Full Report
We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet (also tracked as BlueNoroff/UNC1069).
Analysis Summary
# Threat Actor: Sapphire Sleet
## Attribution & Identity
* **Name:** Sapphire Sleet
* **Aliases:** BlueNoroff, UNC1069
* **Identity:** North Korean state-sponsored threat group.
* **Associations:** Part of the broader Lazarus Group ecosystem, specifically focused on financial gain and cryptocurrency theft.
## Activity Summary
The actor is currently conducting a multi-stage macOS intrusion campaign. The operation utilizes social engineering, posing as recruiters or business partners on platforms like LinkedIn and Telegram. Victims are tricked into running a malicious AppleScript disguised as a Zoom SDK update, which facilitates the delivery of secondary payloads and the theft of cryptocurrency and sensitive credentials.
## Tactics, Techniques & Procedures
* **Initial Access:** Social Engineering; user-assisted execution of malicious AppleScript (Zoom SDK Update.scpt).
* **Execution:** Use of native macOS tools: `Script Editor`, `osascript`, and `curl`.
* **Obfuscation:** High-volume whitespace padding in scripts to hide malicious code from visual inspection.
* **Credential Access:** Deployment of a fake Objective-C password prompt (Mac Password Popup) to harvest login credentials. [T1552]
* **Persistence:** Establishing a LaunchDaemon at `/Library/LaunchDaemons/com.google.webkit.service.plist`. [T1543.001]
* **Defense Evasion (TCC Abuse):** Using `sqlite3` to manipulate the Transparency, Consent, and Control (TCC.db) database via the Finder application to grant full automation permissions to `osascript`. [T1548]
* **Memory Injection:** Use of `NSCreateObjectFileImageFromMemory` to reflectively load the core beacon agent directly into memory. [T1620]
* **Exfiltration:** Data staging in `.zip` archives within `/tmp/` and exfiltration via `curl`. [T1048]
## Targeting
* **Sectors:** Financial Services, Venture Capital, Web3 development, and Cryptocurrency organizations.
* **Geography:** Global (focused on high-value crypto/tech hubs).
* **Victims:** Individuals in crypto investment and Web3 spaces.
## Tools & Infrastructure
* **Malware Families:**
  * `systemupdate.app` (Credential harvester)
  * `icloudz` (Backdoor/Loader)
  * `com.google.chromes.updaters` (Memory-resident beacon)
* **Infrastructure:**
  * **C2/Exfiltration:** 104.145.210[.]107:6783
  * **Alternative Port:** 8443
  * **User-Agents:** `mac-cur1` through `mac-cur5`
## Implications
Sapphire Sleet has demonstrated a significant evolution in macOS tradecraft, shifting from basic macros to sophisticated "living-off-the-land" techniques that abuse built-in system trust (like Finder's permissions). Their ability to bypass TCC protections and execute reflectively in memory poses a high risk to organizations relying solely on traditional signature-based security alerts.
## Mitigations
* **System Hardening:** Implement MDM profiles to restrict the execution of unsigned AppleScripts and suspicious `.scpt` files.
* **Monitor Native Binaries:** Audit and alert on suspicious parent-child process relationships, specifically those involving `Script Editor` spawning `curl` or `osascript`.
* **TCC Privacy Monitoring:** Monitor for unauthorized modifications to `TCC.db`, especially by processes other than standard system installers.
* **Network Defense:** Block outbound traffic to known C2 indicators and monitor for unusual high-port transfers (e.g., 6783, 8443) using `curl`.
* **User Awareness:** Educate employees in financial/Web3 roles about "recruiter" scams on social media and the risks of downloading meeting software components from unofficial links.
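As an added example that is not part of the original report, the following Python classifies constructed EDR-style telemetry records against the process-chain, TCC.db, LaunchDaemon and network indicators listed above; the record field names (`type`, `parent`, `process`, `cmdline`, `dest_ip`, `dest_port`, `user_agent`, `path`) and the trusted TCC.db writer list are assumptions.

```python
import re

# Indicators are those listed in the report above; the telemetry field names
# and the sample records are constructed for this example, not real captures.
C2_HOST = "104.145.210.107"
C2_PORTS = {6783, 8443}
UA_PATTERN = re.compile(r"mac-cur[1-5]")
LAUNCH_DAEMON = "/Library/LaunchDaemons/com.google.webkit.service.plist"
SCRIPT_PARENTS = {"Script Editor", "osascript"}
TRUSTED_TCC_WRITERS = {"tccd", "installer"}  # assumed legitimate TCC.db writers

def classify(event):
    """Return the names of the detection rules a single telemetry record matches."""
    hits = []
    kind, proc, parent = event.get("type"), event.get("process", ""), event.get("parent", "")
    if kind == "process":
        # Script Editor or osascript chaining into curl/osascript (execution stage).
        if parent in SCRIPT_PARENTS and proc in {"curl", "osascript"}:
            hits.append("script-editor-spawn")
        # sqlite3 touching TCC.db from anything other than a trusted writer.
        if proc == "sqlite3" and "TCC.db" in event.get("cmdline", "") \
                and parent not in TRUSTED_TCC_WRITERS:
            hits.append("tcc-db-tamper")
    elif kind == "network" and proc == "curl":
        # Known C2 host, or curl talking to the report's high ports.
        if event.get("dest_ip") == C2_HOST or event.get("dest_port") in C2_PORTS:
            hits.append("c2-high-port")
        if UA_PATTERN.fullmatch(event.get("user_agent", "")):
            hits.append("c2-user-agent")
    elif kind == "file" and event.get("path") == LAUNCH_DAEMON:
        hits.append("launchdaemon-persist")
    return hits

def scan(events):
    """Count rule hits across a stream of telemetry records."""
    counts = {}
    for ev in events:
        for rule in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts

SAMPLE_EVENTS = [  # constructed records, not real captures
    {"type": "process", "parent": "Script Editor", "process": "osascript"},
    {"type": "process", "parent": "Script Editor", "process": "curl"},
    {"type": "process", "parent": "Finder", "process": "sqlite3", "cmdline": "sqlite3 /Library/Application Support/com.apple.TCC/TCC.db"},
    {"type": "network", "process": "curl", "dest_ip": C2_HOST, "dest_port": 6783, "user_agent": "mac-cur3"},
    {"type": "network", "process": "curl", "dest_ip": "203.0.113.5", "dest_port": 8443, "user_agent": "curl/8.4.0"},
    {"type": "file", "process": "osascript", "path": LAUNCH_DAEMON},
    {"type": "process", "parent": "Terminal", "process": "curl"},  # benign: no rule should fire
]
```

`scan(SAMPLE_EVENTS)` returns one count per rule; the port-only rule is deliberately loose and expects tuning per environment, since 8443 is common in benign traffic.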