Keypoints
- The campaign, dubbed “Hidden Risk,” targets cryptocurrency businesses with phishing emails linking to a malicious macOS application disguised as a PDF.
- Stage 1 is a signed, notarized macOS app dropper that displays a decoy PDF and downloads a second-stage binary from a hard-coded URL.
- Stage 2 is an x86-64 Mach-O backdoor named “growth” that gathers host information, polls a C2 via HTTP POST, and can save and execute commands returned by the server.
- Persistence is implemented by writing a malicious ~/.zshenv file so the backdoor runs in every Zsh session without triggering macOS background Login Item notifications.
- Infrastructure analysis links domains and IPs used in this campaign to previous BlueNoroff activity (RustBucket/ThiefBucket, RustDoor, KandyKorn), strengthening attribution to DPRK actors.
- The actors abused legitimate services and measures (notarized app, email marketing tools, domain registrations) to improve lure delivery and bypass defenses.
- SentinelLabs provides file hashes, IPs, and a long domain list as Indicators of Compromise for detection and hunting.
MITRE Techniques
- [T1566.001] Spearphishing Link – Phishing emails contained links to a malicious application disguised as a PDF to initiate infection. (‘Initial infection is achieved via phishing email containing a link to a malicious application.’)
- [T1204.002] User Execution: Malicious File – Victims launch a macOS app that imitates a PDF viewer to drop further payloads. (‘The first stage is a Mac application written in Swift displaying the same name as the expected PDF, “Hidden Risk Behind New Surge of Bitcoin Price.app”.’)
- [T1105] Ingress Tool Transfer – The Stage 1 dropper downloads and executes a second-stage Mach-O binary from an actor-controlled domain. (‘The malware then downloads and executes a malicious x86-64 binary sourced from matuaner[.]com via a URL hard-coded into the Stage 1 binary.’)
- [T1547] Boot or Logon Autostart Execution – Persistence is achieved by installing a malicious ~/.zshenv so code runs for all Zsh sessions. (‘Zshenv … is sourced for all Zsh sessions, including interactive and non-interactive shells, non-login shells and scripts.’)
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Remote commands are written to a hidden file, made executable with chmod, and run via popen, enabling arbitrary command execution. (‘it creates a random file name … writes the received command as a hidden file to /Users/Shared/.%s … and finally executes it via popen.’)
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – The backdoor communicates with C2 servers using HTTP POST requests built with libcurl. (‘The DoPost function constructs and sends the http request’)
- [T1082] System Information Discovery – The backdoor collects environment and system details (sw_vers, sysctl hw.model, ps aux) and reports them to C2. (‘Runs several commands to gather environmental information from the host … sw_vers ProductVersion, sysctl hw.model …’)
Indicators of Compromise
- [SHA1 hashes] sample files – 3f17c5a7d1e7fd138163d8039e614b8a967a56cb (dropper .app), 7e07765bf8ee2d0b2233039623016d6dfb610a6d (growth backdoor), and three further hashes listed in the report.
- [IP addresses] C2 / infrastructure – 45.61.135[.]105, 172.86.108[.]47, and other listed IPs (for example 23.254.253[.]75 and 45.61.128[.]122).
- [Domains] delivery and C2 hosts – delphidigital[.]org (lure hosting/benign document), matuaner[.]com (stage 1 download), and many other domains used for phishing and infrastructure.
- [File names / paths] malicious artifacts – “Hidden Risk Behind New Surge of Bitcoin Price.app” (stage 1 dropper), “growth” (stage 2 backdoor binary), and ~/.zshenv (malicious persistence file).
————
SentinelLabs uncovered the “Hidden Risk” campaign, where a suspected DPRK-linked group (BlueNoroff) used unsophisticated phishing e-mails with fake cryptocurrency PDFs to deliver a notarized macOS dropper. The dropper displays a decoy PDF while fetching a second-stage x86-64 backdoor called “growth” that gathers host information, polls a command-and-control server, and can save and execute commands returned by the C2.
The campaign’s standout technique is persistence via a malicious ~/.zshenv file, which is sourced for every Zsh session and avoids macOS background login-item notifications, making it stealthier than LaunchAgents. Infrastructure and artifact overlaps (unique User-Agent, domain registration patterns, shared IPs) link this activity to prior BlueNoroff operations (RustBucket, ThiefBucket, KandyKorn), suggesting a continued focus on cryptocurrency targets. Defenders should hunt for the listed hashes, domains, IPs, and suspicious ~/.zshenv modifications and harden macOS endpoints against notarized-but-malicious apps and shell-startup persistence.
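A defender-side check for the ~/.zshenv persistence described above, written as an added example (not SentinelLabs' or the report's code): it audits ~/.zshenv and /etc/zshenv for lines that reference hidden files under /Users/Shared, launch background processes, mark files executable, or pipe downloads into a shell. The sample file content and the placeholder hidden file name are constructed.

```python
import re
from pathlib import Path

# Each rule pairs a compiled regex with the reason it is reported.
RULES = [
    (re.compile(r"/Users/Shared/\.[^\s/]+"), "references a hidden file under /Users/Shared"),
    (re.compile(r"(^|[\s;&|])nohup\b|&\s*$"), "launches a background process"),
    (re.compile(r"\bchmod\s+(\S*\+x|[0-7]*7[0-7]*)"), "marks a file executable"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(z|ba)?sh\b"), "pipes a download into a shell"),
]

def audit_zshenv_text(text):
    """Return [(line_no, reason, line)] for every rule hit; blank lines and comments are skipped."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for rx, reason in RULES:
            if rx.search(line):
                findings.append((no, reason, line))
    return findings

def audit_zsh_startup_files(home=None):
    """Audit the user's ~/.zshenv and the system-wide /etc/zshenv (where present)."""
    home = Path(home) if home else Path.home()
    results = {}
    for path in (home / ".zshenv", Path("/etc/zshenv")):
        if path.is_file():
            results[str(path)] = audit_zshenv_text(path.read_text(errors="replace"))
    return results

# Constructed sample: two ordinary lines, a comment, and one persistence line
# whose hidden file name is a placeholder (the real backdoor used random names).
SAMPLE_ZSHENV = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
# harmless comment
nohup /Users/Shared/.RANDOMNAME_PLACEHOLDER >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for no, reason, line in audit_zshenv_text(SAMPLE_ZSHENV):
        print(f"sample:{no}: {reason}: {line}")
    for path, findings in audit_zsh_startup_files().items():
        for no, reason, line in findings:
            print(f"{path}:{no}: {reason}: {line}")
```

Run it on an endpoint to review the live startup files; a ~/.zshenv that launches anything rather than only setting environment variables deserves a closer look.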