SentinelLabs uncovers NimDoor, new North Korea-aligned macOS malware targeting Web3 and crypto firms. The malware is built with Nim, uses AppleScript, and steals Keychain, browser, shell, and Telegram data.
Analysis Summary
# Threat Actor: North Korea-aligned group (Unnamed in article)
## Attribution & Identity
The actors are identified as North Korean hackers. Specific group attribution (e.g., Lazarus Group, Andariel) is not provided in this excerpt, only the national alignment.
## Activity Summary
The malicious activity involves the deployment of a new macOS malware named **NimDoor**. This was achieved by leveraging a social engineering lure: distributing the malware via fake Zoom update installers.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Distributing malware disguised as legitimate software updates (fake Zoom updates).
- **Execution/Payload:** The malware is written in **Nim** and uses **AppleScript**.
- **Credential Theft:** Steals credentials stored in the macOS **Keychain**.
- **Data Exfiltration:** Steals browser session data, shell data, and Telegram data.
- No specific MITRE ATT&CK IDs are mentioned in the provided text.
## Targeting
- Sectors: Web3 and cryptocurrency firms.
- Geography: Not specified in the excerpt.
- Victims: Not specifically named, but targets fall within the Web3/crypto industry.
## Tools & Infrastructure
- **Malware families used:** NimDoor (new macOS malware).
- **Infrastructure (C2, domains, IPs):** Not specified in the excerpt.
## Implications
This activity indicates continued interest by North Korean threat actors in targeting high-value financial/technology sectors, specifically the rapidly growing Web3 and cryptocurrency industry, utilizing sophisticated macOS-specific malware.
## Mitigations
- Exercise extreme caution when downloading software updates, even for popular applications like Zoom, and only download from official sources.
- Ensure robust endpoint detection and response (EDR) is in place for macOS systems.
- Implement strong application control policies.
- Regularly audit and secure the macOS Keychain for sensitive credentials.
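The first mitigation above (only install updates from official sources) and the application-control point are easier to operationalize with a concrete check. The script below is an added example, not code from the SentinelLabs report: it parses the output of `pkgutil --check-signature` for a downloaded installer package and accepts it only if the package carries an Apple-issued developer signature, is notarized, and is signed by the Developer ID you expect for that vendor. The `EXPECTED_SIGNER` value is a placeholder assumption (it is not Zoom's real signing identity; take the vendor's published Developer ID and set it there), and the two sample reports at the bottom are constructed so the parser can be exercised on non-macOS hosts.

```shell
#!/bin/sh
# Added example (not from the report): gate installation of a downloaded macOS
# .pkg on its code signature and notarization status, rather than on a pop-up
# that merely claims to be an update.

# Placeholder assumption: replace with the vendor's published Developer ID
# Installer identity (name and team ID) before using this for real.
EXPECTED_SIGNER="${EXPECTED_SIGNER:-Developer ID Installer: Example Vendor, Inc. (EXAMPLETEAMID)}"

# check_signature_report: read `pkgutil --check-signature` output on stdin and
# return 0 only if the package is (1) signed with an Apple-issued developer
# certificate, (2) trusted by the Apple notary service, and (3) signed by the
# expected Developer ID. Any other report returns 1.
check_signature_report() {
  report=$(cat)
  printf '%s\n' "$report" | grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
  printf '%s\n' "$report" | grep -q 'Notarization: trusted by the Apple notary service' || return 1
  printf '%s\n' "$report" | grep -Fq "$EXPECTED_SIGNER" || return 1
  return 0
}

# verify_pkg: run the live check on a package file. Only works on macOS, where
# pkgutil and spctl exist; returns 2 elsewhere so callers can tell "not
# checked" from "rejected". spctl --assess --type install applies the same
# Gatekeeper policy the OS would use for an installer.
verify_pkg() {
  pkg="$1"
  command -v pkgutil >/dev/null 2>&1 || { echo "pkgutil not available (not macOS)" >&2; return 2; }
  pkgutil --check-signature "$pkg" | check_signature_report || return 1
  spctl --assess --type install "$pkg" >/dev/null 2>&1 || return 1
  return 0
}

# Constructed sample reports (shape follows pkgutil's output format) so the
# parsing logic can be tested offline.
GOOD_REPORT='Package "installer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Vendor, Inc. (EXAMPLETEAMID)'

BAD_REPORT='Package "installer.pkg":
   Status: no signature'

# Usage: sh verify_pkg.sh /path/to/downloaded.pkg
if [ -n "$1" ]; then
  verify_pkg "$1" && echo "OK: $1 passes signature, notarization and signer checks"
fi
```

A signed-and-notarized package is not proof of benign intent, but an update that fails this check is exactly the kind of artifact a fake-installer lure produces, and the check is cheap enough to run before every manual install or to wire into an endpoint management script.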