Campaign delivers modular, persistent, Mac-specific malware: Huntress recovered a total of eight distinct malicious binaries, each with specific tasks. The primary implant, "Telegram 2", was written in Nim and embedded itself as a macOS LaunchDaemon to maintain persistence. It acted as a launchpad for the real power tools, including the Go-based "Root Troy V4" backdoor and "CryptoBot", a dedicated crypto stealer that hunted for wallet data across 20+ Web3 plugins.

The attack's highlight, though, is "InjectWithDyId", a C++ loader capable of process injection on macOS, an area rarely breached at this depth, researchers added. It decrypted embedded payloads using AES-CFB and injected them into benign apps like the Swift-based "Base App". Additionally, to avoid user detection, it wrapped commands in display sleep checks, executing only when the screen was off.

Other significant payloads included XScreen, a keylogger with screen and clipboard capture capabilities, and NetChk, a decoy binary that ran infinite loops to muddy the system's process list. Each implant was signed and disguised just enough to quietly exfiltrate data to fake Zoom, MetaMask, and crypto-themed C2 servers.

To stay ahead of the threat, Barr recommended leaning on existing technical capabilities such as MDM platforms that enforce least privilege and prevent local admin access or unapproved installs, and EDR solutions that offer real-time visibility into endpoint activity and alert on suspicious behavior. "Layered defenses that combine user training with strong endpoint controls, policy enforcement, and behavioral analytics are not optional, they're essential," he said.
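The LaunchDaemon persistence described above is the one foothold a defender can audit directly on disk. The following triage script is an added example, not code from the article, from Huntress, or from the malware itself: it parses launchd job plists with the standard library and flags the traits a persistence implant that borrows a legitimate app's name tends to show (program running from a user-writable or hidden path, a brand name in the label with no matching install under /Applications, RunAtLoad combined with KeepAlive). The list of mimicked app names, the path heuristics and the two sample plists are the author's own assumptions and constructed data, not indicators recovered from this campaign.

```python
"""Triage macOS launchd job plists for common persistence red flags.

Added example, not the article's or Huntress' code. The heuristics below are
assumptions about what usually separates a daemon that imitates a legitimate
app from the real thing; tune them for your fleet. The sample plists at the
bottom are constructed for the demo, not artefacts from the campaign.
"""
import os
import plistlib
from typing import Dict, List

# Assumption: app brands commonly borrowed for persistence labels
# (the article's primary implant was named "Telegram 2").
MIMICKED_APP_NAMES = ("telegram", "zoom", "metamask", "slack", "chrome")

# Assumption: a legitimate LaunchDaemon program rarely executes from here.
USER_WRITABLE_PREFIXES = (
    "/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/private/var/folders/",
)


def program_path(plist: Dict) -> str:
    """Executable a launchd job runs: Program if set, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_plist(raw: bytes) -> List[str]:
    """Return human-readable findings for one plist; an empty list means no red flag."""
    plist = plistlib.loads(raw)
    findings: List[str] = []
    label = str(plist.get("Label", "")).lower()
    path = program_path(plist)
    if not path:
        return ["no Program/ProgramArguments: malformed job"]

    # Binary dropped somewhere any user (or a phished victim) can write.
    if path.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program runs from user-writable location: {path}")
    # A dot-prefixed directory or file name hides the payload from Finder.
    if any(part.startswith(".") for part in path.split("/") if part):
        findings.append(f"program path contains a hidden directory or file: {path}")
    # Brand name in the label/path without a real install under /Applications.
    mimics = any(n in label or n in path.lower() for n in MIMICKED_APP_NAMES)
    if mimics and not path.startswith("/Applications/"):
        findings.append(f"imitates a well-known app but is not installed under /Applications: {path}")
    # Relaunched at boot and again whenever the process dies.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: relaunched on boot and whenever terminated")
    return findings


def scan_directory(directory: str) -> Dict[str, List[str]]:
    """Triage every .plist in a launchd directory; returns {file: findings} for flagged jobs only."""
    flagged: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                findings = triage_plist(fh.read())
            except plistlib.InvalidFileException:
                findings = ["unparseable plist"]
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample plists (demo data, not recovered artefacts).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.telegram.update2</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.tg/Telegram 2</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup-agent</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for tag, raw in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(tag, triage_plist(raw) or ["no findings"])
    # On a real host: scan_directory("/Library/LaunchDaemons")
    # and scan_directory(os.path.expanduser("~/Library/LaunchAgents"))
```

The script is a first-pass filter, not a verdict: a flagged job still needs its binary's code signature and hash checked, and a clean result only means none of these particular heuristics fired. It complements, rather than replaces, the EDR visibility the article recommends.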
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4009603/north-koreas-bluenoroff-uses-ai-deepfakes-to-push-mac-malware-in-fake-zoom-calls.html