Hackers Target MacOS With Malware-Embedded Flutter Applications
North Korean cyber threat actors have begun embedding malware within applications built using Flutter
In a novel strategy, North Korean cyber threat actors have begun embedding malware within applications built using Flutter, a popular cross-platform framework. This marks the first time adversaries have used Flutter-based apps to compromise Apple macOS devices. According to Jamf Threat Labs, the Flutter-built applications are part of a broader range of malicious software including samples written in Golang and Python. This campaign points to North Korea's evolving tactics in targeting cryptocurrency and decentralized finance (DeFi) businesses.
Understanding the Tactics
The recent discovery came to light after samples of the malware were uploaded to the VirusTotal platform. While details remain scarce on how these samples are distributed, Jamf Threat Labs director Jaron Bradley shared insights on the situation: “We suspect these specific examples are testing. It’s possible they haven’t been distributed yet.” This could indicate that the North Korean threat actors, known for deploying sophisticated social engineering tactics, may be experimenting with new methods to achieve their objectives.
The malware primarily targets macOS users by disguising itself as legitimate software. The malicious app, titled "New Updates in Crypto Exchange (2024-08-28)," mimics a fully functional game, utilizing Flutter’s cross-platform framework to embed the primary payload written in Dart, Flutter’s programming language. The application is styled as a clone of an open-source Flutter game for iOS, specifically a Minesweeper game found on GitHub. This game-themed lure aligns with previously observed strategies by North Korean hacking groups like Moonstone Sleet, who have also used game-related themes to deceive victims.
Who is Behind This Campaign?
Jamf has not explicitly attributed this activity to a particular North Korean hacking group, though it is likely linked to BlueNoroff, a sub-group of the Lazarus Group. This assessment is based on overlaps in infrastructure with previously identified malware campaigns, such as KANDYKORN and SentinelOne’s recent "Hidden Risk" campaign. BlueNoroff is known for financially motivated cyberattacks and cryptocurrency-targeting malware, and it frequently infiltrates cryptocurrency businesses through social engineering.
Advanced Techniques in Obfuscation
The malware’s use of Flutter offers multiple advantages to the threat actors:
Cross-Platform Capabilities: Flutter applications can run on iOS, Android, macOS, and even web platforms. By leveraging Flutter, the threat actors simplify their work in targeting multiple platforms simultaneously.
Enhanced Obfuscation: Flutter applications, once compiled, feature a complex architecture, making it harder to detect and analyze the malware’s core functions.
Apple Notarization Evasion: The app was signed and notarized using Apple developer IDs belonging to legitimate organizations, including BALTIMORE JEWISH COUNCIL, INC. and FAIRBANKS CURLING CLUB INC. Because the app carried a valid signature and notarization, it passed Apple’s checks without being flagged. Apple has since revoked these certificates, though obtaining and abusing valid Apple developer identities in this way requires significant effort.
How the Malware Operates
Upon installation, the malicious app connects to a remote server, “mbupdate.linkpc[.]net,” from which it receives AppleScript code to execute. Interestingly, the script is written backward (reversed), adding a layer of obfuscation and making detection more challenging. Once the malware establishes a connection, it can execute any command sent by the remote server, potentially giving attackers complete control over the infected device.
Jamf’s analysis also identified similar malware samples written in Go and Python. These samples include apps like “NewEra for Stablecoins and DeFi,” “CeFi (Protected).app,” and “Runner.app,” which are capable of running AppleScript payloads sent from the server in the HTTP response.
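The backward-written AppleScript described above, and the Go and Python variants that run AppleScript delivered in HTTP responses, suggest a simple triage heuristic for analysts: score a response body for AppleScript keywords both as received and reversed, and flag bodies that only look like AppleScript once reversed. The following is an added example and is not code from Jamf Threat Labs or from this article; the keyword list, the thresholds and the sample response bodies are constructed assumptions, and no real payload is reproduced.

```python
"""Heuristic detector for reversed (backward-written) AppleScript payloads.

Added example, not code from Jamf or the article. The sample response
bodies below are constructed for illustration; none is real C2 traffic.
"""

# AppleScript constructs that rarely occur in benign update responses.
# Assumption: this short list is illustrative, not an exhaustive signature set.
APPLESCRIPT_MARKERS = (
    "do shell script",
    "tell application",
    "osascript",
    "display dialog",
    "end tell",
)


def score_applescript(text: str) -> int:
    """Count how many distinct AppleScript markers appear (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for marker in APPLESCRIPT_MARKERS if marker in lowered)


def analyze_response(body: str) -> dict:
    """Score a response body as-is and reversed, and return a verdict.

    A body that scores only after reversal is the signature of the
    backward-written AppleScript trick: the attacker reverses the script so
    naive keyword matching on the wire sees nothing.
    """
    forward = score_applescript(body)
    backward = score_applescript(body[::-1])
    if backward > forward and backward >= 2:
        verdict = "reversed-applescript"
    elif forward >= 2:
        verdict = "plain-applescript"
    else:
        verdict = "benign"
    return {"forward": forward, "reversed": backward, "verdict": verdict}


def recover_script(body: str) -> str:
    """Return the readable script for analyst review (reversed back if needed)."""
    return body[::-1] if analyze_response(body)["verdict"] == "reversed-applescript" else body


def scan_responses(bodies):
    """Run the heuristic over a batch of captured response bodies."""
    return [analyze_response(b) for b in bodies]


# Constructed sample responses (not real traffic).
BENIGN_JSON = '{"status":"ok","version":"2024-08-28","notes":"nothing to update"}'
PLAIN_SCRIPT = 'tell application "Finder" to display dialog "hi"\nend tell'
REVERSED_SCRIPT = PLAIN_SCRIPT[::-1]

if __name__ == "__main__":
    for body in (BENIGN_JSON, PLAIN_SCRIPT, REVERSED_SCRIPT):
        print(analyze_response(body))
```

The reversed-string check is cheap enough to run over proxy logs or sandbox network captures; the threshold of two markers keeps a single incidental word such as "osascript" in documentation from tripping it, and the recovered script gives the analyst something readable to review.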
Who is at Risk?
The primary targets of this malware campaign are organizations and individuals in the cryptocurrency and DeFi sectors. North Korean threat actors have historically pursued financial gain through cryptocurrency theft and are known for targeting employees within the cryptocurrency space. These attacks pose a substantial risk to:
Cryptocurrency Exchanges: Exchanges that manage large amounts of digital assets are high-value targets for threat actors looking to steal funds.
DeFi and Crypto Professionals: Individuals who work within the cryptocurrency sector, particularly those with high-level access to sensitive information, are at heightened risk.
MacOS Users in Financial Sectors: Since the malware targets macOS, cryptocurrency professionals using Apple devices are especially vulnerable to this type of attack.
How to Protect Yourself
Update Regularly: Ensure that your macOS is up-to-date. Apple frequently releases security patches that address vulnerabilities which attackers often exploit.
Verify Applications: Only download software from trusted sources like the App Store or verified vendor sites. Be wary of applications that request excessive permissions or appear out of context, even if they seem relevant to your field.
Use Security Software: Installing reputable antivirus or endpoint protection software can help detect and prevent malware from compromising your device.
Educate and Train Staff: Security awareness training is essential, especially for individuals in the cryptocurrency sector. Ensure that employees are well-informed about phishing and social engineering tactics used by sophisticated actors like BlueNoroff.
Monitor System Behavior: If you notice unusual device behavior, such as unexpected app installations, high CPU usage, or unprompted network activity, it may indicate malware presence. Taking immediate action, like disconnecting from the internet and scanning for malware, is advisable.
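The notarization point earlier in the article and the "Verify Applications" advice above share a lesson: a valid Developer ID signature and notarization prove that Apple accepted the signer, not that the signer is an organization you expect software from. One practical check is to read the signer's Team ID out of codesign output and compare it with an allowlist of vendors your organization actually uses. The following is an added example, not code from Jamf or the article; the sample codesign output, the organization name "Example Org" and the Team ID "EXAMPLE123" are constructed placeholders, and the live path depends on the macOS `codesign` tool.

```python
"""Compare an app bundle's Developer ID signer against an allowlist.

Added example, not code from Jamf or the article. SAMPLE_* strings are
constructed codesign output with placeholder names and Team IDs.
"""
import re
import subprocess

AUTHORITY_RE = re.compile(r"^Authority=(.*)$", re.M)
TEAM_RE = re.compile(r"^TeamIdentifier=(.*)$", re.M)
# Developer ID Application certificates carry the org name and 10-char Team ID.
DEVID_RE = re.compile(r"Developer ID Application: (.+?) \(([A-Z0-9]{10})\)")


def parse_codesign(output: str) -> dict:
    """Extract signer details from `codesign -dv --verbose=4` output."""
    authorities = AUTHORITY_RE.findall(output)
    team_match = TEAM_RE.search(output)
    team_id = team_match.group(1).strip() if team_match else None
    if team_id == "not set":  # codesign prints this for ad-hoc signatures
        team_id = None
    developer_name = None
    for authority in authorities:
        dev = DEVID_RE.search(authority)
        if dev:
            developer_name = dev.group(1)
            break
    return {
        "authorities": authorities,
        "team_id": team_id,
        "developer_name": developer_name,
        "apple_rooted": "Apple Root CA" in authorities,
    }


def assess(info: dict, allowed_team_ids: set) -> str:
    """A chain to Apple Root CA is necessary but not sufficient: the Team ID
    must also belong to a vendor you expect to receive software from."""
    if not info["apple_rooted"] or info["team_id"] is None:
        return "unsigned-or-adhoc"
    if info["team_id"] in allowed_team_ids:
        return "trusted-signer"
    return "valid-signature-unknown-signer"


def codesign_info(app_path: str) -> dict:
    """Live path (macOS only): codesign writes its -d output to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True, check=False)
    return parse_codesign(proc.stderr)


# Constructed sample: a properly signed Developer ID app (placeholder org/Team ID).
SAMPLE_SIGNED_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Org (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123
Runtime Version=14.0.0
"""

# Constructed sample: an ad-hoc signed bundle with no Apple-issued identity.
SAMPLE_ADHOC_OUTPUT = """\
Executable=/Users/analyst/Downloads/Unknown.app/Contents/MacOS/Unknown
Identifier=Unknown
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""

if __name__ == "__main__":
    allowlist = {"EXAMPLE123"}  # Team IDs of vendors your organization actually uses
    for sample in (SAMPLE_SIGNED_OUTPUT, SAMPLE_ADHOC_OUTPUT):
        info = parse_codesign(sample)
        print(info["developer_name"], info["team_id"], assess(info, allowlist))
```

A "valid-signature-unknown-signer" verdict is exactly the case this campaign exploited: an unrelated organization's certificate on a crypto-themed app. Treat it as a prompt to ask why that vendor is shipping you software, and pair the check with `spctl -a -vv` on the bundle so that revoked certificates, which Apple pulled here after the fact, are caught at assessment time.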
Broader Implications and Industry Response
The use of Flutter to embed malware on macOS is an innovative approach that poses unique challenges for security teams. Jamf’s findings show that North Korean threat actors continue to experiment with different programming languages to evade detection and infiltrate cryptocurrency companies. This tactic not only complicates the detection process but underscores the need for heightened vigilance within the financial tech industry.
The incident also brings attention to Apple’s app notarization process, which threat actors have managed to bypass using legitimate Apple developer IDs. While Apple has revoked the offending certificates, this event highlights the potential for abuse within the developer ecosystem.
Conclusion
The tactics used in this campaign illustrate how state-sponsored actors continually evolve and leverage advanced social engineering and coding techniques to target high-value sectors. The use of cross-platform tools like Flutter to distribute malware represents a new frontier in cyber threats, pushing organizations to stay ahead by maintaining robust security measures, regular staff training, and vigilant monitoring. For companies and professionals in cryptocurrency and DeFi, heightened awareness and a proactive approach to cybersecurity are critical in defending against this type of targeted threat.