Full Report
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations. [...]
Analysis Summary
# Threat Actor: NimDoor Malware Operators (Attributed to North Korean Actors)
## Attribution & Identity
The malware family analyzed, NimDoor, is linked to North Korean threat actors (DPRK operators). The analysis focuses on the capabilities of the NimDoor framework and associated backdoors.
## Activity Summary
The activity centers on the NimDoor crypto-theft macOS malware. It exhibits novel persistence mechanisms, allowing it to "revive itself when killed." The malware utilizes a modular framework designed to steal cryptocurrency and sensitive information from infected macOS systems. Specific operations involved an injection chain triggered by a loader (e.g., 'zoom\_sdk\_support.scpt'), leading to C2 communication and subsequent script execution for data exfiltration.
## Tactics, Techniques & Procedures
- **Persistence/Evasion:** Utilizes signal-based persistence, allowing the malware to revive itself after being terminated.
- **Obfuscation:** Loaders (like `zoom_sdk_support.scpt`) employ significant obfuscation, observed through the inclusion of over 10,000 blank lines.
- **Process Injection:** An initial payload trigger (`t_`) initiates a second injection chain using `_trojan1_arm64_`.
- **Data Staging/Exfiltration:** Uses specific scripts (`upl` and `tlgrm`) to harvest data.
- **Command and Control (C2):** Employs WebSocket Secure (WSS) for C2 communications.
- **Data Theft:** Extraction of session keys specific to cryptocurrency theft, browser data, and sensitive files like Keychain access and shell history files (`.bash_history`, `.zsh_history`).
## Targeting
- Sectors: Primarily focused on cryptocurrency theft and sensitive information targets.
- Geography: Not explicitly detailed in the provided context, but linked to North Korean threat actors.
- Victims: Users running macOS. Specific organizations were not named, but the focus suggests targets that hold cryptocurrency or sensitive credentials (e.g., via Keychain theft).
## Tools & Infrastructure
- **Malware Families used:** NimDoor framework, `_trojan1_arm64_`, `upl` script, `tlgrm` script.
- **Infrastructure (C2, domains, IPs):**
- C2 Protocol: WSS (WebSocket Secure)
- Exfiltration Domain: `dataupload[.]store`
## Implications
NimDoor represents a significant evolution in macOS malware, showcasing high modularity and the use of sophisticated, novel persistence techniques (signal-based revival). The toolkit indicates that DPRK actors are actively developing advanced, cross-platform capabilities, particularly focused on high-value targets involved in cryptocurrency.
## Mitigations
- Implement enhanced monitoring for unusual process resurrection attempts on macOS endpoints.
- Scrutinize WSS connections originating from managed endpoints, especially those destined for novel external domains.
- Review security controls to detect excessive obfuscation in legitimate-looking script files (e.g., scripts containing thousands of blank lines).
- Ensure robust defenses against credential and session theft targeting macOS-native storage like Keychain.