URL:
https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/
Advanced Persistent Threat

BLUENOROFF HIDDEN RISK | THREAT ACTOR TARGETS MACS WITH FAKE CRYPTO NEWS AND NOVEL PERSISTENCE

Raffaele Sabato, Phil Stokes & Tom Hegel / November 7, 2024

EXECUTIVE SUMMARY

* SentinelLabs has observed a suspected DPRK threat actor targeting crypto-related businesses with novel multi-stage malware.
* We assess with high confidence that the same actor is responsible for earlier attacks attributed to BlueNoroff and the RustDoor/ThiefBucket and RustBucket campaigns.
* SentinelLabs observed the use of a novel persistence mechanism abusing the Zsh configuration file zshenv.
* The campaign, which we dubbed ‘Hidden Risk’, uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file.

OVERVIEW

Cryptocurrency-related businesses have been targets of North Korean-affiliated threat actors for some time now, with multiple campaigns aiming to steal funds and/or insert backdoor malware into targets. In April 2023, researchers detailed an APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. ‘RustBucket’, as they labeled it, was attributed with strong confidence to the BlueNoroff APT. In May 2023, ESET researchers discovered a second RustBucket variant targeting macOS users, followed by Elastic’s discovery in July that year of a third variant that included a LaunchAgent for persistence. In November 2023, Elastic also reported on another DPRK campaign targeting blockchain engineers of a crypto exchange platform with KandyKorn malware. Further analysis by SentinelLabs was able to connect the KandyKorn and RustBucket campaigns.
In early September 2024, the FBI began warning that North Korea was conducting “highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance (“DeFi”), cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency”. Researchers from Jamf followed up on this report a few weeks later, detailing an attack attempt that deployed malware masquerading as a Visual Studio updater. In October 2024, SentinelLabs observed a phishing attempt against a crypto-related business that delivered a dropper application and a payload bearing many of the hallmarks of these previous attacks. We believe the campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics. We dubbed this campaign ‘Hidden Risk’ and detail its operation and indicators of compromise below, including the use of a novel persistence mechanism abusing the zshenv configuration file.

INFECTION VECTOR

Initial infection is achieved via a phishing email containing a link to a malicious application. The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”. The emails hijack the name of a real person in an unrelated industry as the sender and purport to be forwarding a message from a well-known crypto social media influencer. In the case of the ‘Hidden Risk’ PDF, the threat actors copied a genuine research paper entitled ‘Bitcoin ETF: Opportunities and risk’ by an academic associated with the University of Texas and hosted online by the International Journal of Science and Research Archive (IJSRA).
Figure: The fake PDF displayed to targets (left) and the original source document hosted online (right)

Unlike earlier campaigns attributed to BlueNoroff, the Hidden Risk campaign uses an unsophisticated phishing email that does not engage the recipient with contextually relevant content, such as references to personal or work-related information. Also of note is that the sender domain in our observed incident, kalpadvisory[.]com, has been noted for spamming among online communities involved in the Indian stock market.

Figure: Social media users complain about spam calls from Kalp Advisory

The ‘open’ link in the phishing email hides a URL to another domain, delphidigital[.]org. The full URL currently serves a benign form of the Bitcoin ETF document, with titles that differ over time. However, the same URL has at some point switched, or switches, to serving the first stage of a malicious application bundle entitled ‘Hidden Risk Behind New Surge of Bitcoin Price.app’ (SHA1 3f17c5a7d1e7fd138163d8039e614b8a967a56cb).

Figure: Application icon for the Stage 1 dropper

FIRST STAGE | “BAIT AND SWITCH” DROPPER APPLICATION REPLACES PDF

The first stage is a Mac application written in Swift displaying the same name as the expected PDF, “Hidden Risk Behind New Surge of Bitcoin Price.app”. The application bundle has the bundle identifier Education.LessonOne and contains a universal architecture (i.e., arm64 and x86-64) Mach-O executable named LessonOne. The application bundle was signed and notarized on 19 October 2024 with the Apple Developer ID “Avantis Regtech Private Limited (2S8XHJ7948)”. The signature has since been revoked by Apple.

Figure: Code signing details for the Hidden Risk Behind New Surge of Bitcoin Price.app

On launch, the application downloads the decoy “Hidden Risk” PDF file from a Google Drive share and opens it using the default macOS PDF viewer (typically Preview). Similar TTPs were previously reported by researchers at Kandji in August.
The PDF is written into a temporary file before being moved to /Users/Shared using NSFileManager’s moveItemAtURL:toURL:error: method. The malware then downloads and executes a malicious x86-64 binary sourced from matuaner[.]com via a URL hard-coded into the Stage 1 binary. Since by default macOS App Transport Security will not allow an application to load over plain HTTP, the application’s Info.plist lists this domain in the NSExceptionDomains dictionary under its NSAppTransportSecurity key and sets NSExceptionAllowsInsecureHTTPLoads to true for it.

Figure: The Stage 1’s Info.plist adds the C2 domain as an exception for Apple’s App Transport Security settings

The Info.plist also indicates that the application was built on a macOS 14.2 Sonoma machine but will run on both Intel and Apple silicon Macs with macOS 12 Monterey or later.

SECOND STAGE | ‘GROWTH’ X86-64 MACH-O BACKDOOR

The malicious binary downloaded by the first stage dropper is a single-architecture Mach-O x86-64 executable (SHA1 7e07765bf8ee2d0b2233039623016d6dfb610a6d), meaning that although the parent dropper will execute on both Intel and Apple silicon machines, the Stage 2 will only run on Intel Macs or on Apple silicon devices with the Rosetta 2 translation layer installed. The binary, written in C++, has the name ‘growth’, weighs in at around 5.1 MB and is not code signed at all (SentinelLabs was able to share the file with researchers). The executable contains a number of identifiable functions, which we outline below, with the overall objective being to act as a backdoor that executes remote commands.

Figure: Some interesting functions in the ‘growth’ binary

On execution, the ‘growth’ binary performs the following actions.

1. Calls the sym.install_char__char_ function to install persistence. We discuss this in the next section.
2. Runs several commands to gather environmental information from the host and generates a random UUID of length 16.
   These commands include sw_vers ProductVersion, sysctl hw.model and sysctl kern.boottime.
3. Calculates the current date and time and runs ps aux to list running processes.
4. Sends the string “ci”, the random UUID and the gathered host data to a remote server using the DoPost function and awaits the C2 response.
5. Uses the ProcessRequest function to parse the response. If the first byte of the response is 0x31, it sends the string “cs”, the random UUID and the value -1 using DoPost and exits. If the first byte is 0x30, it executes the SaveAndExec function and then sends the string “cs”, the random UUID and the value 0 using DoPost. The SaveAndExec function reads the C2 response, parses it, saves it into a random, hidden file at /Users/Shared/.XXXXXX, and executes it.

   Figure: The ProcessRequest function parses the C2 response

6. Sleeps for 60 seconds and starts the flow again from step 3.

The DoPost function makes the HTTP POST request to the C2 using libcurl. The first argument is the C2 URL, the second is the data sent in the body of the POST request, and the third is the data pointer passed to the write callback.

Figure: The DoPost function constructs and sends the HTTP request

We have previously noted that this same User-Agent string, mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0), appeared in RustBucket malware in 2023. The string cur1-agent (with a 1 in place of the l in “curl”) is also used, as reported by Elastic; it is a fairly unique indicator we have not observed elsewhere. We also see similarities in the way that earlier malware parsed the response from the C2, essentially comparing one of two values as decision logic between awaiting a further response, exiting, or reading and writing a remote command to file. ProcessRequest, the name of the function used for this purpose, was also used in an ObjCShellz payload observed in a previous campaign.
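The beacon decision logic of steps 4 to 6, together with SaveAndExec’s file staging, as an added example in Python. This is not SentinelLabs code and not the malware’s own code; it models the described behaviour so an analyst can exercise it against captured responses. Assumptions: the task payload is read as 0#<opaque>:command, with everything after the first ‘:’ that follows ‘#’ treated as the command; staging happens in a temporary directory instead of /Users/Shared; nothing is ever executed; the responses used at the bottom are constructed, not captured traffic.

```python
"""Decoder for the 'growth' backdoor's C2 decision logic as described above.

Added example: not SentinelLabs code and not the malware's own code.
Assumed: 0#<opaque>:command payload layout, staging in a temp dir, no execution.
"""
import os
import secrets
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

EXIT_MARKER = 0x31  # '1': report -1 via "cs" and exit
TASK_MARKER = 0x30  # '0': task delivered; save as hidden file, run it, report 0


@dataclass
class C2Decision:
    report: Tuple[str, str, int]  # ("cs", uuid, status) sent back through DoPost
    command: Optional[bytes]      # decoded task, None when the implant should exit
    exit_now: bool


def parse_task_payload(payload: bytes) -> bytes:
    """Slice the command out of a 0#\\0:command payload (separator handling assumed)."""
    hash_idx = payload.index(b"#")             # ValueError on malformed payload
    colon_idx = payload.index(b":", hash_idx)  # first ':' after the '#'
    return payload[colon_idx + 1:]


def process_request(uuid: str, response: bytes) -> C2Decision:
    """Mirror ProcessRequest: branch on the first byte of the C2 response."""
    if not response:
        raise ValueError("empty C2 response")
    first = response[0]
    if first == EXIT_MARKER:
        return C2Decision(("cs", uuid, -1), None, True)
    if first == TASK_MARKER:
        return C2Decision(("cs", uuid, 0), parse_task_payload(response), False)
    raise ValueError(f"unexpected first byte 0x{first:02x}")


def stage_task(command: bytes, staging_dir: str) -> Tuple[str, int]:
    """Reproduce SaveAndExec's file handling: hidden 6-character random name and
    mode 0777. staging_dir stands in for /Users/Shared; the file is never run."""
    name = "." + secrets.token_hex(3)  # 6 hex characters after the dot
    path = os.path.join(staging_dir, name)
    with open(path, "wb") as fh:
        fh.write(command)
    os.chmod(path, 0o777)
    return path, os.stat(path).st_mode & 0o777


def stage_task_in_tempdir(command: bytes) -> Tuple[str, int]:
    """Stage into a throwaway directory; returns (file name, mode) for inspection."""
    with tempfile.TemporaryDirectory() as staging_dir:
        path, mode = stage_task(command, staging_dir)
        return os.path.basename(path), mode


def new_implant_id() -> str:
    """16-character random identifier, the length the analysis reports."""
    return secrets.token_hex(8)


if __name__ == "__main__":
    implant_id = new_implant_id()
    # Constructed responses: one task ("0#..."), then an exit instruction ("1").
    for resp in (b"0#\x00:ps aux", b"1"):
        decision = process_request(implant_id, resp)
        print(decision.report, decision.command, decision.exit_now)
```

The two markers are ASCII ‘0’ and ‘1’, so a raw response body can be fed straight in; anything else raises rather than being silently treated as a task, which is the safer default for an analyst’s decoder.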
The SaveAndExec function is responsible for executing any commands received from the C2. It takes two parameters, the payload received and the length of the payload. The function parses the payload and calculates indices from the positions of the “#” and “:” characters, the C2 delivering data in the form 0#\0:command.

Figure: SaveAndExec function parses the received script for embedded commands

Based on the calculated indices, it creates a random file name of length 6 and writes the received command as a hidden file to /Users/Shared/.%s. It then calls chmod with mode 0777 (given as 0x777 in the original write-up) so that the file is world-readable, -writable and -executable, and finally executes it via popen.

Figure: The SaveAndExec function changes the file’s permissions and then executes it

PERSISTENCE VIA ZSHENV

The backdoor’s operation is functionally similar to previous malware attributed to this threat actor, but what makes it especially interesting is the persistence mechanism, which abuses the zshenv configuration file. zshenv is one of several optional configuration files used by the Zsh shell. At the user level, it is a hidden file in the home directory, ~/.zshenv. A system-wide version can also exist at /etc/zshenv. If it exists, the file is sourced for every Zsh invocation, interactive and non-interactive, login and non-login, including scripts, and it is read before all other Zsh startup files. Interestingly, previous malware samples used by the same threat actor referenced zsh_env in their naming convention without actually using the mechanism. In an earlier campaign, BlueNoroff used the ~/.zshrc config file to achieve persistence. That is a less reliable form of persistence, since .zshrc is only sourced when a user launches an interactive Terminal session or a subshell from an existing console. Infecting the host with a malicious zshenv file allows for a more powerful form of persistence.
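Host-side hunting for the artifacts described in the dropper and backdoor analysis, as an added example that is not SentinelOne tooling: the App Transport Security exception in the Stage 1 Info.plist, a zshenv that executes a hidden file and gates on a /tmp dot-file, and hidden files under /Users/Shared. The sample bundle, zshenv and directory tree are constructed in a temporary directory so the script runs offline; the shape of the sample zshenv (a run-once guard on a /tmp touch file) is written for this example from the description in this post, not copied from the actor’s file, and the domain c2.example is a placeholder. On a live Mac, point triage() at the real Info.plist, ~/.zshenv, /etc/zshenv and /Users/Shared.

```python
"""Hunt for Hidden Risk host artifacts: ATS exceptions, zshenv persistence and
hidden files in /Users/Shared. Added example; not SentinelOne code."""
import os
import plistlib
import re
import tempfile
from typing import Dict, List

# A hidden path under the directories this campaign drops into.
HIDDEN_PATH = re.compile(r"(/Users/Shared|/tmp)/\.[\w.-]+")
# A shell file test on a /tmp dot-file: the run-once guard shape described above.
TMP_GUARD = re.compile(r"-[ef]\s+/tmp/\.")


def ats_insecure_domains(info_plist_path: str) -> Dict[str, bool]:
    """{domain: allows_insecure_http} for each NSExceptionDomains entry under
    NSAppTransportSecurity; '*' when NSAllowsArbitraryLoads disables ATS globally."""
    with open(info_plist_path, "rb") as fh:
        info = plistlib.load(fh)
    ats = info.get("NSAppTransportSecurity", {})
    result: Dict[str, bool] = {}
    if ats.get("NSAllowsArbitraryLoads"):
        result["*"] = True
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        result[domain] = bool(rules.get("NSExceptionAllowsInsecureHTTPLoads"))
    return result


def suspicious_zshenv_lines(path: str) -> List[str]:
    """Non-comment lines that reference a hidden dropper path or a /tmp dot-file guard."""
    if not os.path.isfile(path):
        return []
    hits: List[str] = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if HIDDEN_PATH.search(stripped) or TMP_GUARD.search(stripped):
                hits.append(stripped)
    return hits


def hidden_files(directory: str) -> List[str]:
    """Hidden regular files directly inside a directory (e.g. /Users/Shared/.XXXXXX)."""
    if not os.path.isdir(directory):
        return []
    return sorted(n for n in os.listdir(directory)
                  if n.startswith(".") and os.path.isfile(os.path.join(directory, n)))


def triage(info_plist: str, zshenv_paths: List[str], shared_dir: str) -> Dict[str, object]:
    """One report for the three checks. On a real Mac:
    triage("/path/App.app/Contents/Info.plist",
           [os.path.expanduser("~/.zshenv"), "/etc/zshenv"], "/Users/Shared")"""
    return {
        "ats": ats_insecure_domains(info_plist),
        "zshenv": [hit for p in zshenv_paths for hit in suspicious_zshenv_lines(p)],
        "hidden_shared": hidden_files(shared_dir),
    }


def build_sample_host(root: str) -> Dict[str, str]:
    """Constructed sample host under root (not real artifacts): a bundle with an ATS
    exception for a placeholder domain, a fake /Users/Shared holding a hidden file,
    and a zshenv whose guard-then-run shape follows the analysis above."""
    contents = os.path.join(root, "Sample.app", "Contents")
    shared = os.path.join(root, "Users", "Shared")
    os.makedirs(contents)
    os.makedirs(shared)
    info_plist = os.path.join(contents, "Info.plist")
    with open(info_plist, "wb") as fh:
        plistlib.dump({
            "CFBundleIdentifier": "example.sample",  # placeholder identifier
            "NSAppTransportSecurity": {"NSExceptionDomains": {
                "c2.example": {"NSExceptionAllowsInsecureHTTPLoads": True}}},
        }, fh)
    open(os.path.join(shared, ".abc123"), "wb").close()
    zshenv = os.path.join(root, ".zshenv")
    with open(zshenv, "w") as fh:
        fh.write("# constructed sample\n"
                 "if [ ! -e /tmp/.zsh_init_success ]; then\n"
                 f'  "{shared}/.abc123" &\n'
                 "  touch /tmp/.zsh_init_success\n"
                 "fi\n")
    return {"info_plist": info_plist, "zshenv": zshenv, "shared": shared}


def run_demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as root:
        paths = build_sample_host(root)
        return triage(paths["info_plist"], [paths["zshenv"]], paths["shared"])


if __name__ == "__main__":
    print(run_demo())
```

The zshenv heuristic is deliberately narrow (hidden paths under /Users/Shared or /tmp, and file tests on /tmp dot-files) so that ordinary environment setup in a legitimate ~/.zshenv does not fire; any hit still needs eyes on the file, since zshenv is sourced for every Zsh invocation and a single line is enough.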
While this technique is not unknown, it is the first time we have observed it used in the wild by malware authors. It has particular value on modern versions of macOS, since Apple introduced user notifications for background Login Items as of macOS 13 Ventura. Apple’s notification aims to warn users when a persistence method is installed, particularly the oft-abused LaunchAgents and LaunchDaemons. Abusing zshenv, however, does not trigger such a notification in current versions of macOS.

In the binary, installation of the persistence mechanism is handled by the sym.install_char__char_ function. The mechanism checks for a hidden, zero-byte touch file in the /tmp/ folder called .zsh_init_success. If the file does not exist, the ‘growth’ binary is executed and the touch file is created.

Figure: Contents of the malicious ~/.zshenv, executed for every Zsh session

NETWORK INFRASTRUCTURE

Analysis of the actor-operated and -controlled network infrastructure associated with the Hidden Risk campaign further corroborates our confidence in attributing it to DPRK’s BlueNoroff threat actor. Infrastructure analysis also provides new insight into an extensive cluster of activity over the last year or more, and further links to the industry reporting mentioned above and to other community reporting. Over recent months, the actor has built a network of connected infrastructure, often themed around their cryptocurrency interests and their methods of delivering malware lures, and mimicking legitimate Web3, cryptocurrency, fintech and investment organizations in order to appear legitimate. NameCheap is the predominant domain registrar being abused. Virtual server hosting services such as Quickpacket, Routerhosting, Hostwinds and others are the most commonly used, based on our observations.
Various methods of pivoting across network infrastructure and services can be used to connect the Hidden Risk campaign to domains themed around the following organizations, indicating the actor’s interest in targeting, or spoofing for the purpose of targeting, these organizations:

* Cryptocurrency technologies: Delphi Digital, Solana Labs, Douro Labs, bitsCrunch, Caladan
* Investment and capital entities: Maelstrom Fund, Selini Capital, Flori Ventures, ARK Invest, Long Journey Ventures
* Generic IT/communication: virtual meetings (Zoom, generic), software updates (macOS, browsers, generic)

When examining the infrastructure of the campaign detailed above in infrastructure analysis tools such as Validin, we can identify clear relations between the delivery domain hard-coded in Stage 1 (matuaner[.]com) and the IPs 45.61.135[.]105 and 172.86.108[.]47. These two IPs, in combination with overlapping certificate use, link to a variety of domains that open the door to the larger and longer-running history of BlueNoroff activity (green lines in the graph), as well as to lower-confidence infrastructure to explore further (orange dotted lines).

Figure: Pivoting from sample delivery to initial set of infrastructure

Additional valuable pivoting can be achieved by analyzing attributes such as DNS TXT records linked to domains that the actor may be using for phishing email delivery. For instance, we have observed the actor abusing email marketing automation tools such as Brevo, going so far as to verify domain ownership to meet email authentication standards in an effort to bypass spam and phishing detection filters.

Figure: Pivoting initial infrastructure to wider set, through DNS TXT records

Beyond direct pivoting based on infrastructure and overlapping response data, we also identified additional domains registered using similar methods that reflect previous organization naming themes across various top-level domains (TLDs), though these domains have not yet been linked to any known actor activity.
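The bulk-domain sweep described here, as an added example in Python (not SentinelLabs tooling). It generalises the per-character “one or more” regular expression the authors give for “Selini Capital” (/s+e+l+i+n+i+c+a+p+i+t+a+l+\.[a-z0-9-]+/) into a builder for any brand string, refangs the [.] notation, and runs it over a list that mixes domains from this report’s indicator section with constructed benign names for contrast. The matched-substring output and the brand names other than Selini Capital are this example’s own choices.

```python
"""Brand-lookalike domain sweep generalising the report's example regex.
Added example; not SentinelLabs tooling."""
import re
from typing import Dict, List


def brand_regex(brand: str) -> str:
    """Per-character 'one or more' pattern followed by a TLD label, e.g.
    brand_regex('selinicapital') == r's+e+l+i+n+i+c+a+p+i+t+a+l+\\.[a-z0-9-]+'.
    It tolerates doubled letters (sellinicapital) but not dropped ones (selincapital)."""
    body = "".join(f"{re.escape(ch)}+" for ch in brand.lower())
    return body + r"\.[a-z0-9-]+"


def refang(domain: str) -> str:
    """Turn the report's defanged form (example[.]com) back into a real domain."""
    return domain.replace("[.]", ".").lower()


def find_brand_lookalikes(brand: str, domains: List[str]) -> Dict[str, str]:
    """Map each matching domain (refanged) to the substring the pattern matched,
    so an analyst can see which label triggered the hit."""
    pattern = re.compile(brand_regex(brand))
    hits: Dict[str, str] = {}
    for raw in domains:
        clean = refang(raw)
        match = pattern.search(clean)
        if match:
            hits[clean] = match.group(0)
    return hits


def sweep(brands: List[str], domains: List[str]) -> Dict[str, Dict[str, str]]:
    """Run several brand patterns over one registration feed."""
    return {brand: find_brand_lookalikes(brand, domains) for brand in brands}


SAMPLE_DOMAINS = [
    # Taken from this report's indicator list
    "selinicapital[.]network", "meet.sellinicapital[.]com", "selinicapital[.]info",
    "community.selincapital[.]com", "email.sellinicapital[.]com",
    "maelstromfund[.]org", "www.maelstromfund[.]org", "arkinvst[.]com",
    # Constructed benign names for contrast (not indicators)
    "example[.]com", "selinicapitalnews[.]example",
]

if __name__ == "__main__":
    for brand, found in sweep(["selinicapital", "maelstromfund"], SAMPLE_DOMAINS).items():
        print(brand, found)
```

Because every letter is allowed to repeat, the pattern catches doubled-letter registrations but silently misses omissions such as selincapital[.]com, which appears in the indicator list; a sweep like this is a recall aid over a registration feed, not a substitute for the infrastructure pivots above, and the legitimate brand domain will match too and must be filtered out by hand.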
For instance, by analyzing bulk domain search datasets, we found related but non-pivotable domains based on “Selini Capital”, such as selinicapital[.]network. This approach has proven effective in uncovering additional BlueNoroff domains linked to the Hidden Risk activity cluster.

Example regular expression: /s+e+l+i+n+i+c+a+p+i+t+a+l+\.[a-z0-9-]+/

Figure: Bulk domain scanning, past 180 days, showing registration summary

The extensive collection of BlueNoroff infrastructure we have gathered over the years, recently expanded through the latest Hidden Risk campaign activity, prevents us from detailing every unique pivoting method as this actor continues to evolve. As with all quality threat intelligence, our goal is to aid defenders while carefully managing the exposure of our tracking techniques to the actor. However, we are sharing a broader set of associated infrastructure in the Indicators of Compromise section below.

CONCLUSION

Over the last 12 months or so, North Korean cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive ‘grooming’ of targets via social media. The Hidden Risk campaign departs from this strategy, taking a more traditional and cruder, though not necessarily any less effective, email phishing approach. Despite the bluntness of the initial infection method, other hallmarks of previous DPRK-backed campaigns are evident, both in the observed malware artifacts and in the associated network infrastructure, as discussed extensively throughout this post. We might speculate that heightened attention on previous DPRK campaigns has reduced the effectiveness of ‘social media grooming’ attempts, perhaps because intended targets in DeFi, ETF and other crypto-related industries have become more wary, but it is equally likely that such state-backed threat actors have sufficient resources to pursue multiple strategies simultaneously.
One factor that is relatively consistent across many of these campaigns is that the threat actors are seemingly able to acquire or hijack valid Apple ‘identified developer’ accounts at will, have their malware notarized by Apple, and so bypass macOS Gatekeeper and other built-in Apple security technologies. In light of this, and of the general increase in macOS crimeware observed across the security industry, we encourage all macOS users, but particularly those in organizational settings, to harden their security and increase their awareness of potential risks.

INDICATORS OF COMPROMISE

SHA1                                      Function   File    Arch
05c178891ca1e65af53bbcfdbec573da3f74d176  Dropper    Macho   arm64
3f17c5a7d1e7fd138163d8039e614b8a967a56cb  Dropper    App     Universal
7e07765bf8ee2d0b2233039623016d6dfb610a6d  Backdoor   Macho   x86_64
baf4da6b89b7d7cbf24c9deef5984ef9dfd52e6a  Dropper    Macho   Universal
e5d97afa5f1501b3d5ec1a471dc8a3b8e2a84fdb  Dropper    Macho   x86_64

IP Addresses
23[.]254.253[.]75
45[.]61.128[.]122
45[.]61.135[.]105
45[.]61.140[.]26
139[.]99.66[.]103
144[.]172.74[.]23
144[.]172.74[.]141
172[.]86.102[.]98
172[.]86.108[.]47
216[.]107.136[.]10

Domains
analysis.arkinvst[.]com
appleaccess[.]pro
arkinvst[.]com
atajerefoods[.]com
buy2x[.]com
calendly[.]caladan[.]video
cardiagnostic[.]net
cmt[.]ventures
community.edwardcaputo[.]shop
community.kevinaraujo[.]shop
community.selincapital[.]com
customer-app[.]xyz
delphidigital[.]org
doc.solanalab[.]org
dourolab[.]xyz
drogueriasanjose[.]net
edwardcaputo[.]shop
email.sellinicapital[.]com
evalaskatours[.]com
happyz[.]one
hwsrv-1225327.hostwindsdns[.]com
info.ankanimatoka[.]com
info.customer-app[.]xyz
kevinaraujo[.]shop
maelstromfund[.]org
maelstroms[.]fund
matuaner[.]com
mbupdate.linkpc[.]net
mc.tvdhoenn[.]net
meet.caladan[.]video
meet.caladangroup[.]xyz
meet.hananetwork[.]video
meet.selinicapital[.]info
meet.selinicapital[.]online
meet.selinicapital[.]xyz
meet.sellinicapital[.]com
meeting.sellinicapital[.]com
meeting.zoom-client[.]com
mg21.1056[.]uk
nodnote[.]com
online.selinicapital[.]info
online.zoom-client[.]com
panda95sg[.]asia
pixelmonmmo[.]net
presentations[.]life
selincapital[.]com
selinicapital[.]info
selinicapital[.]network
selinicapital[.]online
sellinicapital[.]com
sendmailed[.]com
sendmailer[.]org
shh5.baranftw[.]xyz
tvdhoenn[.]net
verify.selinicapital[.]info
versionupdate.dns[.]army
www.buy2x[.]com
www.delphidigital[.]org
www.frameworks[.]ventures
www.happyz[.]one
www.huspot[.]blog
www.maelstromfund[.]org
www.panda95sg[.]asia
www.prismlab[.]xyz
www.sellinicapital[.]com
www.sendmailed[.]com
www.sendmailer[.]org
www.yoannturp[.]xyz
xu10.1056[.]uk
zoom-client[.]com

Tags: DPRK

RAFFAELE SABATO
Raffaele Sabato is a Senior Detection Engineer at SentinelOne, specializing in macOS malware and application exploitation. He began his journey into Apple security as an offensive security consultant, performing vulnerability research with a focus on macOS and iOS applications. His skills include reverse engineering, vulnerability hunting and malware analysis. His research includes studying novel attack vectors and developing new detection methods.

PHIL STOKES
Phil Stokes is a Threat Researcher at SentinelOne, specializing in macOS threat intelligence, platform vulnerabilities and malware analysis. He began his journey into macOS security as a software developer, creating end user troubleshooting and security tools just at the time when macOS adware and commodity malware first began appearing on the platform. Phil has been closely following the development of macOS threats as well as researching Mac software and OS vulnerabilities since 2014.

TOM HEGEL
Tom Hegel is a Principal Threat Researcher with SentinelOne. He comes from a background of detection and analysis of malicious actors, malware and global events with an application to the cyber domain. His past research has focused on threats impacting individuals and organizations across the world, primarily targeted attackers.