North Korean Hackers Deploy NimDoor Malware Targeting Mac Cryptocurrency Users

North Korean hackers have been identified as the perpetrators behind a sophisticated cyberattack campaign targeting cryptocurrency projects. The attackers have developed a new strain of malware specifically designed to infiltrate Apple devices, known as NimDoor. This malware is particularly concerning because it exploits the growing belief that Mac computers are less susceptible to hacks and exploits, a notion that has been debunked by recent events.
The attack begins with the hackers impersonating a trusted individual on messaging platforms like Telegram. They then request a fake meeting via a Google Meet link, sending what appears to be a Zoom update file to the victim. Once the “update” is executed, the payload installs NimDoor on the victim's Mac computer. This malware is designed to target crypto wallets and browser passwords, making it a significant threat to cryptocurrency users.

One of the unique aspects of NimDoor is that it is written in an uncommon programming language called Nim. This choice makes it harder for security software to detect, as Nim can run on Windows, Mac, and Linux without modifications. The malware also compiles quickly to native code, creates standalone executable files, and is very difficult to detect. This makes it a versatile tool for cybercriminals, who can write one piece of malware that works across multiple operating systems.
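The lure described above is a file that merely claims to be a Zoom update. A practical defender-side check is to refuse any such file unless it carries a valid code signature from the vendor's own Apple Developer Team ID. The script below is an added example, not code from the article or from any vendor: it parses the output of macOS's `codesign -dv --verbose=4` and accepts the file only when the Team Identifier matches an allow-list. The Team ID, the `assess_update`/`check_file` function names and the sample signature output are all assumptions constructed for illustration.

```python
# Added example (not from the article): verify that a file claiming to be a
# vendor update is code-signed by that vendor's Team ID before anyone runs it.
# The Team ID below is a placeholder; read the real one from the genuine app
# by running `codesign -dv --verbose=4 /Applications/<App>.app` and copying
# its "TeamIdentifier=" line.
import subprocess
from typing import Dict, Tuple, Union

EXPECTED_TEAM_IDS = {"zoom": "TEAMID-PLACEHOLDER"}  # placeholder allow-list

# codesign emits this line (on stderr) for a completely unsigned binary.
UNSIGNED_MARKER = "code object is not signed at all"


def parse_codesign(output: str) -> Dict[str, Union[str, list]]:
    """Turn codesign's key=value lines into a dict.

    Keys that repeat (the several Authority= lines that make up the
    certificate chain) are collected into a list.
    """
    fields: Dict[str, Union[str, list]] = {}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in fields:
            prev = fields[key]
            fields[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            fields[key] = value
    return fields


def assess_update(codesign_output: str, vendor: str) -> Tuple[bool, str]:
    """Return (trusted, reason) for a codesign output string and a vendor name.

    Unsigned files, ad-hoc signatures ("TeamIdentifier=not set") and files
    signed by any other team are all rejected.
    """
    if UNSIGNED_MARKER in codesign_output:
        return False, "file is not code-signed"
    fields = parse_codesign(codesign_output)
    team = fields.get("TeamIdentifier")
    if not team or team == "not set":
        return False, "no Team Identifier in signature"
    expected = EXPECTED_TEAM_IDS.get(vendor.lower())
    if team != expected:
        return False, f"signed by team {team}, expected {expected}"
    ident = fields.get("Identifier", "?")
    return True, f"signed by expected team {team} (identifier {ident})"


def check_file(path: str, vendor: str) -> Tuple[bool, str]:
    """Run codesign on a real path (macOS only); codesign writes to stderr."""
    proc = subprocess.run(
        ["codesign", "-dv", "--verbose=4", path],
        capture_output=True, text=True,
    )
    return assess_update(proc.stderr + proc.stdout, vendor)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    vendor_name = sys.argv[2] if len(sys.argv) > 2 else "zoom"
    ok, why = check_file(target, vendor_name)
    print(("TRUSTED: " if ok else "REJECT: ") + why)
```

Run it as `python3 check_update.py ~/Downloads/<file> zoom` on the Mac that received the file. A file pushed through a chat that fails this check should be discarded rather than opened; a genuine vendor update carries the vendor's Team ID, and a chat attachment is not how those updates normally arrive. The signature check says nothing about what a correctly signed binary does, so it complements, rather than replaces, endpoint monitoring for the credential-theft behaviour the article describes.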
The payload of NimDoor contains a credential-stealer designed to silently extract browser and system-level information, package it, and exfiltrate it. It also includes a script that steals Telegram’s encrypted local database and the decryption keys. To avoid detection by security scanners, the malware waits ten minutes before activating.
This is not the first time North Korean-aligned threat actors have experimented with unusual programming languages. Previously, they have used Go and Rust, but Nim offers significant advantages in terms of versatility and evading detection. The malware is also capable of bypassing Apple’s memory protections to inject the payload, making it a formidable threat.
The use of NimDoor is part of a broader trend of cyberattacks targeting cryptocurrency projects. In June, cybersecurity solutions provider reported similar malware incursions linked to the North Korean state-sponsored hacking group. The malware used in these attacks was capable of keylogging, screen recording, and clipboard retrieval, and included a full-featured infostealer called CryptoBot, which focused on cryptocurrency theft. This infostealer penetrated browser extensions, seeking out wallet plugins.
This week, blockchain security firm alerted users to a massive malicious campaign involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials. The increasing sophistication of these attacks highlights the growing threat posed by state-sponsored hackers to the cryptocurrency industry.
Researchers concluded that over the last few years, macOS has become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers. This debunks the myth that Macs don’t get viruses, underscoring the need for enhanced security measures to protect against such threats.