According to Decrypt, North Korean state-sponsored hackers have launched a new campaign called 'Hidden Risk,' aiming to infiltrate cryptocurrency firms using malware disguised as legitimate documents. A report by SentinelLabs links this campaign to the BlueNoroff threat actor, a subgroup of the notorious Lazarus Group, which is known for funding North Korea's nuclear and weapons programs through cyber theft. This series of attacks is a strategic move to exploit the rapidly growing $2.6 trillion cryptocurrency industry, which often operates in a decentralized and under-regulated environment.

The FBI has recently warned about North Korean cyber actors increasingly targeting employees of decentralized finance (DeFi) and exchange-traded fund (ETF) firms through sophisticated social engineering tactics. The latest campaign appears to be an extension of these efforts, focusing on breaching crypto exchanges and financial platforms. Unlike their previous methods of grooming victims on social media, the hackers are now using phishing emails disguised as crypto news alerts, which began appearing in July. These emails, masquerading as updates on Bitcoin prices or the latest trends in DeFi, trick victims into clicking links that seem to lead to legitimate PDF documents. However, instead of opening a harmless file, users unknowingly download a malicious application onto their Macs.

The report highlights the new malware's ability to bypass Apple's built-in security protections, which is what makes it particularly concerning. The attackers have their software signed with legitimate Apple Developer IDs, allowing it to pass macOS's Gatekeeper checks. Once installed, the malware uses hidden system files to persist undetected, surviving even a restart of the computer, and it communicates with remote servers controlled by the hackers. SentinelLabs advises macOS users, especially those within organizations, to strengthen their security measures and raise their awareness of these risks.
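As an added illustration (not code from the article or from SentinelLabs), the following Python triage check applies the point above: it ignores a download's name and classifies it by content, flagging a file that claims to be a PDF but is actually a Mach-O binary or a macOS .app bundle. The file names and bytes are constructed samples, not indicators from the Hidden Risk campaign.

```python
import tempfile
from pathlib import Path

# Magic numbers for Mach-O and universal ("fat") binaries, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat binary (0xcafebabe is also a Java .class)
}

def classify(path):
    """Classify what a downloaded artifact really is, ignoring its name."""
    p = Path(path)
    if p.is_dir():
        # A .app is just a directory; Contents/Info.plist marks it as a bundle.
        if (p / "Contents" / "Info.plist").is_file():
            return "app-bundle"
        return "directory"
    with open(p, "rb") as fh:
        head = fh.read(8)
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"

def triage(path):
    """Flag a download whose name promises a PDF but whose content is executable."""
    verdict = classify(path)
    claims_pdf = ".pdf" in Path(path).name.lower()  # also catches "Report.pdf.app"
    flagged = claims_pdf and verdict in {"mach-o", "app-bundle"}
    return {"path": str(path), "verdict": verdict, "claims_pdf": claims_pdf, "flagged": flagged}

def build_samples():
    """Constructed sample downloads (not real campaign artifacts) in a temp dir."""
    root = Path(tempfile.mkdtemp())
    real = root / "BTC_price_update.pdf"
    real.write_bytes(b"%PDF-1.7\n%constructed placeholder document\n")
    fake = root / "DeFi_trends.pdf"
    fake.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # constructed 64-bit LE Mach-O header
    bundle = root / "Market_Report.pdf.app" / "Contents"
    bundle.mkdir(parents=True)
    (bundle / "Info.plist").write_text("<plist/>")
    return {"real": real, "fake": fake, "bundle": bundle.parent}

if __name__ == "__main__":
    for name, p in build_samples().items():
        print(name, triage(p))
```

On a real Mac, a flagged item can then be inspected with `codesign -dv --verbose=4 <path>` and `spctl --assess -vv <path>` to see which Developer ID signed it, since a valid signature alone is not evidence of good intent.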