A sophisticated cyber campaign is currently targeting macOS users, employing deceptive software update prompts to steal sensitive information, including passwords and cryptocurrency wallet data. This operation is attributed to Sapphire Sleet, a North Korean state-sponsored threat actor active since at least March 2020, known for focusing on individuals and organizations within the cryptocurrency, venture capital, and blockchain sectors.
The attack begins with social engineering. Victims are contacted via social media or professional networking platforms by individuals posing as job recruiters. After establishing communication, the target is persuaded to download a file disguised as a Zoom SDK update. When opened, the file launches in macOS’s legitimate Script Editor application, which then executes additional malicious code in the background while presenting what looks like a normal software installation to the user.
Once the malicious script is executed, it deploys a counterfeit application named ‘systemupdate.app.’ This app displays a password prompt that is virtually identical to a genuine macOS system dialog, requesting the user’s credentials to complete the software update. Unsuspecting users who enter their passwords unknowingly provide them directly to the attackers. The malware verifies the entered credentials against the local macOS authentication database and, if valid, transmits them to the attackers via the Telegram messaging service.
Following the credential theft, a second fake application, ‘softwareupdate.app,’ presents a convincing update-completion dialog to avoid raising suspicion. Concurrently, the malware collects cryptocurrency wallet information and other sensitive data from the victim’s system.
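The chain described above gives a defender two observable behaviours to hunt for: a legitimate Script Editor process spawning child processes, and an app bundle carrying one of the reported counterfeit names (‘systemupdate.app’, ‘softwareupdate.app’) running from somewhere other than Apple’s signed system locations. The following is an added detection example, not code from the article or from Microsoft or Apple; the process-event record format, the file paths and every sample event are constructed for illustration, and the Script Editor bundle path is assumed to be the modern `/System/Applications/Utilities/` location.

```python
"""
Added example (not from the original article): scan constructed
process-execution events for the behaviours the article describes.

Assumptions (constructed for this example):
  * each event is a JSON object with pid, ppid, image, bundle and signer
  * Script Editor lives under /System/Applications/Utilities/
  * genuine Apple update tooling is shipped under /System/
"""
import json

# Counterfeit bundle names reported in the article, compared case-insensitively.
SUSPECT_BUNDLE_NAMES = {"systemupdate.app", "softwareupdate.app"}
# Assumed location of the legitimate Script Editor bundle.
SCRIPT_EDITOR_PATH = "/System/Applications/Utilities/Script Editor.app"

# Constructed sample telemetry, one JSON object per line. The caches path,
# usernames and signer strings are invented for this example.
SAMPLE_JSONL = """
{"pid":501,"ppid":1,"image":"/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor","bundle":"/System/Applications/Utilities/Script Editor.app","signer":"Software Signing"}
{"pid":502,"ppid":501,"image":"/bin/sh","bundle":null,"signer":"Software Signing"}
{"pid":503,"ppid":502,"image":"/Users/alice/Library/Caches/systemupdate.app/Contents/MacOS/systemupdate","bundle":"/Users/alice/Library/Caches/systemupdate.app","signer":null}
{"pid":504,"ppid":1,"image":"/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update","bundle":"/System/Library/CoreServices/Software Update.app","signer":"Software Signing"}
{"pid":505,"ppid":1,"image":"/Applications/Firefox.app/Contents/MacOS/firefox","bundle":"/Applications/Firefox.app","signer":"Developer ID Application: Example Vendor"}
"""


def bundle_name(bundle_path):
    """Return the lower-cased last path component of a bundle path."""
    return bundle_path.rstrip("/").rsplit("/", 1)[-1].lower()


def scan(events):
    """Apply both detection rules to a list of event dicts and return findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # Rule 1: Script Editor spawned something that is not part of its own bundle.
        parent = by_pid.get(e["ppid"])
        if (parent is not None
                and parent["image"].startswith(SCRIPT_EDITOR_PATH)
                and not e["image"].startswith(SCRIPT_EDITOR_PATH)):
            findings.append({"rule": "script-editor-child-process",
                             "pid": e["pid"], "image": e["image"]})

        # Rule 2: a bundle named like the counterfeit update apps, outside /System/.
        bundle = e.get("bundle")
        if bundle and bundle_name(bundle) in SUSPECT_BUNDLE_NAMES \
                and not bundle.startswith("/System/"):
            findings.append({"rule": "counterfeit-update-app",
                             "pid": e["pid"], "image": e["image"],
                             "signer": e.get("signer")})
    return findings


def scan_jsonl(text):
    """Parse JSON-lines telemetry and run the scan over it."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return scan(events)


if __name__ == "__main__":
    for finding in scan_jsonl(SAMPLE_JSONL):
        print(json.dumps(finding))
```

Note that the genuine `Software Update.app` under `/System/Library/CoreServices/` is not flagged: its name contains a space and it lives under `/System/`, so both the name check and the location check distinguish it from the look-alike. In a real deployment the signer field would come from `codesign` or an EDR agent, and the unsigned finding on the counterfeit bundle is the detail worth surfacing first.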
Microsoft’s security analysts have identified this campaign and reported their findings to Apple. In response, Apple has implemented platform-level protections, including updates to XProtect signatures and Safari Safe Browsing, to detect and block infrastructure associated with this campaign. macOS users are strongly advised to keep their systems updated to benefit from these security measures.
This incident underscores the evolving nature of cyber threats targeting macOS users. While macOS has traditionally been perceived as more secure, attackers are increasingly developing sophisticated methods to exploit user trust and system functionalities. Users should exercise caution when receiving unsolicited communications, especially those involving software updates or job opportunities, and verify the authenticity of such requests through official channels.