North Korean hacking groups have recently escalated their cyber activities by employing new methods to target Web3 companies. These groups have been observed using a malware known as NimDoor, which is compiled in the Nim programming language and specifically targets macOS systems. The malware is designed to maintain access even after termination or system reboot, making it particularly persistent and difficult to detect.
The attack process begins with threat actors contacting potential victims via messaging apps like Telegram. They use social engineering techniques to convince targets to join a call using a scheduling service like Calendly. Once the victim is engaged, the hackers send an email with a malicious "Zoom SDK update" script. This script installs the NimDoor malware silently, allowing it to communicate with a command and control (C2) server.
Once installed, the malware executes bash scripts to access and exfiltrate data from various browsers, including Chrome, Edge, Arc, Brave, and Firefox. It can also steal iCloud Keychain credentials and Telegram user data from the target's device. The use of less popular programming languages like Nim makes it harder for analysts to detect and block the malware using existing security measures.
The NimDoor malware features a "signal-based persistence mechanism" that allows it to reinstall itself and continue operating even if the malicious process is terminated or the system is rebooted. This mechanism uses SIGINT/SIGTERM handlers to ensure the malware's persistence, making it a formidable threat to Web3 and crypto firms.
The adoption of new methods by North Korean hacking groups highlights their evolving tactics in targeting Web3 companies. By using less familiar programming languages and sophisticated social engineering techniques, these groups are able to bypass traditional security measures and gain persistent access to sensitive data. This trend underscores the need for enhanced cybersecurity measures and vigilance within the Web3 and crypto industries to protect against such advanced threats.
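
A defender-side sketch of how the data collection described above could be surfaced in endpoint telemetry, added here as an example and not taken from the article or from any vendor's tooling: it flags a shell whose own or child processes open files in several of the named stores. The event schema, the path fragments and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Stores named in the article, as path fragments. The fragments are this
# example's assumptions about default per-user macOS locations.
STORES = {
    "chrome": "/Library/Application Support/Google/Chrome/",
    "edge": "/Library/Application Support/Microsoft Edge/",
    "arc": "/Library/Application Support/Arc/",
    "brave": "/Library/Application Support/BraveSoftware/",
    "firefox": "/Library/Application Support/Firefox/",
    "keychain": "/Library/Keychains/",
    "telegram": "/Library/Application Support/Telegram Desktop/",
}
SHELLS = {"bash", "sh", "zsh"}
U = "/Users/a/Library"  # constructed home directory

# Constructed file-open events; the schema (pid, proc, ppid, pproc, path) is hypothetical.
SAMPLE_EVENTS = [
    {"pid": 200, "proc": "Google Chrome", "ppid": 1, "pproc": "launchd", "path": U + "/Application Support/Google/Chrome/Default/Login Data"},
    {"pid": 502, "proc": "cp", "ppid": 501, "pproc": "bash", "path": U + "/Application Support/Google/Chrome/Default/Login Data"},
    {"pid": 503, "proc": "cp", "ppid": 501, "pproc": "bash", "path": U + "/Application Support/Firefox/Profiles/x.default/logins.json"},
    {"pid": 501, "proc": "bash", "ppid": 1, "pproc": "launchd", "path": U + "/Keychains/login.keychain-db"},
    {"pid": 504, "proc": "cp", "ppid": 501, "pproc": "bash", "path": U + "/Application Support/Telegram Desktop/tdata/key_datas"},
    {"pid": 778, "proc": "tar", "ppid": 777, "pproc": "zsh", "path": U + "/Application Support/Firefox/Profiles/x.default/places.sqlite"},
    {"pid": 778, "proc": "tar", "ppid": 777, "pproc": "zsh", "path": "/Users/a/Documents/notes.txt"},
]

def classify(path):
    """Return the name of the store a path falls under, or None."""
    for name, fragment in STORES.items():
        if fragment in path:
            return name
    return None

def flag_collectors(events, min_stores=3):
    """Map shell pid -> sorted stores, for shells that (directly or through a
    child process) opened files in at least min_stores distinct stores."""
    touched = defaultdict(set)
    for ev in events:
        store = classify(ev["path"])
        if store is None:
            continue
        if ev["proc"] in SHELLS:        # the shell opened the file itself
            shell_pid = ev["pid"]
        elif ev["pproc"] in SHELLS:     # a tool launched by the shell did
            shell_pid = ev["ppid"]
        else:                           # e.g. a browser reading its own profile
            continue
        touched[shell_pid].add(store)
    return {pid: sorted(s) for pid, s in touched.items() if len(s) >= min_stores}

if __name__ == "__main__":
    print(flag_collectors(SAMPLE_EVENTS))
```

The threshold trades noise for coverage: a backup script that touches one browser profile stays below it, while a script sweeping several browsers plus the Keychain and Telegram data does not.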