Threat actors with ties to North Korea have been observed targeting Web3 and cryptocurrency-related businesses. They are using malware written in the Nim programming language, underscoring a constant evolution of their tactics. The cybersecurity company SentinelOne is tracking the malware components collectively under the name NimDoor. The attack chains involve sophisticated social engineering tactics, approaching targets on messaging platforms like Telegram. Targets are lured into scheduling a Zoom meeting and then sent a link to a supposed SDK update script. This results in the execution of an AppleScript that acts as a delivery vehicle for a second-stage payload.
At the heart of the infection sequence is a C++ loader called InjectWithDyldArm64, also known as InjectWithDyld. This loader decrypts two embedded binaries, launches one in a suspended state, and injects the other’s code. After the code is injected, the execution of the suspended process is resumed to continue the attack chain. The malware then proceeds to establish communication with a remote server and fetch commands from the attackers. These commands allow it to gather system information, run arbitrary commands, and change the current working directory.
One of the Nim-compiled binaries, named ‘installer’, is responsible for the initial setup and staging on the system.
The most advanced component used in the attack is CoreKitAgent, which is the main payload of the NimDoor framework. It operates as an event-driven binary, using macOS’s kqueue mechanism to asynchronously manage its execution flow. The most distinctive feature is its signal-based persistence mechanism, where it installs custom handlers for SIGINT and SIGTERM. When triggered, CoreKitAgent catches these signals and writes the LaunchAgent for persistence, redeploying the core components.
The malware is capable of downloading two more payloads that come fitted with powerful data harvesting capabilities.
These payloads are capable of harvesting credentials from web browsers like Arc, Brave, Google Chrome, and Firefox. They can also extract sensitive data directly from the Telegram desktop application, including the local message database. The findings demonstrate how North Korean threat actors are increasingly training their sights on Apple’s macOS systems. Nim’s unique ability to execute functions during compile time allows attackers to blend complex behavior into a binary.
Reference:
