DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs techniques that are unusual for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism leveraging signal handlers and deploys AppleScripts as beacons and backdoors. The attack chain begins with social engineering via Telegram, leading to the execution of malicious scripts and binaries. The malware exfiltrates browser data, Keychain credentials, and Telegram user information. The use of Nim introduces new levels of complexity for analysts, blending complex behavior into binaries with less obvious control flow.
Author: AlienVault
Related Tags:
applescript
T1555.001
T1027.001
websocket
T1059.002
T1059.004
T1543.001
macos
T1574.002
Associated Indicators (SHA-1 hashes):
EE3795F6418FC0CACBE884A8EB803498C2B5776F
08AF4C21CD0A165695C756B6FDA37016197B01E7
945FCD3E08854A081C04C06EEB95AD6E0D9CDC19
C9540DEE9BDB28894332C5A74F696B4F94E4680C
BB72CA0E19A95C48A9EE4FD658958A0AE2AF44B6
023A15AC687E2D2E187D03E9976A89EF5F6C1617
A25C06E8545666D6D2A88C8DA300CF3383149D5A
1A5392102D57E9EA4DD33D3B7181D66B4D08D01D
2D746DDA85805C79B5F6EA376F97D9B2F547DA5D