
North Korean Hackers Deploy ‘NimDoor’ Malware to Target Crypto Firms

  • Hackers spread NimDoor via Telegram using fake Zoom SDK update scripts targeting macOS.
  • NimDoor uses AppleScript backdoors and process injection to evade detection and maintain access.
  • Attackers exfiltrate browser credentials, Telegram data, and system info from compromised machines.

SentinelLabs has uncovered a sophisticated malware campaign by North Korean threat actors targeting macOS systems and cryptocurrency-related businesses. The attackers employ a malware family named NimDoor, written in the Nim programming language with advanced persistence and obfuscation methods. The infection begins with social engineering on Telegram, where attackers pose as trusted contacts and schedule fake meetings via Calendly. Victims are then directed to download a malicious AppleScript posing as a Zoom SDK update from attacker-controlled domains.

This AppleScript, disguised as a legitimate update, is padded with over 10,000 lines of whitespace so that the malicious code sits far below what a casual reviewer or a simple scanner inspects. When run, it downloads and executes the next-stage payloads that begin the infection chain, then opens a legitimate Zoom web page so the victim sees nothing amiss. One of the scripts, named tlgrm, steals Telegram’s encrypted local database together with the key blob needed to decrypt it. The stolen data is exfiltrated to a remote server through an upload routine that is identical across multiple variants of the campaign.

The core infection sequence relies on a C++ loader named InjectWithDyldArm64, which decrypts embedded binaries and injects them into suspended processes. The loader launches two embedded payloads, labeled ‘Target’ and ‘trojan1_arm64’, which provide command execution, directory manipulation, and system reconnaissance. Trojan1_arm64 can also fetch further payloads that extract sensitive browser data and Telegram application data; the browser stealer handles Chrome, Firefox, Brave, Edge, and Arc.

Use of AppleScript for Persistence and Command Execution

NimDoor uses obfuscated AppleScripts stored inside the binary, and each script acts as both a beacon and a backdoor. The scripts run every 30 seconds and post a snapshot of the running process list to one of two command-and-control servers, writeup[.]live and safeup[.]store, which receive the data and respond with further commands that the malware executes through AppleScript. This dual-function script gives the operators persistent communication and remote code execution at the same time.
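A timer-driven beacon like the one described above leaves a distinctive trace in process-execution telemetry: the same interpreter, the same command line, at a nearly constant interval. The following Python is an added example (not code from SentinelLabs or from the malware) that groups execution events by parent image and command line and flags groups whose inter-arrival times barely vary. The log lines, paths, user name, the `.ses` command line and the thresholds are constructed assumptions chosen to mirror the behaviour in the text, not captured NimDoor data.

```python
"""Flag fixed-cadence osascript execution in constructed process-exec telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed telemetry, one event per line: "ISO8601 timestamp|parent image|command line".
# Everything here is invented for the example; only the 30-second cadence mirrors the report.
_BASE = datetime(2025, 7, 2, 10, 0, 0)
_JITTER = [0, 1, -1, 0, 1, 0, -1, 0, 1, 0]           # a second or so of scheduling drift

# Ten beacon runs of a script saved as .ses, every ~30 s.
LOG_LINES = [
    f"{(_BASE + timedelta(seconds=30 * i + j)).isoformat()}|/usr/bin/osascript|osascript /Users/alice/.ses"
    for i, j in enumerate(_JITTER)
]
# The user's own osascript invocations: same binary, irregular timing (should not fire).
LOG_LINES += [
    f"{(_BASE + timedelta(seconds=s)).isoformat()}|/bin/zsh|osascript -e 'display dialog Hello'"
    for s in (5, 300, 310, 1000, 1600, 1605)
]
# Three curl runs: too few events to judge a cadence.
LOG_LINES += [
    f"{(_BASE + timedelta(seconds=s)).isoformat()}|/bin/zsh|curl -s https://example.invalid/"
    for s in (7, 400, 900)
]


def parse(lines):
    """Turn log lines into (epoch_seconds, parent, command) tuples."""
    events = []
    for line in lines:
        ts, parent, cmd = line.split("|", 2)
        events.append((datetime.fromisoformat(ts).timestamp(), parent, cmd))
    return events


def beacon_candidates(events, min_events=6, max_jitter=0.2):
    """Report (parent, command) groups whose inter-arrival times have a low
    coefficient of variation, i.e. look timer-driven rather than human-driven."""
    by_key = defaultdict(list)
    for ts, parent, cmd in events:
        by_key[(parent, cmd)].append(ts)
    found = []
    for (parent, cmd), times in by_key.items():
        if len(times) < min_events:            # not enough samples to call it periodic
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        period = mean(deltas)
        if period <= 0:
            continue
        jitter = pstdev(deltas) / period       # ~0 for a fixed timer, large for a person
        if jitter <= max_jitter:
            found.append({"parent": parent, "cmd": cmd, "period_s": round(period, 1),
                          "jitter": round(jitter, 3), "count": len(times)})
    return found


if __name__ == "__main__":
    for hit in beacon_candidates(parse(LOG_LINES)):
        print(hit)
```

Only the `.ses` group survives: the interactive osascript runs share the binary but not the cadence, and the curl runs are below the sample threshold. In practice the input would come from EDR or macOS process-exec events, and the period and jitter bounds should be tuned to the environment rather than fixed at 30 seconds, since an operator can change the interval trivially.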

To hinder analysis, the scripts build strings from individual characters and hexadecimal-encoded values, which complicates static analysis by defensive tools. One script is stored locally as .ses and executed with the macOS osascript command; it builds per-beacon HTTP headers that incorporate a timestamp and sends them to the C2 servers. The stripped version of the malware carries AppleScripts with different encoded strings but the same operational logic.
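Both obfuscation tricks mentioned on this page, the whitespace padding of the Zoom-update script and the character-split and hex-encoded strings in the beacon scripts, are cheap to undo during triage. The Python below is an added example (not code from SentinelLabs or the page's sources) that measures blank-line padding, recovers printable strings from quoted hex literals and from `"a" & "b" & "c"` concatenations, and then looks for suspicious tokens in the recovered text. The sample script is constructed to mirror the described tactics and is not the NimDoor AppleScript; the token list, the padding threshold and the scoring are assumptions.

```python
"""Static triage of an AppleScript: whitespace padding, hex literals, char-by-char strings."""
import re

# Constructed sample (not the real NimDoor script): padded with blank lines, with the
# real commands hidden as hex strings and as "&"-joined single characters.
SAMPLE_SCRIPT = (
    "\n" * 200
    + 'set c to "6375726c"\n'                                          # "curl"
    + 'set u to "68747470733a2f2f6578616d706c652e696e76616c69642f"\n'  # "https://example.invalid/"
    + 'set p to "p" & "s" & " " & "-" & "a" & "x"\n'                   # "ps -ax"
    + 'set k to "646f207368656c6c20736372697074"\n'                    # "do shell script"
    + "\n" * 50
    + 'open location "https://zoom.us/"\n'                             # decoy redirect
)
BENIGN_SCRIPT = 'tell application "Finder" to activate\n'

HEX_LITERAL = re.compile(r'"((?:[0-9a-fA-F]{2}){4,})"')          # quoted hex, at least 4 bytes
CHAR_CONCAT = re.compile(r'(?:"[^"\n]"\s*&\s*){2,}"[^"\n]"')        # "a" & "b" & "c" ...
# Assumed watch-list of tokens worth a second look once strings are recovered.
SUSPICIOUS = ("do shell script", "curl", "osascript", "ps -ax", "http", "chmod", "nohup")


def whitespace_ratio(script):
    """Fraction of lines that are empty or whitespace-only."""
    lines = script.splitlines()
    if not lines:
        return 0.0
    return sum(1 for ln in lines if not ln.strip()) / len(lines)


def decode_hex_literals(script):
    """Decode quoted hex strings that turn out to be printable ASCII."""
    found = []
    for m in HEX_LITERAL.finditer(script):
        raw = bytes.fromhex(m.group(1))
        if all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found


def rejoin_char_concats(script):
    """Re-assemble strings built from single characters joined with '&'."""
    return ["".join(re.findall(r'"([^"\n])"', m.group(0)))
            for m in CHAR_CONCAT.finditer(script)]


def triage(script, padding_threshold=0.9):
    """Score a script: padding, number of recovered strings, suspicious tokens found."""
    ratio = whitespace_ratio(script)
    recovered = decode_hex_literals(script) + rejoin_char_concats(script)
    searchable = (script + "\n" + "\n".join(recovered)).lower()
    indicators = sorted(t for t in SUSPICIOUS if t in searchable)
    score = (2 if ratio > padding_threshold else 0) + min(len(recovered), 3) + len(indicators)
    return {"blank_line_ratio": round(ratio, 3), "recovered": recovered,
            "indicators": indicators, "score": score}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, triage(text))
```

The constructed sample scores high on all three axes while the one-line benign script scores zero. The hex check deliberately requires printable ASCII so that a legitimate hex constant is not reported; a real triage pipeline would also feed the recovered strings through the same domain and URL indicator matching used for the rest of the campaign.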

SentinelLabs attributes the activity to North Korean-aligned actors on the basis of TTPs shared with known DPRK groups such as Kimsuky. These actors have previously written cross-platform malware in languages like Go and Rust. Nim matters because it supports compile-time function execution, so developer logic and runtime code end up intertwined in the compiled binary, which makes reverse engineering harder. The result is complex binaries that give analysts little immediate insight into what happens inside them.

The campaign fits the established North Korean focus on the Web3 and cryptocurrency sectors. Victims are selected and approached through spear-phishing over messaging services and email, using impersonated contacts and prepared lures; spoofed meeting invitations and fake update prompts lend the malware credibility. Once established, the malware chain provides remote access, data theft, and credential harvesting on the targeted macOS systems.


ClickFix Tactics and Broader APT Activity

In parallel campaigns observed by South Korean cybersecurity firm Genians, Kimsuky has continued to use modified “ClickFix” social engineering techniques. The spear-phishing messages use lures such as interview requests or security checks and lead to Windows malware: Visual Basic Scripts and PowerShell commands embedded in decoy documents or fake CAPTCHA forms. These deliver malware such as BabyShark and Xeno RAT, which provide persistent access and steal data.

The supporting infrastructure for these attacks involves GitHub, Dropbox, and Korean-hosted C2 servers. Hard-coded GitHub Personal Access Tokens give the malware access to the actors’ repositories, which are used both to deliver payloads and to collect stolen data. The campaigns reused the same infrastructure to download PowerShell scripts and to stage malicious LNK files that start the infection chains. These patterns show how persistent and adaptable Kimsuky has been across platforms and targets.

The SentinelLabs report includes indicators of compromise and technical details that help defenders track the growing North Korean threat.

Disclaimer: The information provided by CryptoTale is for educational and informational purposes only and should not be considered financial advice. Always conduct your own research and consult with a professional before making any investment decisions. CryptoTale is not liable for any financial losses resulting from the use of the content.
