AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
North Korean hackers have launched a sophisticated cyberattack campaign targeting cryptocurrency projects, using a new strain of malware designed specifically for macOS devices. The attackers rely on social engineering: they impersonate trusted individuals on messaging platforms and then send fake meeting invitations via Google Meet links. Once the victim runs the seemingly legitimate Zoom update file, the malware, named NimDoor, is installed on their Mac. It is particularly adept at targeting crypto wallets and browser passwords, exploiting the misconception that Macs are less susceptible to such attacks.

The malware is written in Nim, a relatively new and uncommon programming language. This choice makes it harder for security software to detect, and Nim code can be built for multiple operating systems without modification. The payload includes a credential stealer that silently extracts and exfiltrates browser and system-level information, as well as a script that steals Telegram’s encrypted local database and its decryption keys. The malware also uses a timing trick, waiting ten minutes before activating, to avoid detection by security scanners.
This attack vector is not isolated. A cybersecurity solutions provider reported similar malware incursions linked to the North Korean state-sponsored hacking group. In these cases the malware was able to bypass Apple’s memory protections to inject its payload, enabling keylogging, screen recording, clipboard retrieval, and the deployment of a full-featured infostealer called CryptoBot. This infostealer targets cryptocurrency theft specifically, penetrating browser extensions and seeking out wallet plugins.
The use of Nim-compiled binaries on macOS is a notable departure from previous tactics, in which North Korean-aligned threat actors experimented with Go and Rust. Nim offers significant advantages, including fast compilation, the creation of standalone executable files, and enhanced stealth. This shift underscores the evolving sophistication of cyber threats, particularly those targeting the cryptocurrency industry.
The recent alert about a massive malicious campaign involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials further highlights the growing threat landscape. Over the last few years, macOS has become a larger target for threat actors, especially those engaged in highly sophisticated, state-sponsored attacks. This debunks the myth that Macs are immune to viruses and underscores the need for enhanced security measures in the cryptocurrency sector.