously been observed using similar deceptive tactics and exploiting legitimate platforms like Zoom to gain unauthorized access to systems.

A notable incident mentioned in relation to these groups is the significant $223 million hack on Cetus Protocol, underscoring the severe financial implications of their operations. The increasing use of novel programming languages like Nim for malware development also signifies an evolving threat landscape, requiring heightened vigilance and robust security measures, especially for macOS users in high-value target sectors.

Security Measures

Security researchers urge macOS users—especially those in crypto and Web3 spaces—to adopt the following precautions:

  • Avoid downloading updates or SDKs from unofficial sources.
  • Verify contacts and job opportunities, particularly those coming through encrypted messaging apps.
  • Implement behavioral monitoring tools on macOS endpoints.
  • Use hardware wallets and disable browser-based storage of credentials and seeds.
  • Regularly audit ~/Library/LaunchAgents and related directories for suspicious activity.
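As an added defender-side illustration of the last precaution (this is not code from the article or from SentinelOne), the Python script below scans the LaunchAgents and LaunchDaemons directories, parses each job's plist and flags the patterns a persistence audit usually looks for. The path and interpreter heuristics and the SAMPLES entries are my own constructed assumptions, not indicators from the report.

```python
import os
import plistlib
# Where launchd persistence jobs live: ~/Library/LaunchAgents plus its system-wide siblings.
LAUNCH_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
               "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Heuristics (assumptions, not from the report): scratch/shared paths, hidden dirs, "sh -c" wrappers.
UNUSUAL_PATHS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}

def job_argv(job: dict) -> list:
    """argv launchd would execute, from ProgramArguments or the older Program key."""
    return list(job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else []))

def assess(job: dict) -> list:
    """Reasons a launchd job looks like malware persistence; empty means nothing flagged."""
    argv = job_argv(job)
    if not argv:
        return ["no Program/ProgramArguments key"]
    cmdline, reasons = " ".join(argv), []
    if any(p in cmdline for p in UNUSUAL_PATHS) or "/." in cmdline:
        reasons.append(f"unusual or hidden path: {cmdline}")
    if os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1:
        reasons.append(f"interpreter wrapper: {cmdline}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: relaunches at login and whenever it exits")
    return reasons

def audit(dirs=LAUNCH_DIRS) -> dict:
    """Scan real plist files; returns {path: reasons} for flagged or unparseable jobs."""
    findings = {}
    for d in dirs:
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    reasons = assess(plistlib.load(fh))
            except Exception as exc:  # a file launchd itself cannot parse deserves a look
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                findings[path] = reasons
    return findings

SAMPLES = {  # constructed samples for a dry run, not real NimDoor artefacts
    "vendor": {"Label": "com.example.updater", "RunAtLoad": True,
               "Program": "/Applications/Example.app/Contents/MacOS/updater"},
    "hidden": {"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
               "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/helper"]},
}
```

Run `audit()` on a Mac to list flagged jobs, or `assess(SAMPLES["hidden"])` to see the three reasons the constructed hidden-path job triggers; review anything flagged by hand before removing it.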