Threat actors with ties to the Democratic People’s Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices.
Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built applications are part of a broader activity that includes malware written in Golang and Python.
It’s currently not known how these samples are distributed to victims, and if it has been used against any targets, or if the attackers are switching to a new delivery method. That said, North Korean threat actors are known to engage in extensive social engineering efforts targeting employees of cryptocurrency and decentralized finance businesses.
“We suspect these specific examples are testing,” Jaron Bradley, director at Jamf Threat Labs, told The Hacker News. “It’s possible they haven’t been distributed yet. It’s hard to tell. But yes. The attacker’s social engineering techniques have worked very well in the past and we suspect they’d continue using these techniques.”
Jamf has not attributed the malicious activity to a specific North Korea-linked hacking group, although it said it could be likely the work of a Lazarus sub-group known as BlueNoroff. This connection stems from infrastructure overlaps with malware referred to as KANDYKORN and the Hidden Risk campaign recently highlighted by Sentinel One.
What makes the new malware stand out is the use of the application of Flutter, a cross-platform application development framework, to embed the primary payload written in Dart, while masquerading as a fully functional Minesweeper game. The app is named “New Updates in Crypto Exchange (2024-08-28).”
What’s more, the game appears to be a clone of a basic Flutter game for iOS that’s publicly available on GitHub. It’s worth pointing out that the use of game-themed lures has also been observed in conjunction with another North Korean hacking group tracked as Moonstone Sleet.
These apps have also been signed and notarized using Apple developer IDs BALTIMORE JEWISH COUNCIL, INC. (3AKYHFR584) and FAIRBANKS CURLING CLUB INC. (6W69GC943U), suggesting that the threat actors are able to bypass Apple’s notarization process. The signatures have since been revoked by Apple.
Once launched, the malware sends a network request to a remote server (“mbupdate.linkpc[.]net”) and is configured to execute AppleScript code received from the server, but not before it’s written backwards.
Jamf said it also identified variants of the malware written in Go and Python, with the latter built with Py2App. The apps – named NewEra for Stablecoins and DeFi, CeFi (Protected).app and Runner.app – are equipped with similar capabilities to run any AppleScript payload received in the server HTTP response.
The latest development is a sign that DPRK threat actors are actively developing malware using several programming languages to infiltrate cryptocurrency companies.
“Malware discovered from the actor over the past years comes in many different variants with frequently updated iterations,” Bradley said. “We suspect this in efforts to remain undetected and keep malware looking different on each release. In the case of the Dart language, we suspect it’s because the actors discovered that Flutter applications make for great obscurity due to their app architecture once compiled.”
