North Korean Hackers Target Macs With Infected Crypto Apps | Here’s How to Protect Yourself

North Korean hackers are targeting Mac users with malware hidden in what appear to be harmless macOS apps. The new malware uses sophisticated code to circumvent traditional Mac security checks.
Researchers at Jamf Threat Labs say they have uncovered malware embedded in macOS apps that is disguised to appear harmless at first glance. Bad actors are using Google’s popular app-building tool Flutter to create malicious apps that make it past the usual Mac security measures.
Flutter is a popular tool among developers who want to create apps that work across macOS, iOS, and Android. The development tool’s codebase allows developers to build an app once and have it look and work consistently across all three platforms.
Flutter’s unique way of doing things makes it an attractive tool for devs looking for ways to hide their code. A typical Flutter app’s main code (written in a language called Dart) is bundled into a “dylib” file, which is a dynamic library later loaded by Flutter’s engine.
While convenient for developers, this structure obscures the app’s logic, making it harder to inspect for malicious components. Hackers are taking advantage of this built-in obfuscation to hide malicious code.
Due to the complex nature in which Flutter compiles its applications, this dylib is not listed as a shared library within the primary Mach-O file. While there is nothing inherently malicious about this app architecture, it just happens to provide a good avenue of obfuscation by design.
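The point above, that a bundled library can be absent from the main executable’s load commands, is something a triage analyst can check directly. The following is an added example, written for this article and not code from Jamf Threat Labs or the Flutter project: it parses the dylib load commands of a 64-bit Mach-O (what `otool -L` would print) and flags libraries shipped in the bundle that the executable never links. The framework paths and the header-only sample binary are constructed for the demonstration.

```python
import os
import struct

MH_MAGIC_64 = 0xFEEDFACF  # thin, little-endian, 64-bit Mach-O
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB = 0x0C, 0x80000018, 0x8000001F
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}


def linked_dylibs(data: bytes) -> list:
    """Install names declared by the executable's dylib load commands.
    Handles thin little-endian 64-bit images only (no fat binaries)."""
    magic, _cpu, _sub, _ftype, ncmds, _cmdsz, _flags, _rsv = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    names, off = [], 32  # load commands start right after mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]  # dylib.name offset
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return names


def unlinked_bundled_libs(linked: list, bundled: list) -> list:
    """Bundled libraries whose file name never appears in the link list;
    such code can only enter the process through a runtime dlopen()."""
    linked_names = {os.path.basename(p) for p in linked}
    return sorted(p for p in bundled if os.path.basename(p) not in linked_names)


def build_macho(dylibs: list) -> bytes:
    """Constructed test input: a header-only Mach-O with one LC_LOAD_DYLIB
    per name. It is not a runnable binary."""
    cmds = b""
    for name in dylibs:
        body = name.encode() + b"\0"
        body += b"\0" * (-len(body) % 8)  # cmdsize must be 8-byte aligned
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(body), 24, 0, 0, 0) + body
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    # Hypothetical bundle: the main binary links FlutterMacOS but not the Dart "App" library.
    sample = build_macho(["/usr/lib/libSystem.B.dylib",
                          "@rpath/FlutterMacOS.framework/Versions/A/FlutterMacOS"])
    bundle = ["Contents/Frameworks/FlutterMacOS.framework/Versions/A/FlutterMacOS",
              "Contents/Frameworks/App.framework/Versions/A/App"]
    print(unlinked_bundled_libs(linked_dylibs(sample), bundle))
```

On a real bundle, read `Contents/MacOS/<executable>` into `linked_dylibs` and walk `Contents/Frameworks` to build the bundled list; an unlinked library is not proof of malice, only a pointer to where runtime-loaded code lives.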
How Does the Flutter Attack Work?
Jamf Threat Labs found three versions of the malware. Each version is tailored to one of three programming environments: Flutter, Go, and Python. All three used similar methods to contact external servers, which are believed to be under North Korean control, allowing them to execute malicious commands.
The Flutter-based malware focused on an app named “New Updates in Crypto Exchange,” which appeared to be a simple time-waster game. Users installed and played the game without any suspicion.
Hidden inside the game was code designed to connect to a domain linked to North Korean cyber attackers. The hidden functionality allowed the app to download malicious code that could allow the bad actors to control an infected Mac remotely.
A Python variant of the malicious code appeared to be a notepad app. The app also connected to the suspicious North Korean-controlled domain, downloading and executing malicious AppleScripts that allowed the hackers to remotely control the target’s Mac. AppleScript is a scripting tool that allows users to automate tasks and allows apps to communicate with each other.
The malware has the concerning ability to execute remote AppleScript commands, which it uses to control the device, capture data from the infected machine, and download and install additional malicious code.
Jamf Threat Labs says there is no indication the apps have been used in an attack in the wild, as the malware appears to be in a testing phase. North Korea traditionally targets the financial industry through malware attacks, so cryptocurrency users and companies could be the intended targets.
How Mac Users Can Protect Against Flutter Malware
First, download and install cryptocurrency apps with great caution. Hackers often target cryptocurrency traders with fake versions of established apps.
Mac users should stick to downloading and installing apps from the official Mac App Store, as those apps are reviewed and inspected for malware like this. While no screening process can catch 100% of the malware that attempts to slip through, the App Store screening process greatly reduces the risk of installing malicious apps.
By default, macOS only allows users to install apps from the App Store and identified developers. The setting can be changed in the “Privacy & Security” section of the System Settings app.
Mac users are also advised to keep their macOS operating system and installed apps up to date, as these updates often include security patches to help block attacks such as the “Flutter” scheme.