Summary:
Jamf Threat Labs has identified malware samples linked to North Korea that use Flutter for obfuscation. The malware, discovered in late October, includes applications that were signed and temporarily passed Apple's notarization. The analysis reveals complex techniques employed by the malware, which targets macOS devices.
Key points:
- Malware samples tied to North Korea discovered by Jamf Threat Labs.
- Malware built using Flutter, providing obfuscation to the code.
- Three variants of malware identified: Go, Python, and Flutter.
- Flutter applications serve as stage one payloads, with six infected apps found.
- Malware made network requests to the domain mbupdate[.]linkpc[.]net.
- Malware capable of executing AppleScript commands received from server responses.
- Potential testing for new weaponization methods observed.
MITRE Techniques:
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Execution (T1203): Executes malicious code through user interaction with a malicious application.
- Obfuscated Files or Information (T1027): Uses obfuscation techniques to hide malicious code within legitimate applications.
IoC:
- Domain: mbupdate[.]linkpc[.]net
- IP Address: 172.86.102[.]98
- Hash: 7cb8a9db65009f780d4384d5eaba7a7a5d7197c4
- Hash: 0b9b61d0fffd52e6c37df37dfdffefc0e121acf7
- Hash: ee22e7768e0f4673ab954b2dd542256749502e97
- Hash: 6f280413a40d41b8dc828250bbb8940b219940c5
Full Research: https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/