
North Korean hackers are behind a new and unusually sophisticated macOS malware campaign that targets the crypto industry using fake Zoom invites. Here’s how it works.
Dubbed “NimDoor” by researchers at SentinelLabs, the attack is more sophisticated than the typical macOS threat, and it chains together AppleScript, Bash, C++, and Nim to exfiltrate data and maintain access in compromised systems.
Here’s SentinelLabs’ executive summary of the hack:
- DPRK threat actors are utilizing Nim-compiled binaries and multiple attack chains in a campaign targeting Web3 and Crypto-related businesses.
- Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol.
- A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted.
- The threat actors deploy AppleScripts widely, both to gain initial access and also later in the attack chain to function as lightweight beacons and backdoors.
- Bash scripts are used to exfiltrate Keychain credentials, browser data and Telegram user data.
- SentinelLABS’ analysis highlights novel TTPs and malware artifacts that tie together previously reported components, extending our understanding of the threat actors’ evolving playbook.
How it actually works, in a nutshell
Through social engineering, victims are approached via Telegram by someone impersonating a trusted contact. They’re asked to schedule a call through Calendly, then sent a follow-up email containing a fake Zoom link and instructions to run a bogus “Zoom SDK update.” SentinelLabs says that the file “is heavily padded, containing 10,000 lines of whitespace to obfuscate its true function.”
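The "10,000 lines of whitespace" detail above is a cheap triage signal for defenders: legitimate installer scripts are almost never mostly blank. The script below is an added example (it is not code from the SentinelLabs report or from the malware) that measures how much of a script body is whitespace-only and flags extreme padding. The thresholds (`min_blank_lines`, `min_blank_ratio`) and the two sample bodies are assumptions constructed for the demonstration, not values or artifacts from the report.

```python
"""Heuristic check for whitespace-padded scripts (added example, not SentinelLabs code).

The lure described in the article is a fake "Zoom SDK update" script padded with
roughly 10,000 lines of whitespace. Real scripts are rarely mostly blank, so a
very high count AND ratio of whitespace-only lines is a cheap signal when
triaging files that arrive as "updates". Thresholds are assumed defaults, not
values from the report.
"""
from dataclasses import dataclass


@dataclass
class PaddingStats:
    total_lines: int
    blank_lines: int
    code_lines: int

    @property
    def blank_ratio(self) -> float:
        # Fraction of lines that are whitespace-only; 0.0 for an empty file.
        return self.blank_lines / self.total_lines if self.total_lines else 0.0


def padding_stats(text: str) -> PaddingStats:
    """Count total, whitespace-only and non-blank lines in a script body."""
    lines = text.splitlines()
    blank = sum(1 for line in lines if not line.strip())
    return PaddingStats(total_lines=len(lines), blank_lines=blank, code_lines=len(lines) - blank)


def is_suspiciously_padded(text: str, min_blank_lines: int = 1000, min_blank_ratio: float = 0.95) -> bool:
    """Flag a script whose body is overwhelmingly whitespace.

    Both thresholds must be met so that a short script with a few blank lines,
    or a long but ordinary script, is not flagged. Defaults are assumptions.
    """
    stats = padding_stats(text)
    return stats.blank_lines >= min_blank_lines and stats.blank_ratio >= min_blank_ratio


# Constructed samples for the demonstration (not real NimDoor artifacts).
PADDED_LURE = "#!/bin/bash\n" + ("\n" * 10000) + "osascript -e 'display dialog \"Updating Zoom SDK\"'\n"
ORDINARY_SCRIPT = "#!/bin/bash\n\nset -e\n\necho 'installing'\n\nexit 0\n"

if __name__ == "__main__":
    for name, body in (("padded lure", PADDED_LURE), ("ordinary script", ORDINARY_SCRIPT)):
        s = padding_stats(body)
        verdict = "SUSPICIOUS" if is_suspiciously_padded(body) else "ok"
        print(f"{name}: {s.total_lines} lines, {s.blank_lines} blank ({s.blank_ratio:.1%}) -> {verdict}")
```

Requiring both an absolute count and a ratio keeps the check from firing on tiny scripts or on long, normally formatted ones; in practice it belongs beside, not instead of, hash and signature checks on anything a "trusted contact" asks you to run.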
When executed, it triggers an intricate series of events that establish an encrypted connection with a command-and-control server. It also includes backup logic that reinstalls key components if the system is rebooted or the malware process is terminated.

Once all the hack’s binaries and persistence mechanisms are in place, the malware uses Bash scripts to scrape and exfiltrate credentials and sensitive data. That includes Keychain credentials, browser data, and Telegram data.
The full technical deep dive is well worth a look
If you want to dive deeper into the nitty-gritty of how the hack works, the SentinelLabs report includes full hash listings, code snippets, screenshots and attack flow diagrams, along with a much more detailed breakdown of each stage, from the fake Zoom update to the final data exfiltration.
The researchers also note that NimDoor reflects a broader shift toward more complex and less familiar cross-platform languages in macOS malware, moving beyond the Go, Python, and shell scripts that North Korean threat actors have typically used in the past.
Does this sort of hack scare you? Do you think these hacks get blown out of proportion? Let us know in the comments.