NimDoor macOS Cryptocurrency Stealer

NimDoor is a sophisticated macOS malware family used by North Korean threat actors, most likely Stardust Chollima, to target cryptocurrency and Web3 organizations through a combination of social engineering and technically unusual tooling. The malware employs a novel signal-handler persistence mechanism, process injection, and TLS-encrypted WebSocket communications to steal credentials and data. #NimDoor #StardustChollima #MacOSMalware #Cryptocurrency

Keypoints

  • NimDoor is a macOS malware campaign linked to North Korea’s Stardust Chollima group, targeting Web3 and cryptocurrency entities.
  • The malware uses Nim and C++ binaries, AppleScript, and social engineering tactics such as fake Zoom SDK updates to initiate infection.
  • It features a novel persistence technique: handlers for SIGINT and SIGTERM intercept termination and reinstall the malware, so killing the process does not remove it, and the reinstalled LaunchAgent brings it back after reboot.
  • Encrypted TLS WebSocket communications enable stealthy command-and-control and data exfiltration.
  • Bash scripts are used to steal Keychain credentials, browser data from multiple browsers, and Telegram user information.
  • The campaign leverages impersonation via Telegram and Calendly to lure victims into executing malicious scripts.
  • Stardust Chollima operates as a financially motivated North Korean group, known for sophisticated social engineering and targeting cryptocurrency sectors.

MITRE Techniques

  • [T1059.002] Command and Scripting Interpreter: AppleScript – ‘malicious AppleScript disguised as a “Zoom SDK update”’ used to initiate infection. (T1059.001 is PowerShell; AppleScript is sub-technique .002.)
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – ‘Bash scripts steal Keychain credentials and browser data’; the shell stage of the data theft. (The original mapping to T1047 Windows Management Instrumentation does not apply to macOS.)
  • [T1055] Process Injection – ‘The malware employs process injection, rare on macOS, to evade detection.’
  • [T1071.001] Application Layer Protocol: Web Protocols – ‘Communicates via TLS-encrypted WebSocket (wss) for stealthy command-and-control.’ WebSocket over TLS is filed under Web Protocols; ATT&CK has no separate WebSocket sub-technique.
  • [T1543.001] Create or Modify System Process: Launch Agent – ‘Installer deploys “GoogIe LLC” and “CoreKitAgent” ensuring persistence via a LaunchAgent.’ (T1547.001 is Registry Run Keys / Startup Folder, a Windows-only sub-technique.)
  • [T1546] Event Triggered Execution – ‘A novel SIGINT/SIGTERM signal handler ensures persistence, reinstalling malware upon termination or reboot.’ Execution triggered by a termination signal has no dedicated sub-technique; the reinstall itself lands on the Launch Agent technique above. (T1543.003 Systemd Service is Linux-only.)
  • [T1555.001] Credentials from Password Stores: Keychain, [T1555.003] Credentials from Web Browsers, and [T1005] Data from Local System – ‘Bash scripts exfiltrate Keychain credentials, browser data, and Telegram databases.’ (T1086 PowerShell is deprecated and does not apply here.)
  • [T1566.003] Phishing: Spearphishing via Service and [T1204.002] User Execution: Malicious File – ‘Social engineering via fake Zoom updates and impersonation on Telegram used to lure victims.’ The victim runs the lure; no drive-by (T1189) exploitation is involved.
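
The LaunchAgent persistence above leaves artifacts a defender can triage directly. The script below is an added example, not code from the page or from PolySwarm: it parses LaunchAgent plists, flags labels that are homoglyphs of trusted vendor names (the “GoogIe LLC” artifact is spelled with a capital I in place of the lowercase l), checks whether the launched program lives in a user-writable path, and hashes that program against the two SHA-256 indicators quoted in the Indicators of Compromise section. The vendor list and confusables table are assumptions a defender would extend; the plist and binary bytes in the demo are constructed samples, not real NimDoor artifacts.

```python
"""LaunchAgent triage for NimDoor-style persistence (added example, not the page's code)."""
import hashlib
import plistlib
from pathlib import Path
from typing import Callable, Optional

# SHA-256 values quoted in the Indicators of Compromise section of the page.
NIMDOOR_SHA256 = {
    "bcef50a375c8b4edbe7c80e220c1bb52f572ce379768fec3527d31c1d51138fc",
    "0d1e3a9e6f3211b7e3072d736e9a2e6be363fc7c100b90bf7e1e9bee121e30df",
}
# Artifact names the page lists; "GoogIe LLC" is spelled with a capital I, not an l.
KNOWN_NAMES = {"GoogIe LLC", "CoreKitAgent"}
# Vendor names whose lookalikes are worth flagging (assumption: extend for your fleet).
TRUSTED_VENDORS = {"google llc", "apple inc", "zoom video communications"}
# Partial confusables table: ASCII lookalikes plus a few Cyrillic letters (assumption).
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
# Prefixes an unprivileged user can write to; an agent launching from here is far
# more suspicious than one under /Applications or /usr.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fold_label(label: str) -> str:
    """Replace lookalike characters with the letters they imitate, then lowercase."""
    return label.translate(CONFUSABLES).lower()


def is_lookalike_label(label: str) -> bool:
    """True when the label matches a trusted vendor only after confusable folding,
    i.e. it was crafted to look like the vendor's name without being it."""
    folded = fold_label(label)
    return folded in TRUSTED_VENDORS and label.lower() != folded


def triage_launch_agent(plist_bytes: bytes,
                        read_program: Callable[[str], Optional[bytes]],
                        ioc_hashes=NIMDOOR_SHA256) -> dict:
    """Inspect one LaunchAgent plist and return its label, program and findings.
    read_program(path) returns the launched binary's bytes or None if unreadable;
    it is injected so the same logic runs over constructed data without disk access."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", ""))
    args = agent.get("ProgramArguments") or []
    program = str(agent.get("Program") or (args[0] if args else ""))
    findings = []
    if is_lookalike_label(label):
        findings.append(f"label {label!r} is a homoglyph of a trusted vendor name")
    if label in KNOWN_NAMES or Path(program).name in KNOWN_NAMES:
        findings.append("label or program name matches a NimDoor persistence artifact")
    if program.startswith(USER_WRITABLE):
        findings.append(f"program {program!r} is launched from a user-writable path")
    blob = read_program(program) if program else None
    if blob is not None and sha256_hex(blob) in ioc_hashes:
        findings.append("program SHA-256 matches a NimDoor indicator")
    return {"label": label, "program": program, "findings": findings}


def scan_launch_agents(directory: Path, ioc_hashes=NIMDOOR_SHA256) -> list:
    """Triage every .plist in a LaunchAgents directory; return only agents with findings."""
    def read_program(path: str) -> Optional[bytes]:
        try:
            return Path(path).read_bytes()
        except OSError:
            return None

    results = []
    for plist in sorted(directory.glob("*.plist")):
        try:
            results.append(triage_launch_agent(plist.read_bytes(), read_program, ioc_hashes))
        except Exception as exc:  # malformed plist: still worth a look
            results.append({"label": plist.name, "program": "",
                            "findings": [f"unparseable plist: {exc}"]})
    return [r for r in results if r["findings"]]


# Constructed samples for the demo and tests; not real NimDoor artifacts.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "GoogIe LLC",
    "ProgramArguments": ["/Users/victim/Library/CoreKitAgent"],
    "RunAtLoad": True,
})
SAMPLE_BINARY = b"constructed placeholder, not a real NimDoor payload"
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"]})

if __name__ == "__main__":
    # Add the constructed binary's hash to the IoC set so the hash path is exercised too.
    demo = triage_launch_agent(SAMPLE_PLIST, lambda _p: SAMPLE_BINARY,
                               NIMDOOR_SHA256 | {sha256_hex(SAMPLE_BINARY)})
    for finding in demo["findings"]:
        print("-", finding)
    for hit in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        print(hit)
```

Run it on a live Mac to walk `~/Library/LaunchAgents`; the hash match is the weakest signal, since any rebuild of the implant changes it, while the homoglyph label and a user-writable program path survive recompilation. Keep the confusables table honest about its limits: it only folds characters you list, so pair it with a mixed-script check if your fleet sees non-Latin labels.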

Indicators of Compromise

  • [File Hashes] Multiple NimDoor malware samples – bcef50a375c8b4edbe7c80e220c1bb52f572ce379768fec3527d31c1d51138fc, 0d1e3a9e6f3211b7e3072d736e9a2e6be363fc7c100b90bf7e1e9bee121e30df, and 10 more hashes.
  • [File Names] Malicious AppleScript disguised as a “Zoom SDK update”, and persistence artifacts named “GoogIe LLC” (a lookalike of “Google LLC” spelled with a capital I in place of the lowercase l) and “CoreKitAgent”.
  • [Domains] Hardcoded command-and-control servers receiving beacons every 30 seconds (names not specified).
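
Because the C2 domains are not published, the practical network hunt for this campaign is behavioural: the page states that the implant beacons a hardcoded server every 30 seconds over TLS WebSocket, whose contents are not inspectable, so the handle is timing. The script below is an added example, not code from the page or from PolySwarm. It groups connections by (source, destination, port), computes the median gap between connections and the median absolute deviation of those gaps, and flags pairs whose interval is near-constant. The log lines are constructed samples in a simplified “timestamp src dst port” format using documentation address space; adapting the parser to real proxy or flow logs is left to the reader.

```python
"""Beacon-interval hunt for NimDoor-style WebSocket C2 (added example, not the page's code)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed connection log in a simplified "timestamp src dst port" format
# (assumption: adapt parse_log to your proxy or flow logs). 203.0.113.0/24 is
# documentation address space, not a real C2. 203.0.113.10 receives a beacon
# every ~30 s; 203.0.113.50 is irregular browsing; 203.0.113.80 is too rare to score.
CONSTRUCTED_LOG = """\
2025-07-03T10:00:00 10.1.1.7 203.0.113.10 443
2025-07-03T10:00:05 10.1.1.7 203.0.113.50 443
2025-07-03T10:00:07 10.1.1.7 203.0.113.50 443
2025-07-03T10:00:30 10.1.1.7 203.0.113.10 443
2025-07-03T10:01:01 10.1.1.7 203.0.113.10 443
2025-07-03T10:01:30 10.1.1.7 203.0.113.10 443
2025-07-03T10:01:40 10.1.1.7 203.0.113.50 443
2025-07-03T10:02:00 10.1.1.7 203.0.113.10 443
2025-07-03T10:02:15 10.1.1.7 203.0.113.50 443
2025-07-03T10:02:16 10.1.1.7 203.0.113.50 443
2025-07-03T10:02:31 10.1.1.7 203.0.113.10 443
2025-07-03T10:02:45 10.1.1.7 203.0.113.80 443
2025-07-03T10:03:00 10.1.1.7 203.0.113.10 443
2025-07-03T10:03:30 10.1.1.7 203.0.113.10 443
2025-07-03T10:03:50 10.1.1.7 203.0.113.50 443
2025-07-03T10:04:01 10.1.1.7 203.0.113.10 443
2025-07-03T10:04:20 10.1.1.7 203.0.113.50 443
2025-07-03T10:04:30 10.1.1.7 203.0.113.10 443
2025-07-03T10:04:40 10.1.1.7 203.0.113.80 443
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst, port); blank lines are skipped."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        conns[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return conns


def interval_stats(times) -> tuple:
    """Median inter-connection gap in seconds and the median absolute deviation
    of the gaps around it. Medians resist the odd missed or doubled beacon."""
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median([abs(g - med) for g in gaps])
    return med, mad


def find_beacons(conns: dict, min_connections: int = 6, max_jitter: float = 0.1,
                 min_interval: float = 5.0, max_interval: float = 600.0) -> list:
    """Return (src, dst, port) pairs whose connections recur at a near-constant
    interval. jitter = MAD / median gap, so 0.1 means gaps vary by about 10%."""
    findings = []
    for (src, dst, port), times in conns.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about periodicity
        med, mad = interval_stats(times)
        if med <= 0:
            continue  # duplicate timestamps only; no interval to measure
        jitter = mad / med
        if min_interval <= med <= max_interval and jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(times),
                             "median_interval_s": med, "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(CONSTRUCTED_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} every "
              f"{hit['median_interval_s']:.0f}s (n={hit['connections']}, jitter={hit['jitter']})")
```

Treat a hit as a triage filter, not a verdict: update checkers, mail clients and monitoring agents also poll on fixed timers, so join the flagged destination with the owning process (unified log or EDR telemetry) and destination reputation before escalating. Since the implant already runs at a fixed 30-second cadence with no published jitter, the thresholds above are deliberately tight; widen `max_jitter` if a later variant randomises its sleep.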


Read more: https://blog.polyswarm.io/nimdoor-macos-malware