Full Report
Social engineering: 'low-cost, hard to patch, and scales well'

North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.…
Analysis Summary
# Threat Actor: Sapphire Sleet
## Attribution & Identity
* **Name/Alias:** Sapphire Sleet
* **Aliases:** APT38, BlueNoroff (also described as a "Pyongyang-backed crew")
* **Known Associations:** North Korean state-sponsored actor; specifically an offshoot involved in financial cybercrime.
## Activity Summary
The actor is currently conducting a sophisticated macOS-focused campaign utilizing social engineering to deliver multi-stage malware. Using LinkedIn and other social platforms, they pose as recruiters offering job opportunities to professionals. They schedule "technical interviews" that require the victim to download a fake Zoom SDK update, leading to a cascading infection chain designed to exfiltrate cryptocurrency and credentials.
## Tactics, Techniques & Procedures
* **Social Engineering:** Uses "low-cost, high-scale" lures including phony job opportunities and fake technical interview requests on LinkedIn.
* **Phishing/Lure Delivery:** Sends malicious AppleScript files disguised as "Zoom SDK Update.scpt" via meeting invites.
* **Obfuscation:** Inserts thousands of blank lines in scripts to hide malicious logic from the victim's view in Script Editor.
* **Living off the Land (LotL):**
  * Abuses the legitimate macOS `softwareupdate` binary to appear trusted.
  * Uses `curl` to fetch subsequent payloads.
  * Uses `osascript` to execute AppleScript payloads.
* **Credential Harvesting:** Deploys a malicious application (`systemupdate.app`) that triggers a fake native macOS password dialog to steal system credentials.
* **Data Exfiltration:** Utilizes the Telegram Bot API for data exfiltration.
* **Persistence & Evasion:** Mimics Apple naming conventions (e.g., `com.apple.cli`) and uses the `NSCreateObjectFileImageFromMemory` API to load payloads directly into memory, bypassing disk-based detection.
* **Bypassing Protections:** Specifically targets macOS TCC (Transparency, Consent, and Control) protections.
## Targeting
* **Sectors:** Finance, Cryptocurrency trading, Blockchain platforms.
* **Geography:** Global (targeting Apple/macOS users).
* **Victims:** Finance professionals and developers (previously identified targeting open-source maintainers, e.g., Topaz).
## Tools & Infrastructure
* **Malware Families:**
  * **icloudz:** A backdoor named to mimic legitimate iCloud artifacts.
  * **com.apple.cli:** A 5 MB Mach-O executable used for host monitoring.
  * **systemupdate.app:** A credential stealer masquerading as a system utility.
* **Infrastructure:**
  * **C2:** Attacker-controlled domains used for dynamic script fetching.
  * **Exfiltration:** Telegram Bot API.
  * **LinkedIn/Social Media:** Used for initial contact and lure delivery.
## Implications
Sapphire Sleet continues to evolve its macOS toolset, demonstrating that North Korean actors are increasingly proficient in bypassing non-Windows security controls. Their shift toward "human-as-a-vulnerability" social engineering allows them to bypass hardened perimeters. The focus on intellectual property and cryptocurrency suggests a strategic mandate to generate revenue for the North Korean regime.
## Mitigations
* **User Training:** Educate employees to be skeptical of unsolicited job offers on LinkedIn or requests to install software for "interviews."
* **Technical Controls:**
  * Ensure macOS **XProtect** and **Safe Browsing** are enabled and updated.
  * Restrict the ability of users to run unapproved AppleScripts or commands shared via chat/messages.
* **Policy:** Implement strict "no-remote-support/tool" policies for interview candidates unless vetted by IT/Security teams.
* **Monitoring:** Track unusual `curl` activity originating from `Script Editor` or `osascript` processes, particularly those involving unique User-Agent strings.
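The monitoring bullet above, as an added example that is not part of the original summary or of Microsoft's report: a small hunt over constructed process-execution events (JSON lines) that flags every `curl` whose parent is `osascript` or `Script Editor` and extracts any explicit User-Agent so it can be compared against an assumed baseline. The event field names, the sample events and the baseline User-Agent are all assumptions.

```python
# Added hunt example (not from the Microsoft report): flag curl launched by an
# AppleScript host and surface any explicit User-Agent it was given.
import json
import re
import shlex

SCRIPT_HOSTS = {"osascript", "Script Editor"}
KNOWN_USER_AGENTS = {"curl/8.4.0"}  # assumed baseline for this environment
# Constructed process-execution events (field names are assumptions about an
# EDR export): one benign Terminal curl, three curl runs from script hosts.
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "Terminal", "process": "curl",
     "cmdline": "curl -sS https://example.org/health"},
    {"pid": 502, "parent": "osascript", "process": "curl",
     "cmdline": 'curl -A "Mozilla/5.0 zsdk" -o /tmp/u https://example.invalid/sdk'},
    {"pid": 503, "parent": "Script Editor", "process": "curl",
     "cmdline": 'curl -H "User-Agent: upd-7f3" https://example.invalid/s'},
    {"pid": 504, "parent": "osascript", "process": "curl",
     "cmdline": "curl https://example.invalid/plain"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

def user_agent(cmdline):
    """User-Agent set by -A/--user-agent or an -H header, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: treat as no explicit UA
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-A", "--user-agent"):
            return argv[i + 1]
        if arg in ("-H", "--header"):
            m = re.match(r"(?i)user-agent:\s*(.*)", argv[i + 1])
            if m:
                return m.group(1).strip()
    return None

def detect(log_text):
    """Return one finding per curl whose parent is an AppleScript host."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        if ev.get("process") != "curl" or ev.get("parent") not in SCRIPT_HOSTS:
            continue
        ua = user_agent(ev.get("cmdline", ""))
        findings.append({"pid": ev["pid"], "parent": ev["parent"], "user_agent": ua,
                         "unique_user_agent": ua is not None and ua not in KNOWN_USER_AGENTS})
    return findings
```

A curl run with no explicit User-Agent is still reported (the parent alone is the signal); `unique_user_agent` only adds weight when the script set one the baseline does not know.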