
NimDoor macOS Malware Persists After Termination

Summary

– North Korean hackers are using a new macOS malware called NimDoor to target web3 and cryptocurrency organizations through deceptive tactics like fake Zoom SDK updates.
– The malware employs C++ and Nim-compiled binaries, including ‘GoogIe LLC’ and ‘CoreKitAgent,’ which collect data and establish persistence via macOS LaunchAgents.
– CoreKitAgent uses a signal-based persistence mechanism, reinstalling itself when terminated by catching SIGINT and SIGTERM signals, making it resistant to basic defenses.
– The malware exfiltrates system data and executes remote commands via a hex-encoded AppleScript, while parallel scripts steal browser data, Keychain items, and Telegram messages.
– SentinelLABS highlights the malware’s complexity, modularity, and novel techniques, marking it as some of the most advanced macOS malware linked to North Korean threat actors.

North Korean hackers are deploying sophisticated macOS malware called NimDoor in targeted attacks against cryptocurrency and web3 organizations. This advanced threat employs unique persistence techniques and modular components to evade detection while stealing sensitive data. Security researchers have uncovered its complex infection chain, which begins with social engineering tactics before deploying multiple malicious payloads.

The malware framework, developed using both C++ and the Nim programming language, stands out for its unconventional design choices. One component, labeled ‘installer’, handles initial setup by creating directories and dropping two additional binaries: ‘GoogIe LLC’ and CoreKitAgent. The former collects system information and establishes persistence through a macOS LaunchAgent, while the latter serves as the primary payload with an event-driven architecture.
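The article says only that ‘GoogIe LLC’ persists through a macOS LaunchAgent, not what the agent's plist looks like. The following is an added triage example (not code from the article, SentinelLABS, or the malware) that parses LaunchAgent plists with the standard library and flags agents that both start automatically and run a program from outside the usual system and application directories. The label `com.example.updater`, the program path, and the trusted-prefix list are assumptions made for this example, and the two plists are constructed inline.

```python
import plistlib
from typing import Optional

# Assumption for this example: a LaunchAgent whose program lives outside these
# prefixes and that starts at login (RunAtLoad) or is respawned (KeepAlive)
# deserves analyst attention. Tune the list to the fleet's software inventory.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a LaunchAgent runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launch_agent(data: bytes) -> dict:
    """Parse one LaunchAgent plist (XML or binary) and summarise its persistence traits."""
    plist = plistlib.loads(data)
    path = program_path(plist)
    run_at_load = bool(plist.get("RunAtLoad", False))
    # KeepAlive may be a bool or a dict of conditions; either form means launchd restarts it.
    keep_alive = bool(plist.get("KeepAlive", False))
    untrusted = path is not None and not path.startswith(TRUSTED_PREFIXES)
    return {
        "label": plist.get("Label"),
        "program": path,
        "run_at_load": run_at_load,
        "keep_alive": keep_alive,
        "untrusted_location": untrusted,
        "suspicious": untrusted and (run_at_load or keep_alive),
    }


# Constructed sample plists (hypothetical label and path, not real IoCs).
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/Application Support/Example/updater"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.menubar",
    "Program": "/Applications/Example.app/Contents/MacOS/Example",
    "RunAtLoad": True,
})


def scan(plists) -> list:
    """Triage several plists and return only the suspicious findings."""
    return [f for f in (triage_launch_agent(p) for p in plists) if f["suspicious"]]


if __name__ == "__main__":
    for finding in scan([SUSPICIOUS_PLIST, BENIGN_PLIST]):
        print(finding)
```

On a live host the same function can be pointed at every file under `~/Library/LaunchAgents` and `/Library/LaunchAgents`; pair the plist check with a code-signature check of the referenced binary before deciding anything.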

What makes CoreKitAgent particularly dangerous is its ability to reinstate itself after termination. By installing handlers for SIGINT and SIGTERM, the signals a user or tool normally sends to stop a process, the malware turns a shutdown request into a trigger for a self-repair routine that re-deploys its critical components, so the infection survives a manual removal attempt. Security analysts note this makes the malware resistant to basic defensive measures. The trick does not extend to SIGKILL, which a process cannot catch, but killing the process that way still leaves a loaded LaunchAgent in place to relaunch it, so the agent has to be unloaded first.
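To make the signal-handling point concrete, here is an added demonstration (not code from the article or from the malware) of what a handler-based "self-repair" can and cannot intercept. A constructed child process installs handlers for SIGTERM and SIGINT that write a marker file, standing in for re-dropping components, and then exit; the parent delivers a signal and checks whether the marker appeared. It installs no persistence of any kind and is POSIX-only.

```python
import os
import signal
import subprocess
import sys
import tempfile

# Constructed stand-in for the implant's signal-based "repair" routine. Writing
# the marker file represents re-deploying components; nothing is actually dropped.
CHILD_SCRIPT = r'''
import os, signal, sys, time
marker = sys.argv[1]

def repair(signum, frame):
    # A real implant would re-drop its LaunchAgent and binaries here.
    with open(marker, "w") as fh:
        fh.write("reinstalled")
    os._exit(0)

signal.signal(signal.SIGTERM, repair)
signal.signal(signal.SIGINT, repair)
print("ready", flush=True)          # tell the parent the handlers are in place
while True:
    time.sleep(0.1)
'''


def terminate_and_check(sig: int) -> bool:
    """Start the child, deliver `sig`, and report whether its repair handler ran."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker")
        proc = subprocess.Popen([sys.executable, "-c", CHILD_SCRIPT, marker],
                                stdout=subprocess.PIPE, text=True)
        try:
            if proc.stdout.readline().strip() != "ready":
                raise RuntimeError("child did not start")
            os.kill(proc.pid, sig)
            proc.wait(timeout=5)
        finally:
            proc.stdout.close()
            if proc.poll() is None:
                proc.kill()
        return os.path.exists(marker)


def sigterm_is_intercepted() -> bool:
    """SIGTERM can be caught, so the handler runs and the marker is written."""
    return terminate_and_check(signal.SIGTERM)


def sigkill_is_intercepted() -> bool:
    """SIGKILL cannot be caught; the process dies before any handler runs."""
    return terminate_and_check(signal.SIGKILL)


if __name__ == "__main__":
    print("SIGTERM triggered repair:", sigterm_is_intercepted())
    print("SIGKILL triggered repair:", sigkill_is_intercepted())
```

For cleanup of such a process the order matters: unload the LaunchAgent first (for example `launchctl bootout gui/$UID/<label>`) so launchd does not respawn it, then send SIGKILL rather than SIGTERM, then delete the binaries and the plist.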

Beyond persistence, CoreKitAgent acts as a backdoor, executing a hex-encoded AppleScript that beacons to attacker-controlled servers every 30 seconds. It exfiltrates system data and runs remote commands, giving the operators ongoing access. Meanwhile, a secondary script named ‘zoomsdksupport.scpt’ initiates another infection chain involving a trojan that steals browser data, Keychain items, and Telegram messages.

The attackers employ clever obfuscation, such as embedding thousands of blank lines in scripts to hinder analysis. One module, ‘upl’, extracts credentials from browsers, shell histories, and macOS Keychain, while ‘tlgrm’ specifically targets Telegram databases, likely to decrypt private conversations.
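The hex-encoded AppleScript described two paragraphs above and the blank-line padding described here are both cheap to check for when triaging a suspicious `.scpt` or `osascript` payload. The following is an added example (not code from the article or the malware) that recovers an embedded hex-encoded script and measures blank-line padding. The wrapper script, the inner script, the 64-hex-digit minimum and the padding thresholds are constructed assumptions for this example, not the real NimDoor sample.

```python
import re
from typing import Optional

# Assumption: a contiguous run of at least 64 hex digits is unusual in a benign
# AppleScript and is worth trying to decode.
HEX_RUN = re.compile(r"[0-9a-fA-F]{64,}")


def decode_hex_payload(script: str) -> Optional[str]:
    """Return the longest even-length hex run in `script` decoded as UTF-8, or None."""
    runs = [m.group(0) for m in HEX_RUN.finditer(script) if len(m.group(0)) % 2 == 0]
    if not runs:
        return None
    try:
        return bytes.fromhex(max(runs, key=len)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def blank_line_stats(script: str) -> tuple:
    """Return (blank_line_count, blank_line_ratio) for the script text."""
    lines = script.split("\n")
    blanks = sum(1 for line in lines if not line.strip())
    return blanks, blanks / len(lines)


def triage_script(script: str) -> dict:
    """Summarise obfuscation indicators for one script."""
    decoded = decode_hex_payload(script)
    blanks, ratio = blank_line_stats(script)
    return {
        "hex_payload_decoded": decoded is not None,
        "decoded_runs_shell": decoded is not None and "do shell script" in decoded,
        "blank_lines": blanks,
        "blank_line_ratio": round(ratio, 4),
        # Assumption: over half blank and at least 1000 blank lines reads as deliberate padding.
        "padded": ratio > 0.5 and blanks >= 1000,
    }


# Constructed sample: an inner script that gathers host info, hex-encoded and
# wrapped in an outer AppleScript padded with 3000 blank lines. The inner
# content and the decode-and-run wrapper are illustrative, not the real sample.
INNER_SCRIPT = 'set sysinfo to do shell script "uname -a; whoami"\ndelay 30'
SAMPLE_SCRIPT = (
    'set payload to "' + INNER_SCRIPT.encode("utf-8").hex() + '"\n'
    + "\n" * 3000
    + 'run script (do shell script "echo " & payload & " | xxd -r -p")\n'
)
CLEAN_SCRIPT = 'display dialog "hello"\n'


if __name__ == "__main__":
    print(triage_script(SAMPLE_SCRIPT))
    print(decode_hex_payload(SAMPLE_SCRIPT))
```

The decoded text is what should go into further analysis (C2 hosts, commands run, beacon interval); the padding ratio alone is only a hint, since generated scripts can legitimately contain many empty lines.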

This campaign highlights North Korean threat actors’ growing sophistication in cross-platform attacks. The use of signal-based persistence and modular payloads demonstrates their ability to adapt techniques for macOS environments, traditionally considered more secure than Windows. Security teams are advised to monitor for the indicators of compromise detailed in recent reports, particularly in industries handling cryptocurrency assets.

The discovery underscores the importance of vigilance against social engineering lures, as initial infections often stem from fake software updates delivered via email or messaging platforms like Telegram. Organizations should prioritize endpoint protection and user awareness to mitigate such advanced threats.

(Source: Bleeping Computer)
