North Korean Hackers Use Flutter-Embedded Malware to Target macOS Devices

Hackers linked to North Korea (DPRK) have been embedding malware within Flutter applications to infect Apple macOS systems, a technique not previously observed from these actors. Jamf Threat Labs identified the approach after finding Flutter-based malware samples on VirusTotal earlier this month. The samples belong to a broader North Korean campaign that also includes malware written in Golang and Python.

Although it’s unclear how the malware samples reach their targets, North Korean threat actors frequently employ sophisticated social engineering tactics aimed at cryptocurrency and decentralized finance (DeFi) employees.

Jamf’s Jaron Bradley suspects these samples may still be in a testing stage, noting that there is no evidence yet of wide distribution. North Korean attackers have, however, had repeated success with social engineering, so similar delivery methods are a reasonable expectation for this new tooling.

Jamf has not directly linked this attack to a specific DPRK hacking group but noted possible ties to the Lazarus subgroup, BlueNoroff, due to shared infrastructure with previously identified malware like KANDYKORN and the Hidden Risk campaign, recently spotlighted by SentinelOne.

The new malware stands out for its use of Flutter, a cross-platform development framework, with the malicious logic written in Dart and compiled into the application bundle. Disguised as a Minesweeper game titled “New Updates in Crypto Exchange (2024-08-28),” the app looks legitimate but is built to deliver malware.

The game itself mimics a basic iOS Flutter game found on GitHub. Using game-themed lures aligns with tactics of another North Korean group, Moonstone Sleet, which has previously used similar approaches.

The hackers have signed these malicious apps with Apple developer IDs belonging to legitimate organizations like the Baltimore Jewish Council and Fairbanks Curling Club, enabling them to pass Apple’s notarization process. Apple has since revoked these signatures.

Once launched, the malware contacts a remote server (“mbupdate.linkpc[.]net”) and runs whatever AppleScript the server returns. The script is delivered written backwards, so a naive signature that looks for AppleScript keywords in the response will not match until the text is reversed.

Jamf also identified related malware variants built in Go and Python, including applications like “NewEra for Stablecoins and DeFi,” which are designed to execute AppleScript payloads received from a command-and-control server.
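Both the Flutter sample and the Go/Python variants above share one behaviour: they fetch AppleScript from a C2 server and execute it, in the Flutter case after reversing the text. The following Python triage helper is an added example for this article, not code from Jamf, from the malware, or from any product; it shows how an analyst could flag a reversed-AppleScript payload in captured C2 responses by counting AppleScript markers before and after reversal. The marker list, the sample script and the sample responses are all constructed here for illustration and are not indicators from the campaign.

```python
"""Triage helper for reversed AppleScript payloads (added example, not from the article)."""
from typing import Optional

# Constructs found in almost any AppleScript worth executing. A response that
# matches none of these as-is but several once reversed is a strong signal of
# a backwards-encoded script. Assumption: a real deployment would tune this list.
APPLESCRIPT_MARKERS = (
    "tell application",
    "do shell script",
    "display dialog",
    "end tell",
    "end run",
)


def count_markers(text: str) -> int:
    """Number of distinct AppleScript markers present in `text` (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for marker in APPLESCRIPT_MARKERS if marker in lowered)


def decode_reversed_applescript(blob: str) -> Optional[str]:
    """Return the forward script if `blob` looks like reversed AppleScript, else None.

    The check is asymmetric: the reversed text must score at least two markers and
    strictly more than the forward text, so ordinary AppleScript is not "decoded".
    """
    forward = count_markers(blob)
    candidate = blob[::-1]
    backward = count_markers(candidate)
    if backward >= 2 and backward > forward:
        return candidate
    return None


def classify_c2_response(blob: str) -> str:
    """Rough label for a string returned by a suspected C2 endpoint."""
    if count_markers(blob) >= 2:
        return "plain-applescript"
    if decode_reversed_applescript(blob) is not None:
        return "reversed-applescript"
    return "unknown"


def triage(responses: list) -> list:
    """Classify each response and recover any reversed script for analyst review."""
    results = []
    for blob in responses:
        label = classify_c2_response(blob)
        script = decode_reversed_applescript(blob) if label == "reversed-applescript" else None
        results.append((label, script))
    return results


# Constructed sample script (benign, invented for this example).
SAMPLE_SCRIPT = 'tell application "Finder"\n\tdisplay dialog "Update available"\nend tell'

# Constructed "C2 responses": a reversed script, a plain script, and a harmless JSON reply.
SAMPLE_RESPONSES = [
    SAMPLE_SCRIPT[::-1],
    SAMPLE_SCRIPT,
    '{"status": "ok", "version": "1.0"}',
]

if __name__ == "__main__":
    for label, script in triage(SAMPLE_RESPONSES):
        print(label)
        if script:
            print("  recovered script:", script.replace("\n", " | "))
```

Running the file prints `reversed-applescript` (with the recovered forward script), `plain-applescript`, and `unknown` for the three constructed responses. The same reversal check can be applied to strings extracted from a suspect binary, since the reversed script may be embedded rather than fetched.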

The discovery highlights North Korean threat actors’ continued efforts to infiltrate cryptocurrency companies, rotating programming languages and malware techniques to stay ahead of detection. Bradley noted that the attackers frequently alter their malware to evade detection; in the case of Flutter, they likely chose the framework because Dart code compiled into a Flutter app is considerably harder to inspect and reverse-engineer than the same logic in a plain script.