North Korean hackers have launched a targeted campaign against crypto firms using a new malware called NimDoor. This malware is disguised as an SDK update and is spread through Telegram messages and email invites. Victims are tricked into downloading an AppleScript file that installs NimDoor onto their macOS devices. The script is padded with thousands of blank lines to hide its malicious code, making it difficult to detect.

The malware is particularly dangerous due to its stealth capabilities. It is written in the rare Nim programming language, which helps the code evade traditional security analysis. Once installed, NimDoor injects itself into other processes, uses encrypted WebSocket channels for communication, and resists deletion by reinstalling itself if terminated. It also includes a beaconing system via AppleScript, pinging command servers every 30 seconds to maintain persistence.
The primary goal of NimDoor is to steal sensitive data from crypto companies. It collects saved passwords from various browsers, macOS Keychain contents, local Telegram databases and encryption keys, terminal command history, and system information. This allows attackers to compromise crypto wallets, hijack Telegram accounts, and steal business-critical data while remaining undetected.
To protect against this threat, crypto firms and individual users should avoid downloading updates from unofficial links or direct messages. It is crucial to use trusted sources for software updates and regularly monitor system login items. Endpoint protection tools should be configured to detect unusual process injections and AppleScript activity. By taking these precautions, users can reduce the risk of falling victim to NimDoor and similar malware attacks.
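
The blank-line padding described above can be checked for before a downloaded script is ever opened or run. The following is an added example, not code from the article or from any vendor: it assumes the script is plain-text AppleScript (not a compiled `.scpt`), and the function name, threshold and sample strings are illustrative.

```python
"""Flag text scripts that hide code behind a long run of blank lines."""
from dataclasses import dataclass

# Assumed threshold: ordinary scripts rarely contain 200+ consecutive blank lines.
BLANK_RUN_THRESHOLD = 200


@dataclass
class PaddingFinding:
    total_lines: int
    longest_blank_run: int
    run_start_line: int   # 1-based line where the longest blank run begins (0 if none)
    hidden_lines: list    # 1-based numbers of non-blank lines after that run
    suspicious: bool


def inspect_padding(text: str, threshold: int = BLANK_RUN_THRESHOLD) -> PaddingFinding:
    lines = text.splitlines()
    longest = run = start = best_start = 0
    for number, line in enumerate(lines, start=1):
        if line.strip():              # whitespace-only lines count as blank
            run = 0
            continue
        if run == 0:
            start = number
        run += 1
        if run > longest:
            longest, best_start = run, start
    end = best_start + longest        # first line after the longest blank run
    hidden = [n for n, l in enumerate(lines, start=1) if n >= end and l.strip()] if longest else []
    # Padding only matters when content follows it; trailing blank lines alone are ignored.
    suspicious = longest >= threshold and bool(hidden)
    return PaddingFinding(len(lines), longest, best_start, hidden, suspicious)


# Constructed samples: harmless placeholder text, not taken from any real malware.
PADDED_SAMPLE = (
    "-- Constructed sample: visible header of an 'update' script\n"
    'display dialog "Updating..."\n'
    + "\n" * 5000
    + "-- constructed placeholder for code hidden below the padding\n"
)
NORMAL_SAMPLE = 'display dialog "Hello"\n\n\nreturn 1\n'

if __name__ == "__main__":
    for name, sample in (("padded", PADDED_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(name, inspect_padding(sample))
```

The `hidden_lines` numbers tell a reviewer exactly where to jump in the file instead of scrolling through the padding.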
