Cyber Web Spider Blog – News

North Korean Malware Targets macOS via Fake Zoom SDK Update

Posted on April 17, 2026 By CWS

A newly identified cyber campaign by the North Korean group Sapphire Sleet poses a significant threat to macOS users. By disguising a malicious file as a Zoom SDK update, this operation aims to steal sensitive information such as passwords, cryptocurrency assets, and other personal data.

Understanding the Threat

Unlike typical attacks that exploit software vulnerabilities, this campaign relies primarily on social engineering tactics. Sapphire Sleet engages potential victims by assuming the role of a job recruiter on professional networks. After gaining trust through career discussions, they schedule a fake technical interview.

The attack escalates when the victim is instructed to download a file named “Zoom SDK Update.scpt.” The file is a compiled AppleScript: double-clicking it opens the macOS Script Editor app, where it looks like a harmless update helper, and the malicious code concealed inside executes once the victim runs the script.

Technical Details and Impact

Microsoft Threat Intelligence discovered the campaign and noted that using AppleScript as a credential-harvesting tool is new for Sapphire Sleet. Microsoft notified Apple, which updated XProtect signatures and Safari Safe Browsing to block the infrastructure linked to the attack.

Primarily targeting sectors like cryptocurrency, finance, and blockchain, the malware captures a range of data, including login passwords, Telegram session data, and crypto wallet keys. This information is then compressed and transmitted to servers controlled by the attackers.

Defense and Prevention

The malware does not exploit a flaw in Gatekeeper or any other macOS protection; it sidesteps them because the victim opens the script in Script Editor and runs it from their own session, so there is no unsigned application for Gatekeeper to block. This is why user awareness and the ability to recognize this kind of social engineering remain the first line of defense.

Once the lure file is run, the attack proceeds through several command stages that use legitimate macOS processes to blend in. The malware collects system information and installs persistence components under deceptive names so that they survive reboots without drawing attention.

To protect against such threats, users and organizations should treat any request to download and run a script or terminal command during an online recruiting conversation or interview as a red flag. Blocking or alerting on AppleScript files (.scpt) that arrive through downloads or messaging, auditing LaunchDaemon (and LaunchAgent) plist entries for unfamiliar items, and monitoring the TCC database (which records the privacy permissions granted to applications) for unauthorized modifications are practical steps that raise the bar for this kind of campaign.
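The persistence-audit step above, as an added example that is not code from the article or from Microsoft's report: a small Python script that scans a directory of launchd plists for the indicators the article describes and also identifies compiled AppleScript by its file magic rather than by extension, so a lure renamed to something other than .scpt is still caught. The suspicious-binary list, the path pattern, and the two sample plists (including the hypothetical com.apple.zoom-sdk-update label and the update.scpt payload) are assumptions constructed for this example, not observed indicators.

```python
"""Offline audit of launchd persistence plists for the indicators the article lists.

Added example, not code from the article or from Microsoft's report. It flags
LaunchDaemon/LaunchAgent plists that run an interpreter such as osascript, point
at user-writable paths, carry an Apple-looking label outside /System, or launch a
compiled AppleScript (detected by file magic, so a renamed .scpt is still caught).
The heuristics and the sample plists are constructed for this example.
"""
from __future__ import annotations

import plistlib
import re
import tempfile
from pathlib import Path

# Compiled AppleScript files begin with this magic regardless of their extension.
SCPT_MAGIC = b"FasdUAS"

# Interpreters and downloaders a persistent daemon rarely needs (example heuristic).
SUSPICIOUS_BINARIES = {"osascript", "sh", "bash", "zsh", "curl", "python3", "perl"}

# Locations a legitimate LaunchDaemon should not run code from (example heuristic).
SUSPICIOUS_PATH_RE = re.compile(
    r"^(/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/(Library/|Downloads/|\.))"
)


def is_compiled_applescript(path: Path) -> bool:
    """True if the file starts with the compiled-AppleScript magic, whatever its name."""
    try:
        with open(path, "rb") as f:
            return f.read(len(SCPT_MAGIC)) == SCPT_MAGIC
    except OSError:
        return False


def audit_plist(path: Path) -> list[str]:
    """Return the findings for one launchd plist; an empty list means nothing flagged."""
    with open(path, "rb") as f:
        plist = plistlib.load(f)
    findings: list[str] = []

    # Apple's own daemons live under /System/Library; a com.apple.* label in a
    # third-party LaunchDaemons or LaunchAgents folder is a common masquerade.
    label = plist.get("Label", "")
    if label.startswith("com.apple."):
        findings.append(f"label {label!r} imitates an Apple label outside /System")

    # launchd runs either Program or ProgramArguments[0]; inspect every argument.
    args = list(plist.get("ProgramArguments", []))
    if "Program" in plist:
        args.insert(0, plist["Program"])
    for arg in args:
        if Path(arg).name in SUSPICIOUS_BINARIES:
            findings.append(f"launches interpreter or downloader {arg!r}")
        if SUSPICIOUS_PATH_RE.match(arg):
            findings.append(f"references user-writable path {arg!r}")
        if arg.startswith("/") and is_compiled_applescript(Path(arg)):
            findings.append(f"runs compiled AppleScript {arg!r}")

    # Restart-on-boot plus restart-after-kill is only worth noting when something
    # else about the entry is already suspicious.
    if findings and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive set: survives reboot and termination")
    return findings


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a directory; only flagged files appear in the result."""
    results: dict[str, list[str]] = {}
    for plist_path in sorted(directory.glob("*.plist")):
        findings = audit_plist(plist_path)
        if findings:
            results[plist_path.name] = findings
    return results


def build_fixtures() -> Path:
    """Create a temporary tree with one benign and one masquerading plist (constructed samples)."""
    root = Path(tempfile.mkdtemp(prefix="launchd-audit-"))
    daemons = root / "LaunchDaemons"
    daemons.mkdir()
    payload = root / "payload"
    payload.mkdir()

    # Stand-in for a dropped compiled AppleScript: only the magic header matters here.
    scpt = payload / "update.scpt"
    scpt.write_bytes(SCPT_MAGIC + b" 1.101.10\x00" + b"\x00" * 32)

    with open(daemons / "com.example.backupd.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.backupd",
                       "ProgramArguments": ["/usr/local/bin/backupd", "--daemon"],
                       "RunAtLoad": True}, f)
    # Hypothetical masquerading entry in the style the article describes; the
    # label and path are invented for this example, not observed indicators.
    with open(daemons / "com.apple.zoom-sdk-update.plist", "wb") as f:
        plistlib.dump({"Label": "com.apple.zoom-sdk-update",
                       "ProgramArguments": ["/usr/bin/osascript", str(scpt)],
                       "RunAtLoad": True, "KeepAlive": True}, f)
    return root


if __name__ == "__main__":
    # On a real Mac, point audit_directory at /Library/LaunchDaemons,
    # /Library/LaunchAgents and ~/Library/LaunchAgents instead of the fixtures.
    for name, found in audit_directory(build_fixtures() / "LaunchDaemons").items():
        print(name)
        for item in found:
            print("  -", item)
```

Treat the output as a triage list rather than a verdict: some legitimate third-party agents do invoke a shell or live under ~/Library, so confirm each hit against the installed software before removing it.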

It is also essential to keep macOS systems updated to ensure the latest protective measures from Apple are in place, thereby reducing the risk of falling victim to similar campaigns.

Tags: AppleScript, credential theft, cryptocurrency security, Cybersecurity, macOS security, North Korean malware, Sapphire Sleet, social engineering, tech news, Zoom SDK
