Cryptocurrency-related businesses have been targets of North Korean-affiliated threat actors for some time now, with multiple campaigns aiming to steal funds and/or insert backdoor malware into targets. In April 2023, researchers detailed an APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. ‘RustBucket,’ as they labeled it, was attributed with strong confidence to the BlueNoroff APT. In May 2023, ESET researchers discovered a second RustBucket variant targeting macOS users, followed by Elastic’s discovery in July of that year of a third variant that included a LaunchAgent for persistence. In November 2023, Elastic also reported on another DPRK campaign targeting blockchain engineers of a crypto exchange platform with KandyKorn malware. Further analysis by SentinelLabs (below) connected the KandyKorn and RustBucket campaigns.
In early September 2024, the FBI began warning that North Korea was conducting “highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance (“DeFi”), cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency.” Researchers from Jamf subsequently followed up on this report a few weeks later, detailing an attack attempt that deployed malware masquerading as a Visual Studio updater.
In October 2024, SentinelLabs observed a phishing attempt targeting a crypto-related industry that delivered a dropper application and a payload bearing many of the hallmarks of these previous attacks. Researchers believe the campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics. SentinelLabs calls this campaign ‘Hidden Risk’; its operation and indicators of compromise are detailed below, including a novel persistence mechanism that abuses the zshenv configuration file.
Infection Vector - Initial infection is achieved via a phishing email containing a link to a malicious application. The application is disguised as a link to a PDF document on a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price,” “Altcoin Season 2.0-The Hidden Gems to Watch,” and “New Era for Stablecoins and DeFi, CeFi.”
The emails hijack the name of a real person in an unrelated industry as the sender and purport to be forwarding a message from a well-known crypto social media influencer. In the case of the ‘Hidden Risk’ PDF, the threat actors copied a genuine research paper entitled ‘Bitcoin ETF: Opportunities and risk’ by an academic associated with the University of Texas and hosted online by the International Journal of Science and Research Archive (IJSRA).
The fake PDF displayed to targets (left) and the original source document hosted online (right)
Unlike earlier campaigns attributed to BlueNoroff, the Hidden Risk campaign uses an unsophisticated phishing email that does not engage the recipient with contextually relevant content, such as a reference to personal or work-related information. Also of note is that the sender domain in our observed incident, kalpadvisory[.]com, has been noted for spamming among online communities involved in the Indian stock market.
Social media users complain about spam calls from Kalp Advisory.
The ‘open’ link in the phishing email hides a URL to another domain, delphidigital[.]org. At the time of writing, the full URL serves a benign copy of the Bitcoin ETF document, whose title has varied over time. At some point, however, the URL switched (or switches) to serving the first stage: a malicious application bundle entitled ‘Hidden Risk Behind New Surge of Bitcoin Price.app’ (3f17c5a7d1e7fd138163d8039e614b8a967a56cb).
Application icon for the Stage 1 dropper
First Stage | “Bait and Switch” Dropper Application Replaces PDF - The first stage is a Mac application written in Swift displaying the same name as the expected PDF, “Hidden Risk Behind New Surge of Bitcoin Price.app”. The application bundle has the bundle identifier Education.LessonOne and contains a universal architecture (i.e., arm64 and x86-64) Mach-O executable named LessonOne.
The application bundle was signed and notarized on 19 October 2024 with the Apple Developer ID “Avantis Regtech Private Limited (2S8XHJ7948).” Apple has since revoked the signature.
Code signing details for the Hidden Risk Behind New Surge of Bitcoin Price.app
On launch, the application downloads the decoy “Hidden Risk” PDF file from a Google Drive share and opens it using the default macOS PDF viewer (typically Preview). Researchers at Kandji previously reported similar TTPs in August. The PDF is written into a temporary file before being moved to /Users/Shared using NSFileManager’s moveItemAtURL:toURL:error: method.
The malware then downloads and executes a malicious x86-64 binary from matuaner[.]com via a URL hard-coded into the Stage 1 binary. Since, by default, macOS won’t allow an application to load content over insecure HTTP, the application’s Info.plist lists this domain in the exception dictionary under its NSAppTransportSecurity key and sets the NSExceptionAllowsInsecureHTTPLoads value to “true.”
The Stage 1’s Info.plist adds the C2 domain as an exception for Apple’s App Transport Security settings.
The Info.plist also indicates that the application was built on a macOS 14.2 Sonoma machine but will run on Intel and Apple silicon Macs with macOS 12 Monterey or later.
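The ATS exception described above is something a defender can check for mechanically across the app bundles on a host. The following Python is an added example written for this article, not code from SentinelLabs or from the malware; it parses an Info.plist with the standard-library plistlib module and reports any domain granted an NSExceptionAllowsInsecureHTTPLoads exception (or a global NSAllowsArbitraryLoads). The embedded plist is constructed to mirror the structure the report describes; the exception domain in it is a placeholder, not the campaign's real C2 domain.

```python
import plistlib
from pathlib import Path
from typing import Dict, List

# Constructed Info.plist modelled on the ATS exception described in the
# report. "c2-placeholder.example" stands in for the real C2 domain.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>Education.LessonOne</string>
  <key>LSMinimumSystemVersion</key>
  <string>12.0</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>c2-placeholder.example</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# A second constructed plist with no ATS relaxation, for comparison.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.cleanapp</string>
</dict>
</plist>
"""


def ats_insecure_domains(plist_bytes: bytes) -> List[str]:
    """Return the ATS relaxations declared in an Info.plist: "*" when the app
    allows arbitrary (any-host) loads, plus every domain that is granted a
    per-domain NSExceptionAllowsInsecureHTTPLoads exception."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings: List[str] = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("*")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(domain)
    return sorted(findings)


def audit_app_bundle(bundle_path: str) -> Dict[str, object]:
    """Read Contents/Info.plist from an .app bundle on disk and summarise the
    bundle identifier together with any insecure-HTTP exceptions it declares."""
    data = (Path(bundle_path) / "Contents" / "Info.plist").read_bytes()
    info = plistlib.loads(data)
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "insecure_http": ats_insecure_domains(data),
    }


if __name__ == "__main__":
    print("sample plist:", ats_insecure_domains(SAMPLE_INFO_PLIST))
    print("clean plist:", ats_insecure_domains(CLEAN_INFO_PLIST))
```

An ATS exception is not malicious by itself (plenty of legitimate apps carry one), but a per-domain plain-HTTP exception in a freshly notarized, single-purpose "document viewer" app is the kind of finding worth correlating with the signing identity and the domain's registration history.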
Second Stage | ‘growth’ x86-64 Mach-O Backdoor - The malicious binary downloaded by the first stage dropper is a single architecture Mach-O x86-64 executable (7e07765bf8ee2d0b2233039623016d6dfb610a6d), meaning that although the parent dropper will execute on both Intel and Apple silicon machines, the Stage 2 will only run on Intel architecture Macs or Apple silicon devices with the Rosetta emulation framework installed. The binary, written in C++, has the name ‘growth,’ weighs in at around 5.1 MB and is not code-signed at all (SentinelLabs was able to share the file for researchers here).
The executable contains several identifiable functions, which we outline below. The overall objective is to act as a backdoor to execute remote commands.
Some interesting functions in the ‘growth’ binary
On execution, the ‘growth’ binary performs the following actions:
1. Calls the sym.install_char__char_ function to install persistence. We will discuss this in the next section.
2. Runs several commands to gather environmental information from the host and generates a random UUID of length 16. These commands include sw_vers ProductVersion, sysctl hw.model, and sysctl kern.boottime. It also calculates the current date and time and runs ps aux to list running processes.
3. Sends the string “ci,” the random UUID, and the gathered host data to a remote server using the DoPost function and awaits the C2 response.
4. Uses the ProcessRequest function to parse the response. If the first byte in the response is 0x31, it sends the string “cs,” the random UUID, and the value -1 using DoPost and exits. If the first byte in the response is 0x30, it executes the SaveAndExec function and sends the string “cs,” the random UUID, and the value 0 using DoPost. The SaveAndExec function reads the C2 response, parses it, saves it into a random, hidden file at /Users/Shared/.XXXXXX, and executes it.
The ProcessRequest function parses the C2 response.
5. Sleeps for 60 seconds and starts the flow again from step 3.
The DoPost function uses libcurl to make an HTTP POST request to the C2. The first argument is the C2 URL, the second is the data sent in the body of the POST request, and the third is the data pointer passed to the write callback.
The DoPost function constructs and sends the HTTP request.
Sentinel has previously noted that this exact User-Agent string, Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0), appeared in RustBucket malware in 2023. The User-Agent string also uses cur1-agent (using a 1 in place of the l in “curl”) as reported by Elastic, a unique indicator we have not observed elsewhere.
Researchers also see similarities in how earlier malware parsed the response from the C2, comparing it against one of two values to decide whether to await a further response, exit, or read a remote command and write it to a file. ProcessRequest was also the name of a function in an ObjCShellz payload observed in a previous campaign.
The SaveAndExec function is responsible for executing any commands received from the C2. This function takes two parameters: the payload received and its length. The function parses the malicious payload and calculates indices related to the presence of the characters “#” and “:,” receiving data from the C2 in the form 0#0:command.
SaveAndExec function parses the received script for embedded commands.
Based on the calculated indices, it creates a random file name of length six and writes the received command as a hidden file to /Users/Shared/.%s. It then uses chmod 0x777 to set the file's permissions to world read, write, and execute and finally executes it via open.
The SaveAndExec function changes the file’s permissions and then executes it.
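The two network-visible artefacts in this section, the reused User-Agent strings and the 0#0:command response format parsed by ProcessRequest and SaveAndExec, both lend themselves to detection on a proxy or full-packet capture. The Python below is an added example for this article, not code from SentinelLabs or from the malware: it flags the indicator User-Agents in sample proxy log lines and classifies a captured C2 response body using the first-byte logic (0x31 exit, 0x30 execute) and the '#' / ':' delimiters the report describes. The log format, the client addresses and the C2 host name are constructed; the report does not state what the two digits in 0#0 mean, so the decoder treats them purely as positional delimiters (an assumption).

```python
import re
from typing import List, Optional, Tuple

# User-Agent indicators from the report. The MSIE string is compared
# case-insensitively because reporting renders it in mixed case; the
# "cur1-agent" token (digit one for the letter l) is matched as a substring.
MSIE_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
CURL_LOOKALIKE = "cur1-agent"

# Constructed proxy log lines in a simple space-separated layout:
#   timestamp client method url "user-agent" status
# "c2-placeholder.example" stands in for the campaign's real C2 host.
SAMPLE_PROXY_LOG = """\
2024-10-21T10:02:11Z 10.0.0.5 POST http://c2-placeholder.example/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" 200
2024-10-21T10:02:12Z 10.0.0.7 GET https://www.example.org/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) AppleWebKit/605.1.15" 200
2024-10-21T10:03:14Z 10.0.0.5 POST http://c2-placeholder.example/ "cur1-agent/1.0" 200
2024-10-21T10:03:20Z 10.0.0.9 GET https://www.example.org/ "curl/8.4.0" 200
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def flag_user_agents(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, user_agent) for every line whose User-Agent matches
    one of the indicators above. Lines that do not parse are skipped."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ua = m.group(2), m.group(5)
        ua_l = ua.lower()
        if ua_l == MSIE_UA or CURL_LOOKALIKE in ua_l:
            hits.append((client, ua))
    return hits


def decode_c2_response(resp: bytes) -> Tuple[str, Optional[str]]:
    """Classify a captured C2 response body the way ProcessRequest is
    described: first byte 0x31 means exit, 0x30 means execute. In the
    execute case the body has the form 0#0:command and the command is taken
    as everything after the first ':' that follows the first '#'. A 0x30
    body with no such delimiters is reported as execute with no command."""
    if not resp:
        return ("empty", None)
    first = resp[0]
    if first == 0x31:
        return ("exit", None)
    if first == 0x30:
        hash_i = resp.find(b"#")
        colon_i = resp.find(b":", hash_i + 1) if hash_i >= 0 else -1
        if colon_i < 0:
            return ("execute", None)
        return ("execute", resp[colon_i + 1:].decode("utf-8", errors="replace"))
    return ("unknown", None)


if __name__ == "__main__":
    for client, ua in flag_user_agents(SAMPLE_PROXY_LOG):
        print(f"indicator UA from {client}: {ua}")
    # Constructed response bodies; "uname -a" is a harmless stand-in command.
    for body in (b"1", b"0#0:uname -a", b"0"):
        print(body, "->", decode_c2_response(body))
```

Pairing the two checks is the useful part: a beaconing client whose every 60-second POST carries one of these User-Agents, followed by a response body starting with 0x30, is a strong signal even without the binary in hand, and the extracted command tells the responder what was run.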
Persistence via Zshenv—The backdoor’s operation is functionally similar to previous malware attributed to this threat actor, but what makes it especially interesting is the persistence mechanism, which abuses the Zshenv configuration file.
Zshenv is one of several optional configuration files used by the Zsh shell. At the user level, it is a hidden file in the home directory, ~/.zshenv. A system-wide version can also be located at /etc/zshenv. If it exists, the file is sourced for all Zsh sessions, including interactive and non-interactive shells, non-login shells, and scripts. It is also read before all other Zsh startup files.
Interestingly, previous malware samples used by the same threat actor have referenced zsh_env in their naming convention but have not used the mechanism. In an earlier campaign, BlueNoroff used the ~/.zshrc config file to achieve persistence. However, this is a less reliable form of persistence since the file is only sourced when a user launches an interactive Terminal session or sub-session from an existing console.
Infecting the host with a malicious Zshenv file allows for a more potent persistence. While this technique is not unknown, it is the first time malware authors have used it in the wild. It has particular value on modern macOS versions since Apple introduced user notifications for background Login Items as of macOS 13 Ventura. Apple’s notification aims to warn users when a persistence method is installed, particularly oft-abused LaunchAgents and LaunchDaemons. However, abusing Zshenv does not trigger such a notification in current macOS versions.
The sym.install_char__char_ function handles the installation of the persistence mechanism in the binary. The mechanism checks for a hidden touch file (zero-byte) in the /tmp/ folder called .zsh_init_success. If the file does not exist, the ‘growth’ binary is called, and the touch file is created.
Contents of the malicious ~/.zshenv, executed for every Zsh session
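Because Zshenv abuse does not raise the Login Items notification, the practical counter is to audit the file directly. The Python below is an added example written for this article, not code from SentinelLabs; it scans the text of a zshenv file for the two artefacts the report names (the /tmp/.zsh_init_success marker and a hidden executable under /Users/Shared) plus a generic download-and-run heuristic, and can be pointed at the real ~/.zshenv and /etc/zshenv on a host. The embedded malicious sample is constructed to mirror the described logic; the report does not give the on-disk path of the ‘growth’ binary, so the launched path in the sample is a placeholder.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed ~/.zshenv modelled on the marker-file logic described in the
# report. "/Users/Shared/.growth-placeholder" is a placeholder path.
SAMPLE_MALICIOUS_ZSHENV = """\
# zsh environment
export PATH="$HOME/bin:$PATH"
if [ ! -f /tmp/.zsh_init_success ]; then
    /Users/Shared/.growth-placeholder &
    touch /tmp/.zsh_init_success
fi
"""

# Constructed benign file for comparison.
SAMPLE_BENIGN_ZSHENV = """\
export PATH="$HOME/.cargo/bin:$PATH"
export EDITOR=vim
"""

Finding = Tuple[int, str, str]  # (line number, reason, stripped line text)

# The first two rules come from the artefacts named in the report; the third
# is a generic heuristic for download/exec primitives in a startup file.
RULES = [
    (re.compile(r"/tmp/\.zsh_init_success"), "Hidden Risk marker file"),
    (re.compile(r"/Users/Shared/\.[^\s/'\"]+"), "hidden executable under /Users/Shared"),
    (re.compile(r"(^|[\s;&|(])(curl|wget|nohup|osascript)\b"), "download/exec primitive"),
]


def audit_zshenv_text(text: str) -> List[Finding]:
    """Apply RULES to each non-comment line; return one finding per rule hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append((lineno, reason, stripped))
    return findings


ZSHENV_PATHS = [Path("~/.zshenv").expanduser(), Path("/etc/zshenv")]
MARKER_PATH = Path("/tmp/.zsh_init_success")


def audit_zshenv_files(paths=None) -> Dict[str, List[Finding]]:
    """Audit the user and system zshenv files that exist on this host.
    Missing files are skipped; a present, clean file maps to an empty list."""
    results: Dict[str, List[Finding]] = {}
    for p in (paths or ZSHENV_PATHS):
        p = Path(p)
        if p.is_file():
            results[str(p)] = audit_zshenv_text(p.read_text(errors="replace"))
    return results


def marker_present() -> bool:
    """The zero-byte touch file the persistence stub leaves behind."""
    return MARKER_PATH.exists()


if __name__ == "__main__":
    print("sample findings:", audit_zshenv_text(SAMPLE_MALICIOUS_ZSHENV))
    print("host findings:", audit_zshenv_files())
    print("marker present:", marker_present())
```

On a fleet this is cheap to run from an EDR or MDM script, and the marker file is worth checking on its own: a ~/.zshenv that has already been cleaned will not show up in the text audit, but a leftover /tmp/.zsh_init_success still says the stub ran at least once (until the next reboot clears /tmp).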
Network Infrastructure—Analysis of the actor-operated and controlled network infrastructure associated with the Hidden Risk campaign further corroborates our confidence in attribution to DPRK’s BlueNoroff threat actor. Additionally, infrastructure analysis provides new insight into an extensive cluster of activity over the last year and provides further links to industry reporting mentioned above and others in the community.
Over recent months, the actor has built a network of connected infrastructure often themed around their cryptocurrency interests, their methods of delivering malware lures, and the mimicking of legitimate Web3, cryptocurrency, fintech, and investment organizations in order to appear legitimate. NameCheap is the predominant domain registrar being abused, and based on Sentinel's observations, virtual server hosting services such as Quickpacket, Routerhosting, and Hostwinds are the most commonly used.
Various methods of pivoting across network infrastructure and services can be used to connect the Hidden Risk campaign to domains themed around the following organizations, indicating which organizations the actor is interested in targeting or spoofing in order to target others.
Cryptocurrency Technologies: Delphi Digital, Solana Labs, Douro Labs, bitsCrunch, Caladan
Investment and Capital Entities: Maelstrom Fund, Selini Capital, Flori Ventures, ARK Invest, Long Journey Ventures
Generic IT/Communication: Virtual Meetings (Zoom, generic), Software Updates (macOS, browsers, generic)
When examining the infrastructure of the campaign detailed above in infrastructure analysis tools such as Validin, researchers identified clear relations between the initial stage 1 delivery domain (matuaner[.]com) and the IPs 45.61.135[.]105 and 172.86.108[.]47. These two IPs, combined with an overlapping certificate use, link to various domains that open the door to the larger and longer-running history of BlueNoroff activity (green lines) and additional lesser confidence infrastructure to explore further (orange dotted lines).
Pivoting from sample delivery to the initial set of infrastructure
Additional valuable pivoting can be achieved by analyzing attributes like DNS TXT records linked to domains the actor may use for phishing email delivery. For instance, we’ve observed the actor abusing email marketing automation tools, such as Brevo, where they verify domain ownership to meet email authentication standards, an effort to bypass spam and phishing detection filters.
Pivoting initial infrastructure to a wider set, through DNS TXT Records
Beyond direct pivoting based on infrastructure and overlapping response data, Sentinel also identified additional domains registered using similar methods that reflect previous organization naming themes across various top-level domains (TLDs). However, these domains have not yet been linked to any known actor activity. For instance, we found related but non-pivotable domains based on “Selini Capital,” such as the selinicapital[.]network, by analyzing bulk domain search datasets. This approach has proven effective in uncovering additional BlueNoroff domains linked to the Hidden Risk activity cluster.
Example Regular Expression: /s+e+l+i+n+i+c+a+p+i+t+a+l+\.[a-z0-9-]+/
Bulk domain scanning, past 180 days, showing registration summary.
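The regular expression above is a letter-repeat pattern: every letter of the brand may occur one or more times, which is what lets it catch the doubled-letter variant “sellinicapital” alongside “selinicapital”. The Python below is an added example written for this article, not SentinelLabs' tooling; it generalizes the construction to any brand string, applies it to a host list, and produces the per-TLD registration summary the bulk-scan view shows. The sample list is drawn from the IoC section of this article plus two constructed decoys; the added label-boundary lookbehind is this example's refinement, not part of the page's regex.

```python
import re
from collections import Counter
from typing import Dict, List

# Hosts taken from this article's IoC list, plus two constructed decoys
# (example.com and notselinicapital.org) to exercise the boundary check.
SAMPLE_DOMAINS = [
    "selinicapital.info",
    "meet.selinicapital.xyz",
    "selinicapital.network",
    "sellinicapital.com",
    "email.sellinicapital.com",
    "community.selincapital.com",
    "delphidigital.org",
    "example.com",
    "notselinicapital.org",
]


def brand_pattern(brand: str) -> "re.Pattern[str]":
    """Build the letter-repeat expression: for 'selinicapital' the body is
    s+e+l+i+n+i+c+a+p+i+t+a+l+ exactly as on the page, followed by a dot and
    a TLD label. The lookbehind requires the brand to begin a DNS label so a
    longer label that merely contains it (notselinicapital) is not a hit."""
    letters = [c for c in brand.lower() if c.isalnum()]
    body = "".join(re.escape(c) + "+" for c in letters)
    return re.compile(r"(?<![a-z0-9-])" + body + r"\.[a-z0-9-]+", re.IGNORECASE)


def hunt(domains: List[str], brand: str) -> List[str]:
    """Return the hosts in which the brand pattern occurs, sorted."""
    pat = brand_pattern(brand)
    return sorted(d for d in domains if pat.search(d))


def tld_summary(hosts: List[str]) -> Dict[str, int]:
    """Count matched hosts by their last label, the registration-summary view."""
    return dict(Counter(h.rsplit(".", 1)[-1].lower() for h in hosts))


if __name__ == "__main__":
    hits = hunt(SAMPLE_DOMAINS, "selinicapital")
    print("pattern:", brand_pattern("selinicapital").pattern)
    print("hits:", hits)
    print("by TLD:", tld_summary(hits))
```

Note what the pattern deliberately does not catch: “selincapital” (a dropped letter) is in the IoC list but fails the `i+` after `n+`, so a hunt built only on letter repetition needs a companion pattern for deletions and transpositions. Keeping the two separate, rather than loosening one regex until it matches everything, keeps the false-positive rate on bulk registration data manageable.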
The extensive collection of BlueNoroff infrastructure we’ve gathered over the years, recently expanded through the latest Hidden Risk campaign activity, prevents us from detailing every unique pivoting method as this actor evolves. As with all quality threat intelligence, our goal is to aid defenders while carefully managing the exposure of our tracking techniques to the actor. However, we share a broader set of associated infrastructure in the Indicator of Compromise section below.
Conclusion - Over the last 12 months or so, North Korean cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive ‘grooming’ of targets via social media. Sentinel has observed that the Hidden Risk campaign diverges from this strategy, taking a more traditional and cruder, though not necessarily less practical, email phishing approach. Despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident, both in terms of observed malware artifacts and associated network infrastructure, as discussed extensively throughout this post.
Researchers speculate that heightened attention on previous DPRK campaigns could have reduced the effectiveness of previous ‘social media grooming’ attempts, perhaps as a result of intended targets in DeFi, ETF, and other crypto-related industries becoming more wary. However, it is equally likely that such state-backed threat actors have sufficient resources to pursue multiple strategies simultaneously.
One factor consistent throughout many of these campaigns is that the threat actors can seemingly acquire or hijack valid Apple ‘identified developer’ accounts at will, have their malware notarized by Apple, and bypass macOS Gatekeeper and other built-in Apple security technologies. In light of this and the general increase in macOS crimeware observed across the security industry, we encourage all macOS users, particularly those in organizational settings, to harden their security and increase their awareness of potential risks.
Indicators of Compromise
SHA1                                      Function  File   Arch
05c178891ca1e65af53bbcfdbec573da3f74d176  Dropper   Macho  arm64
3f17c5a7d1e7fd138163d8039e614b8a967a56cb  Dropper   App    Universal
7e07765bf8ee2d0b2233039623016d6dfb610a6d  Backdoor  Macho  x86_64
baf4da6b89b7d7cbf24c9deef5984ef9dfd52e6a  Dropper   Macho  Universal
e5d97afa5f1501b3d5ec1a471dc8a3b8e2a84fdb  Dropper   Macho  x86_64
IP Addresses
23[.]254.253[.]75
45[.]61.128[.]122
45[.]61.135[.]105
45[.]61.140[.]26
139[.]99.66[.]103
144[.]172.74[.]23
144[.]172.74[.]141
172[.]86.102[.]98
172[.]86.108[.]47
216[.]107.136[.]10
Domains
analysis.arkinvst[.]com
appleaccess[.]pro
arkinvst[.]com
atajerefoods[.]com
buy2x[.]com
calendly[.]caladan[.]video
cardiagnostic[.]net
cmt[.]ventures
community.edwardcaputo[.]shop
community.kevinaraujo[.]shop
community.selincapital[.]com
customer-app[.]xyz
delphidigital[.]org
doc.solanalab[.]org
dourolab[.]xyz
drogueriasanjose[.]net
edwardcaputo[.]shop
email.sellinicapital[.]com
evalaskatours[.]com
happyz[.]one
hwsrv-1225327.hostwindsdns[.]com
info.ankanimatoka[.]com
info.customer-app[.]xyz
kevinaraujo[.]shop
maelstromfund[.]org
maelstroms[.]fund
matuaner[.]com
mbupdate.linkpc[.]net
mc.tvdhoenn[.]net
meet.caladan[.]video
meet.caladangroup[.]xyz
meet.hananetwork[.]video
meet.selinicapital[.]info
meet.selinicapital[.]online
meet.selinicapital[.]xyz
meet.sellinicapital[.]com
meeting.sellinicapital[.]com
meeting.zoom-client[.]com
mg21.1056[.]uk
nodnote[.]com
online.selinicapital[.]info
online.zoom-client[.]com
panda95sg[.]asia
pixelmonmmo[.]net
presentations[.]life
selincapital[.]com
selinicapital[.]info
selinicapital[.]network
selinicapital[.]online
sellinicapital[.]com
sendmailed[.]com
sendmailer[.]org
shh5.baranftw[.]xyz
tvdhoenn[.]net
verify.selinicapital[.]info
versionupdate.dns[.]army
www.buy2x[.]com
www.delphidigital[.]org
www.frameworks[.]ventures
www.happyz[.]one
www.huspot[.]blog
www.maelstromfund[.]org
www.panda95sg[.]asia
www.prismlab[.]xyz
www.sellinicapital[.]com
www.sendmailed[.]com
www.sendmailer[.]org
www.yoannturp[.]xyz
xu10.1056[.]uk
zoom-client[.]com
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424