macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware
Executive Summary
DPRK threat actors are utilizing Nim-compiled binaries and multiple attack chains in a campaign targeting Web3 and Crypto-related businesses.
Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via WSS, the TLS-encrypted version of the WebSocket protocol.
A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system is rebooted.
The threat actors deploy AppleScripts widely, both to gain initial access and later in the attack chain to function as lightweight beacons and backdoors.
Bash scripts are used to exfiltrate Keychain credentials, browser data, and Telegram user data.
SentinelLABS’ analysis highlights novel TTPs and malware artifacts that tie together previously reported components, extending our understanding of the threat actors’ evolving playbook.
To read the complete article, see: Sentinel One