Cybersecurity researchers have uncovered a new malware campaign targeting cryptocurrency businesses, attributed to BlueNoroff, a North Korean state-sponsored group operating under the Lazarus umbrella. The malware, dubbed “Hidden Risk” by researchers at SentinelLabs, targets macOS and uses a multi-stage infection chain that hides behind decoy PDF documents.
According to the SentinelLabs report, the attack begins with phishing emails carrying fabricated news stories about cryptocurrency trends. The emails deliver a malicious attachment disguised as a legitimate PDF. When the victim opens what looks like the PDF, a decoy document is displayed while a second-stage payload is quietly fetched and written to the machine in the background. That second stage acts as a backdoor, giving the attackers remote access to the victim’s computer and, from there, a path to private keys and other sensitive data.
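A first line of defence against a “PDF that is not a PDF” is to check what the attachment actually is before double-clicking it. The script below is an added example for this article, not SentinelLabs’ tooling; it assumes the disguise is at the filename and icon level (a genuine PDF begins with the bytes `%PDF-`, a macOS app bundle is a directory, and a native Mach-O executable carries one of a few well-known magic values). The sample files it creates when run with no arguments are constructed for the demonstration.

```shell
#!/bin/sh
# check_pdf.sh: verify that a file presented as a PDF really is one.
# Added example for this article, not code from the SentinelLabs report.
# Assumptions: a real PDF starts with "%PDF-"; an .app bundle is a directory;
# a Mach-O binary starts with cffaedfe/cefaedfe (little-endian 64/32-bit),
# feedface/feedfacf (big-endian) or cafebabe (fat binary).

# Exit status 0 = looks like a PDF, 1 = not a PDF. Prints a one-line verdict.
check_pdf() {
    p="$1"
    if [ -d "$p" ]; then
        # Finder hides the .app suffix and shows the icon the bundle chose,
        # so a directory named like a document is the classic lure shape.
        echo "NOT-PDF: $p is a directory (application bundle?)"
        return 1
    fi
    [ -f "$p" ] || { echo "NOT-PDF: $p missing"; return 1; }
    magic=$(head -c 5 "$p" 2>/dev/null)
    if [ "$magic" = "%PDF-" ]; then
        echo "PDF: $p"
        return 0
    fi
    hex=$(head -c 4 "$p" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        cffaedfe|cefaedfe|feedface|feedfacf|cafebabe)
            echo "NOT-PDF: $p is a Mach-O executable (magic $hex)" ;;
        *)
            echo "NOT-PDF: $p has header $hex" ;;
    esac
    return 1
}

# Constructed samples for the demo (not real malware): a genuine PDF header,
# a file with a 64-bit Mach-O magic and nothing else, and an empty app bundle.
make_pdf_samples() {
    d="${TMPDIR:-/tmp}/pdfcheck.$$"
    mkdir -p "$d/lure.pdf.app/Contents/MacOS"
    printf '%%PDF-1.4\n%%constructed sample\n' > "$d/real.pdf"
    printf '\317\372\355\376' > "$d/fake.pdf"   # bytes cf fa ed fe
    echo "$d"
}

# Usage: sh check_pdf.sh ~/Downloads/*.pdf ; with no args, run on the samples.
if [ $# -eq 0 ]; then
    D=$(make_pdf_samples)
    for f in "$D"/*; do check_pdf "$f" || true; done
    rm -rf "$D"
else
    for f in "$@"; do check_pdf "$f" || true; done
fi
```

The check is deliberately cheap: it does not parse the PDF, it only refuses to treat a directory or a native executable as a document. On a Mac you can also run `file` on the attachment, but the point of the script is that it reads the bytes rather than trusting the name, which is exactly what Finder does not do.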
The report highlights a novel persistence mechanism that abuses the Zsh startup file zshenv. Zsh sources this file every time a shell starts, interactive or not, so a launcher line appended to it is re-executed after every reboot and with every new terminal session, giving the attackers continued access to the compromised system. Because no LaunchAgent or LaunchDaemon is written, the technique also sidesteps the background login item notification that recent macOS versions show the user when a persistent service is installed.
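A practitioner responding to this campaign will want to look at the Zsh startup files on a suspect Mac. The audit script below is an added example for this article, not SentinelLabs’ code: the indicator patterns are this example’s own heuristics (executables under hidden or temp directories, backgrounded or `nohup`’d commands, inline downloads or base64 decoding) and are not the report’s indicators, so every hit needs a human look. The sample `.zshenv` it writes for the demo is constructed and contains no real payload.

```shell
#!/bin/sh
# audit_zshenv.sh: flag suspicious lines in Zsh startup files.
# Added example for this article, not code from the SentinelLabs report.
# The patterns are assumptions chosen for this example, not published IOCs.

# Zsh reads zshenv for every shell, including non-interactive ones, so a line
# appended here runs whenever any zsh starts (new Terminal tab, IDE task, cron).
ZSH_STARTUP_FILES="/etc/zshenv /etc/zprofile /etc/zshrc $HOME/.zshenv $HOME/.zprofile $HOME/.zshrc $HOME/.zlogin"

# Heuristics (assumed): hidden-directory or temp-directory paths, nohup or a
# trailing '&', curl/wget fetches, base64 decoding. Legitimate tool shims such
# as ". $HOME/.cargo/env" will also match; treat the output as a triage list.
SUSPICIOUS_RE='/\.[A-Za-z0-9_-]+/|/(private/)?tmp/|/var/tmp/|(^|[[:space:]])nohup[[:space:]]|&[[:space:]]*$|(^|[[:space:]])(curl|wget)[[:space:]]|base64[[:space:]]+(-d|--decode|-D)'

# Print "lineno:content" for every non-comment line in $1 matching the patterns.
audit_zsh_file() {
    f="$1"
    [ -f "$f" ] || return 0
    # grep exits 1 when nothing matches; for an audit that is not an error.
    grep -nE "$SUSPICIOUS_RE" "$f" 2>/dev/null | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Number of flagged lines in $1, printed as a bare integer.
count_suspicious() {
    audit_zsh_file "$1" | wc -l | tr -d '[:space:]'
}

# Walk every startup file that exists, showing owner/mtime and flagged lines.
# A ~/.zshenv the user never created, or one modified recently, is itself a lead.
audit_all() {
    for f in $ZSH_STARTUP_FILES; do
        if [ -f "$f" ]; then
            echo "== $f ($(ls -ld "$f"))"
            audit_zsh_file "$f"
        fi
    done
}

# Constructed sample .zshenv for the demo (hypothetical path, no real payload).
make_sample() {
    sample="${TMPDIR:-/tmp}/zshenv.sample.$$"
    cat >"$sample" <<'EOF'
# constructed sample .zshenv
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
nohup "$HOME/.config/.sysd/agent" >/dev/null 2>&1 &
EOF
    echo "$sample"
}

# Usage: sh audit_zshenv.sh          audit this machine's startup files
#        sh audit_zshenv.sh --demo   run against the constructed sample
if [ "${1:-}" = "--demo" ]; then
    s=$(make_sample)
    audit_zsh_file "$s"
    rm -f "$s"
else
    audit_all
fi
```

Run it as the user whose shell you suspect, since `$HOME` decides which files are inspected; for a full-disk sweep, loop over `/Users/*/.zshenv` as root. The mtime shown by `ls -ld` is worth correlating with the time the lure was opened.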
SentinelLabs assesses with “high confidence” that the actor behind “Hidden Risk” is the same one responsible for earlier BlueNoroff activity, including the RustDoor/ThiefBucket and RustBucket campaigns. The overlap points to a continuing evolution of the group’s tooling and tradecraft against the same lucrative target: the cryptocurrency industry.
The discovery of “Hidden Risk” underscores the growing sophistication of North Korean cyber operations and the ongoing threat they pose to cryptocurrency businesses and individuals. macOS users, often assumed to be less exposed to malware than Windows users, are the explicit target here. Users should treat unsolicited attachments with extreme caution, especially those on cryptocurrency topics, verify that a “PDF” really is one before opening it, keep macOS and security software up to date, and, if compromise is suspected, inspect their shell startup files. Investigation into the “Hidden Risk” campaign is ongoing, and security researchers are continuing to identify and mitigate the threat.