SentinelLabs has issued a report about a new malware that targets Mac users of blockchain technologies.
The report is quite technical, but part of it notes that Democratic People’s Republic of Korea (DPRK) threat actors deploy AppleScripts widely, both to gain initial access and later in the attack chain, where the scripts function as lightweight beacons and backdoors. A threat actor is any individual or group that intentionally tries to harm digital systems, networks, or data. They can be individuals, organizations, or even nation-states, and their motives vary from financial gain to political or social goals. Essentially, anyone who uses their skills or resources to carry out malicious cyber activities is considered a threat actor.
What’s more, bash scripts are used to exfiltrate Keychain credentials, browser data and Telegram user data. A bash script is a plain text file containing a sequence of commands that are executed by the Bash shell. Bash (Bourne Again SHell) is a command-line interpreter used primarily on Unix-like operating systems such as Linux and macOS.
Telegram, also known as Telegram Messenger, is a cloud-based, cross-platform, social media and instant messaging service. It allows users to exchange messages, share media and files, and hold private and group voice or video calls as well as public livestreams.
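As an added illustration of how a defender might look for the two behaviours described above (AppleScript processes acting as beacons, and shell scripts touching credential or messaging data stores), here is a small Python heuristic written for this page; it is not code from the SentinelLabs report or the malware. The event format, field names, timing window and indicator paths are all assumptions made for the example, and the sample events are constructed.

```python
import re

# Directories whose appearance in a shell command line is worth flagging.
# These paths are assumed indicators chosen for this example, not from the report.
SENSITIVE_PATH_PATTERNS = [
    r"Library/Keychains",                            # macOS Keychain databases
    r"Library/Application Support/Google/Chrome",    # a browser profile directory
    r"Telegram",                                     # Telegram app data
]
SHELLS = {"bash", "sh", "zsh"}
BEACON_WINDOW_SECS = 60  # max gap between osascript start and its first connection

def parse_event(line):
    """Parse a constructed event line: ts=<int> pid=<int> type=<exec|net> comm=<name> args=<rest>."""
    m = re.match(r"ts=(\d+) pid=(\d+) type=(exec|net) comm=(\S+) args=(.*)", line)
    if not m:
        return None
    ts, pid, etype, comm, args = m.groups()
    return {"ts": int(ts), "pid": int(pid), "type": etype, "comm": comm, "args": args}

def detect(lines):
    """Return (pid, reason) findings for beacon-like osascript and shells touching data stores."""
    findings = []
    osascript_start = {}  # pid -> timestamp of the osascript exec event
    for e in filter(None, map(parse_event, lines)):
        if e["type"] == "exec" and e["comm"] == "osascript":
            osascript_start[e["pid"]] = e["ts"]
        # Rule 1: an osascript process opening a network connection soon after it starts
        elif e["type"] == "net" and e["pid"] in osascript_start:
            if e["ts"] - osascript_start[e["pid"]] <= BEACON_WINDOW_SECS:
                findings.append((e["pid"], "osascript-network-beacon"))
        # Rule 2: a shell command line referencing credential or messaging data stores
        elif e["type"] == "exec" and e["comm"] in SHELLS:
            for pat in SENSITIVE_PATH_PATTERNS:
                if re.search(pat, e["args"]):
                    findings.append((e["pid"], "shell-touches-sensitive-path:" + pat))
                    break
    return findings

# Constructed sample telemetry for this example; not real logs.
SAMPLE_EVENTS = [
    "ts=100 pid=501 type=exec comm=osascript args=-e 'do shell script \"id\"'",
    "ts=130 pid=501 type=net comm=osascript args=203.0.113.10:443",
    "ts=200 pid=502 type=exec comm=bash args=-c 'cp ~/Library/Keychains/login.keychain-db /tmp/'",
    "ts=300 pid=503 type=exec comm=bash args=-c 'ls /tmp'",
    "ts=400 pid=504 type=exec comm=osascript args=-e 'display dialog \"hello\"'",
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Running it flags only pid 501 (osascript followed by a connection within the window) and pid 502 (a shell referencing the Keychain directory); the benign shell and the dialog-only osascript are left alone.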
As noted by Macworld, given the nature of the attack, most Mac users aren’t targets. However, the SentinelLabs report points out that the use of Nim-based software in conjunction with AppleScript is a relatively new development.
Nim is a general-purpose, multi-paradigm, statically typed, compiled high-level system programming language. This combination helps the malware avoid detection and could eventually be used in a wider attack.