North Korean Hackers Target Web3 Startups with Malware Tactics

North Korean Hackers Target Web3 Startups with NimDoor Malware

North Korean hackers are employing sophisticated tactics to target Web3 and cryptocurrency companies using malicious software known as NimDoor. This malware is a macOS backdoor that poses as a fake Zoom update, tricking victims into installing it. The technique involves phishing links distributed via Calendly and Telegram that lure users into downloading the malware. The malware is designed to steal sensitive data such as browser history and Keychain credentials.

Image courtesy of Security Affairs

“DPRK threat actors are utilizing Nim-compiled binaries and multiple attack chains in a campaign targeting Web3 and Crypto-related businesses,” states the analysis published by SentinelOne. The malware employs encrypted communications and is capable of reinfection if killed, mimicking legitimate AppleScript tools to avoid detection.

Attack Mechanism of NimDoor

The attack chain starts with fake Zoom invitations sent via Telegram and Calendly. Victims receive a script named “zoom_sdk_support.scpt,” which is padded with 10,000 lines of whitespace to obscure its malicious intent. This script downloads a second-stage payload from a lookalike domain that mimics legitimate Zoom URLs.

The attackers utilize two Mach-O binaries—one named ‘a’ written in C++ and another called ‘installer’ compiled from Nim. The first binary decrypts malware for data theft, while the second ensures persistence by deploying deceptive Nim binaries.

Image courtesy of CSO Online

“This kind of process injection technique is rare in macOS malware and requires specific entitlements to be performed,” according to researchers. The two payloads maintain persistence by handling termination signals, allowing the malware to redeploy core components.

Multi-Stage Infection Process

The infection process is multi-staged, initially involving a benign file that is executed to disguise the malicious activities. The second Mach-O binary, ‘installer,’ drops additional payloads written in Nim, setting up persistence on infected systems. These include scripts designed to exfiltrate data from browsers and applications like Telegram.

“Earlier this year, we saw threat actors utilizing Nim as well as Crystal,” the SentinelOne researcher notes. “We expect the choice of less familiar languages to become an increasing trend among macOS malware authors due both to their technical advantages and their unfamiliarity to analysts.”

Understanding these unique attack vectors is crucial for organizations in the Web3 and crypto sectors as they navigate the evolving threat landscape. For those interested in protecting their assets and infrastructure, exploring advanced cybersecurity solutions can be a strategic move.