A sophisticated new macOS malware campaign, identified as ‘NimDoor’ by security researchers, has surfaced, specifically targeting Web3 and cryptocurrency platforms. This malware employs advanced techniques, including process injection and encrypted WebSocket communications, to steal sensitive user credentials and financial data.
Initial Attack Vector:
The attack begins with social engineering tactics. North Korean threat actors impersonate trusted contacts via Telegram to arrange fraudulent business meetings. Victims receive fake Zoom meeting invitations accompanied by instructions to download and execute a malicious Zoom SDK update script from attacker-controlled domains designed to mimic legitimate Zoom infrastructure, such as support.us05web-zoom[.]forum.
Technical Sophistication:
What sets NimDoor apart from typical macOS threats is its technical complexity and multi-layered architecture. SentinelOne analysts have identified that the malware employs a rare process injection technique on macOS. It utilizes specialized system entitlements, typically reserved for debugging tools, to inject malicious code into legitimate processes. This method allows the malware to operate with increased stealth and persistence, effectively evading traditional detection mechanisms.
The attack chain involves multiple components written in different programming languages:
– AppleScript: Used for initial access.
– C++: Employed for process injection.
– Nim: Utilized for core functionality.
This diverse technological approach demonstrates the threat actors’ commitment to developing sophisticated tools capable of compromising modern macOS systems while remaining difficult to analyze and detect.
Advanced Persistence Mechanism:
NimDoor’s most innovative feature lies in its persistence mechanism, which leverages macOS signal handling in an unprecedented way. Instead of relying on traditional persistence methods like LaunchAgents or Login Items, NimDoor implements a novel approach that monitors system signals to maintain its presence on infected machines.
The CoreKitAgent component establishes signal handlers for both SIGINT (interrupt signal) and SIGTERM (termination signal), effectively intercepting attempts to terminate the malware process. When a user or system attempts to kill the malware through standard methods, these signal handlers trigger instead of allowing the process to terminate.
The malware then uses this interruption as an opportunity to reinstall itself, writing a LaunchAgent to ~/Library/LaunchAgents/com.google.update.plist and copying its components to ensure persistence across system reboots.
This signal-based persistence mechanism operates through the following code implementation:
“`c
posix_spawnattr_init(&attrp) && !posix_spawnattr_setflags(&attrp, POSIX_SPAWN_START_SUSPENDED);
posix_spawn(&pid, filename, 0, &attrp, argv_1, environ);
kill(pid, SIGCONT);
“`
Encrypted Communication and Data Exfiltration:
NimDoor communicates with its command and control (C2) infrastructure using the WebSocket Secure (wss) protocol at wss://firstfromsep[.]online/client. It employs multiple layers of RC4 encryption combined with base64 encoding. This encrypted communication channel enables the malware to exfiltrate stolen Keychain credentials, browser data from major applications including Chrome and Firefox, and Telegram chat histories while maintaining operational security against network monitoring tools.
Implications and Recommendations:
The emergence of NimDoor underscores the evolving threat landscape targeting macOS systems, particularly within the cryptocurrency sector. Its sophisticated techniques highlight the need for enhanced security measures and user vigilance.
Recommendations for Users:
1. Exercise Caution with Unsolicited Communications: Be wary of unexpected messages or meeting invitations, especially those requesting software downloads or updates.
2. Verify Software Sources: Always download software from official and trusted sources.
3. Keep Systems Updated: Regularly update your operating system and applications to patch known vulnerabilities.
4. Implement Robust Security Solutions: Utilize comprehensive security software capable of detecting and mitigating advanced threats.
5. Monitor System Behavior: Be alert to unusual system behavior, such as unexpected prompts for credentials or system slowdowns.
By adopting these practices, users can enhance their defense against sophisticated malware campaigns like NimDoor.
