Threat actors linked to North Korea are targeting the Web3 and cryptocurrency sectors with malware named NimDoor, written in the Nim programming language. Their tactics include a sophisticated process injection technique and remote communication over the TLS-encrypted WebSocket protocol (wss). A unique persistence mechanism relies on SIGINT/SIGTERM signal handlers, ensuring the malware remains active across reboots. The attack chain begins with social engineering over messaging platforms, delivers the malware through a purported Zoom SDK update script, and ends in information theft carried out by embedded binaries.
"Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol."
"A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted."