Full Report
Threat actors with ties to North Korea have been observed targeting Web3 and cryptocurrency-related businesses with malware written in the Nim programming language, underscoring a constant evolution of their tactics. "Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol,"
Analysis Summary
# Threat Actor: North Korean Threat Actors (NimDoor Campaign / Kimsuky)
## Attribution & Identity
The article details threat actors with ties to **North Korea**, specifically activity tracked under the malware name **NimDoor**. It also separately discusses the activities of **Kimsuky**, a known cluster of activity attributed to North Korean hacking groups, potentially using overlapping infrastructure or TTPs.
Known Aliases/Related Activity: Kimsuky, BlueNorOff (implied via linked articles).
## Activity Summary
The principal activity described focuses on a campaign targeting **Web3 and cryptocurrency-related businesses** using Nim-based malware called **NimDoor**, specifically targeting **macOS** systems.
The attack chain involves:
1. Social engineering via messaging platforms (Telegram) to schedule a Zoom meeting (using Calendly).
2. Sending an email with a supposed Zoom meeting link and instructions to run a "Zoom SDK update script."
3. Execution of an AppleScript delivery vehicle pulling a second-stage script from a remote server.
4. Unpacking ZIP archives containing binaries for persistence and information stealing.
5. Use of a C++ loader (InjectWithDyldArm64) to inject code for execution.
Separately, **Kimsuky** is highlighted for continuing to use the **ClickFix social engineering tactic** in a campaign dubbed **BabyShark**, targeting national security experts in South Korea with spear-phishing, often leveraging **GitHub** and **Dropbox** for infrastructure.
## Tactics, Techniques & Procedures
- Initial access via **social engineering** (Telegram scheduling, fake Zoom updates).
- Delivery via **AppleScript** acting as a post-exploitation backdoor/delivery vehicle.
- Use of **process injection** in macOS malware.
- Remote communications utilizing **wss (TLS-encrypted WebSocket protocol)**.
- Novel **persistence mechanism** leveraging SIGINT/SIGTERM signal handlers: the malware installs its persistence components only when it receives a termination signal (e.g., on process termination or reboot).
- Use of a **C++ loader (InjectWithDyldArm64)** to decrypt and inject code from embedded binaries (Target and trojan1_arm64).
- Execution of **information stealing bash scripts**.
- **Beaconing** behavior every 30 seconds via AppleScript to C2.
- **Kimsuky TTPs:** Spear-phishing with compressed archives (RAR or LNK files), dropping VBS or PowerShell scripts, utilizing Scheduled Tasks for persistence, and using hard-coded GitHub Personal Access Tokens (PATs) for staging malware and exfiltration.
## Targeting
- **Sectors:** Web3 and cryptocurrency-related businesses. National security experts (Kimsuky-related activity).
- **Geography:** Not explicitly detailed, but the target audience for Kimsuky activity mentioned is **South Korea**.
- **Victims:** Web3/Crypto platforms (NimDoor). National security experts (Kimsuky).
## Tools & Infrastructure
- **Malware Families:** NimDoor (CoreKitAgent, Target, trojan1_arm64), Xeno RAT, MoonPeak (variant of Xeno RAT).
- **Programming Languages:** Nim (prominent for NimDoor), C++, Visual Basic Script (VBS), PowerShell.
- **Infrastructure:**
- Remote servers for fetching second-stage scripts and C2 communications.
- Two hard-coded **command-and-control (C2) servers** reached via AppleScript beaconing.
- **GitHub** (private repositories accessed via hard-coded PATs used for malware staging and exfiltration by Kimsuky).
- **Dropbox** used as a stager in some Kimsuky operations.
## Implications
These North Korean actors demonstrate a continued evolution, specifically targeting the lucrative **Web3/crypto space** and adopting macOS as a target environment. The use of Nim allows for complex code blending, making static analysis challenging. The use of unusual macOS features (wss protocol, signal handler persistence) indicates growing sophistication on that platform. Kimsuky remains highly active, blending supply chain compromise techniques (GitHub PATs) with social engineering.
## Mitigations
- Implement comprehensive endpoint detection and response (EDR) solutions specialized for **macOS environments**.
- Limit the execution of unsigned scripts or scripts initiated by unknown third-party applications (especially AppleScript execution resulting from user interaction).
- **Restrict or monitor outbound WebSocket (wss) traffic** if not organizationally required, as this is noted as an unusual communication channel for macOS malware.
- Harden user security awareness regarding **social engineering tactics** involving software updates (e.g., fake Zoom SDK updates) delivered via messaging apps.
- For Kimsuky activity: Strictly manage permissions for any accounts that interact with private **GitHub repositories** and audit service tokens (PATs).
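The two observable behaviours called out above, AppleScript beaconing to C2 roughly every 30 seconds and outbound wss egress, can be hunted for in endpoint network telemetry. The script below is an added example written for this summary, not code from the article or any vendor; the "timestamp process -> destination" log format and the sample events are constructed assumptions, not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample events in an assumed "ts process -> destination" format.
SAMPLE_EVENTS = """\
1720000000 osascript -> wss://c2.example.invalid:443
1720000030 osascript -> wss://c2.example.invalid:443
1720000060 osascript -> wss://c2.example.invalid:443
1720000091 osascript -> wss://c2.example.invalid:443
1720000003 Safari -> https://www.example.org:443
1720000410 Safari -> https://www.example.org:443
1720000417 Safari -> https://cdn.example.org:443
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+)$")

def parse_events(text):
    """Return (timestamp, process, url) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events

def find_beacons(events, period=30, tolerance=3, min_hits=3):
    """Flag (process, destination) pairs whose connection gaps all sit within
    `tolerance` seconds of `period`; returns the mean gap per flagged pair."""
    by_pair = defaultdict(list)
    for ts, proc, url in events:
        by_pair[(proc, url)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and all(abs(g - period) <= tolerance for g in gaps):
            hits[pair] = round(sum(gaps) / len(gaps), 1)
    return hits

def wss_egress(events):
    """Processes opening wss:// connections; per the summary this is an unusual
    channel for macOS malware, so anything outside known apps merits review."""
    return {proc for _, proc, url in events if url.startswith("wss://")}

def analyze(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return {"beacons": find_beacons(events), "wss_processes": wss_egress(events)}

if __name__ == "__main__":
    print(analyze())
```

The `tolerance` and `min_hits` thresholds are tuning knobs; tighten them on noisy hosts so that ordinary browser keep-alives are not flagged alongside a fixed-interval osascript loop.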