A North Korean hacking outfit is targeting crypto firms with a new MacOS malware.
BlueNoroff, a North Korean hacking outfit and a sub-entity of the larger Lazarus Group, is reportedly targeting crypto firms with a new MacOS-based malware. The group has been attacking crypto companies since 2019.
A SentinelLabs report detailed the outfit’s newest attack vector, which hides within PDFs to take over victims’ MacOS computers through email phishing. “We believe the campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics,” the report said. “We dubbed this campaign ‘Hidden Risk’ and detail its operation and indicators of compromise below, including the use of a novel persistence mechanism abusing the zshenv configuration file.”
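As an added example, not from the article or the SentinelLabs report: a small POSIX shell audit of the zshenv startup files that zsh reads on every invocation, flagging lines that look like persistence rather than ordinary shell configuration. The grep patterns and the two sample files are constructed assumptions for the demo, not the campaign's indicators of compromise.

```shell
#!/bin/sh
# Added example: audit zsh startup files for lines that look like persistence.
# The patterns below are heuristic assumptions, not the campaign's IoCs.
set -u

# Print suspicious lines from FILE; return 1 if any were found, 0 if clean or absent.
audit_zshenv() {
    file="$1"
    [ -f "$file" ] || return 0
    # Drop comment lines, then flag backgrounded commands, downloaders, decoders,
    # AppleScript launches and references to hidden (dot) directories.
    hits=$(grep -v '^[[:space:]]*#' "$file" | grep -nE \
        '(&[[:space:]]*\)?[[:space:]]*$|nohup|curl|wget|base64|osascript|/\.[A-Za-z0-9_]+/)' \
        || true)
    if [ -n "$hits" ]; then
        printf '%s: suspicious lines\n%s\n' "$file" "$hits"
        return 1
    fi
    return 0
}

# Audit every zshenv location zsh consults: system-wide and the current user's.
audit_all() {
    rc=0
    for f in /etc/zshenv /etc/zsh/zshenv "${HOME}/.zshenv"; do
        audit_zshenv "$f" || rc=1
    done
    return $rc
}

# Constructed samples so the demo runs offline: one benign, one mimicking persistence.
demo() {
    d=$(mktemp -d)
    printf 'export PATH="$HOME/bin:$PATH"\nalias ll="ls -la"\n' > "$d/benign.zshenv"
    printf '# looks like config\nexport EDITOR=vim\n( "$HOME/.cache/.sync" >/dev/null 2>&1 & )\n' > "$d/bad.zshenv"
    if audit_zshenv "$d/benign.zshenv"; then benign_rc=0; else benign_rc=1; fi
    if audit_zshenv "$d/bad.zshenv"; then bad_rc=0; else bad_rc=1; fi
    rm -rf "$d"
    echo "benign=$benign_rc bad=$bad_rc"
    [ "$benign_rc" -eq 0 ] && [ "$bad_rc" -eq 1 ]
}
```

Run `demo` to exercise the heuristic on the constructed samples, or `audit_all` to check the real files on a host; the hidden-path and background-execution patterns are the ones worth tuning for your environment.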
Essentially, the PDFs mirror legitimate crypto research reports or are designed to have fake headlines to catch the attention of targets. Some topics the PDFs revolved around included “Hidden Risk Behind New Surge of Bitcoin Price,” “Altcoin Season 2.0-The Hidden Gems to Watch,” and “New Era for Stablecoins and DeFi, CeFi.”
As victims hit download, the malware downloads stealthily in the background. Once installed, it gives the attackers a backdoor through which they scan the device for sensitive information, such as private keys to crypto wallets. The hackers then use those details to drain the target wallets. BlueNoroff launches such attacks against employees of crypto platforms to gain access to the firms’ wallets and walk away with sizeable loot.
Government Agencies Have Repeatedly Alerted Crypto Firms of North Korean Threats
BlueNoroff’s reputation for wreaking havoc on crypto companies has pushed many government organizations, like the US Federal Bureau of Investigation (FBI), to issue warnings. The agency has also warned of the broader Lazarus Group and other hacking entities tied to the North Korean government.
“North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen,” an FBI warning from September read. “Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea’s determination to compromise networks connected to cryptocurrency assets.”
Another such warning was issued back in 2024 when the Cybersecurity and Infrastructure Security Agency (CISA) urged crypto firms to take adequate measures against state-sanctioned North Korean attack vectors. “These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime,” the alert read.