The hackers have been using fake recruiter profiles on online platforms to engage in conversations with the victims and to invite them to technical interviews.

During the fake interviews, the victims have been asked to install malware masquerading as a video conferencing tool or a software development kit (SDK) update.

The campaign does not involve ClickFix, which relies on the victims' willingness to copy and run the commands that lead to malware infection. Instead, the downloaded file, a compiled AppleScript, automatically opens in the macOS Script Editor and executes the arbitrary shell commands embedded in it.

As part of the complex infection chain, multiple AppleScript payloads are executed, ultimately leading to the deployment of several backdoors. The attack also focuses on achieving persistence and on privilege escalation.

The deployed payloads were designed to perform system reconnaissance, enumerate installed applications, and harvest Telegram data, browser profiles and their associated databases, Keychain databases, cryptocurrency wallets, SSH keys, shell history, the Apple Notes database, and system logs.
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek