Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign

Sapphire Sleet, a North Korean state-sponsored group also tracked as BlueNoroff/UNC1069, ran a multi-stage macOS intrusion campaign against venture capital, Web3, and cryptocurrency targets using a fake Zoom SDK update and native Apple components to evade security controls. The operation harvested passwords, abused TCC.db for unauthorized automation access, established persistence through LaunchDaemons, and stole wallets, SSH keys, Telegram data, and Apple Notes content while using infrastructure tied to multiple domains, IPs, and staged payloads. #SapphireSleet #BlueNoroff #UNC1069 #ZoomSDKUpdate #TCCdb #LaunchDaemons

Keypoints

  • Sapphire Sleet targeted macOS systems in high-value financial sectors, especially venture capital firms, Web3 developers, and cryptocurrency organizations.
  • The campaign used social engineering through LinkedIn, Telegram, email, and other professional channels to push a fake Zoom SDK update component.
  • Malicious logic in the AppleScript was hidden with extensive whitespace padding and executed through a chain of Script Editor, osascript, curl, and shell.
  • A fake systemupdate.app displayed a native-looking password prompt to steal the victim’s login credentials.
  • The malware abused Finder and the TCC.db privacy database to silently grant full automation access to osascript and bypass macOS security prompts.
  • Persistence was achieved with a LaunchDaemon plist that loaded the icloudz backdoor and reflectively injected the com.google.chromes.updaters beacon into memory.
  • Data theft focused on cryptocurrency wallets, browser extension storage, Telegram session profiles, SSH keys, and unencrypted Apple Notes, with staged archives uploaded to remote infrastructure.

MITRE Techniques

  • [T1566.004] Phishing: Spearphishing Voice/Video – Victims were lured into a fake meeting setup and told to run a Zoom-related update before the call (‘the attacker contacts the victim … schedules a video meeting … execute a fake Zoom SDK update component’).
  • [T1204.002] User Execution: Malicious File – The victim had to manually run the malicious AppleScript update file, enabling the intrusion (‘the user-assisted execution runs the compiled AppleScript file’).
  • [T1059.002] Command and Scripting Interpreter: AppleScript – The initial payload was a compiled AppleScript file opened in Script Editor and used to drive the attack (‘Script Editor → osascript → curl → shell’).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The script chained into shell execution to continue payload delivery (‘Script Editor → osascript → curl → shell’).
  • [T1105] Ingress Tool Transfer – curl was used to fetch follow-on payloads and tools from remote infrastructure (‘curl … leading to follow-on payload delivery’).
  • [T1036] Masquerading – The malware pretended to be a legitimate Zoom SDK update and used fake system application names (‘fake Zoom SDK update component’, ‘a fake application named systemupdate.app’).
  • [T1555] Credentials from Password Stores – A fake password popup was used to harvest the user’s login password (‘Mac Password Popup’).
  • [T1112] Modify Registry / TCC Database – Finder was abused to overwrite TCC.db and grant automation permissions (‘copy, manipulate via sqlite3, and overwrite the central system privacy database (TCC.db)’).
  • [T1547.009] Boot or Logon Autostart Execution: LaunchDaemon – Persistence was established with a LaunchDaemon plist in /Library/LaunchDaemons (‘dropped into /Library/LaunchDaemons/com.google.webkit.service.plist’).
  • [T1055] Process Injection – The beacon was reflectively loaded into memory using a native system function (‘reflectively load the core beacon agent … directly into memory’).
  • [T1074] Data Staged – Collected files were archived into zip files in /tmp before upload (‘archives into .zip files within the /tmp/ directory’).
  • [T1041] Exfiltration Over C2 Channel – Staged archives were uploaded to remote infrastructure over curl and dedicated ports (‘uploaded via nohup curl to remote port 8443’).
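The three host-side behaviours above that leave the clearest artefacts are the whitespace-padded AppleScript, the TCC.db Automation grant to osascript, and the LaunchDaemon pointing at a staging directory. The script below is an added defender-side example written for this page; it is not code from the report, from LevelBlue, or from the actor. The TCC table layout, the meaning of auth_value, the interpreter list, the padding threshold and every sample row, script line and plist are constructed assumptions for the demonstration (the binary name under /private/tmp/SystemUpdate/ is a placeholder), not values recovered from the intrusion.

```python
"""Hunt helpers for three macOS artefacts described in the report above:
a whitespace-padded AppleScript, a TCC.db Automation grant to osascript,
and a LaunchDaemon whose program lives in a staging/temp directory.
Added example, not code from the report or the actor. Table layout,
auth_value meaning, interpreter list and all sample data are assumptions."""
import plistlib
import sqlite3

# --- 1. Whitespace-padded AppleScript -------------------------------------

def whitespace_padded_lines(script_text: str, threshold: int = 200) -> list:
    """1-based line numbers where code sits behind at least `threshold`
    leading spaces/tabs, the padding trick used to hide the malicious logic."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        stripped = line.lstrip(" \t")
        if stripped and len(line) - len(stripped) >= threshold:
            hits.append(n)
    return hits

# Constructed sample: a harmless-looking first line, then a command pushed
# 300 columns to the right so it scrolls out of view in Script Editor.
SAMPLE_SCRIPT = ('display dialog "Updating Zoom SDK..."\n'
                 + " " * 300 + 'do shell script "echo hidden"\n')

# --- 2. TCC.db Automation grants ------------------------------------------

# Assumed subset of the TCC.db 'access' table; auth_value 2 is treated as
# "allowed" (assumption for this demo, check against the host's schema).
TCC_SCHEMA = """CREATE TABLE access (
    service TEXT, client TEXT, auth_value INTEGER,
    indirect_object_identifier TEXT)"""

# Constructed rows: an ordinary GUI-app grant, the abuse pattern from the
# report (osascript allowed to drive Finder), and an unrelated service.
SAMPLE_ROWS = [
    ("kTCCServiceAppleEvents", "us.zoom.xos", 2, "com.apple.systemevents"),
    ("kTCCServiceAppleEvents", "/usr/bin/osascript", 2, "com.apple.finder"),
    ("kTCCServiceMicrophone", "us.zoom.xos", 2, "UNUSED"),
]
SCRIPT_INTERPRETERS = ("/usr/bin/osascript", "/bin/sh", "/bin/bash", "/bin/zsh")

def load_sample_tcc() -> sqlite3.Connection:
    """In-memory stand-in for a copied TCC.db, filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(TCC_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn

def scripting_automation_grants(conn: sqlite3.Connection) -> list:
    """Allowed AppleEvents (Automation) grants whose client is a command-line
    interpreter; a legitimate install rarely needs osascript to control Finder."""
    rows = conn.execute(
        "SELECT client, indirect_object_identifier FROM access "
        "WHERE service = 'kTCCServiceAppleEvents' AND auth_value = 2"
    ).fetchall()
    return [{"client": c, "target": t} for c, t in rows if c in SCRIPT_INTERPRETERS]

# --- 3. LaunchDaemon plist review -----------------------------------------

USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

def launchdaemon_findings(plist_bytes: bytes) -> list:
    """Reasons a LaunchDaemon plist deserves review; empty list if none."""
    info = plistlib.loads(plist_bytes)
    args = info.get("ProgramArguments") or []
    program = info.get("Program") or (args[0] if args else None)
    if program is None:
        return ["no Program or ProgramArguments"]
    findings = []
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program in user-writable location: {program}")
    return findings

# Constructed plists: one mimicking the report's pattern (the vendor-like
# label from the report, binary under the /private/tmp/SystemUpdate/ staging
# path with a placeholder file name), one ordinary system-style daemon.
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.google.webkit.service",
    "ProgramArguments": ["/private/tmp/SystemUpdate/PLACEHOLDER_BINARY"],
    "RunAtLoad": True, "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.agent",
    "ProgramArguments": ["/usr/libexec/example-agent"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print(whitespace_padded_lines(SAMPLE_SCRIPT))          # [2]
    print(scripting_automation_grants(load_sample_tcc()))  # osascript -> Finder
    print(launchdaemon_findings(SUSPECT_PLIST), launchdaemon_findings(BENIGN_PLIST))
```

On a live host the TCC query would be run against a copy of the system TCC.db (which needs Full Disk Access to read) and the plist check against every file in /Library/LaunchDaemons; the padding check is cheap enough to run over any .scpt or .applescript dropped by a user. None of the three heuristics is proof on its own, but each is a low-noise signal for the specific sequence the report describes.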

Indicators of Compromise

  • [SHA-256] Malicious AppleScript, profiling tool, persistence component, beacon, and password-harvester binaries – 2075fd1a1362d188290910a8c55cf30c11ed5955c04af410c481410f538da419, 05e1761b535537287e7b72d103a29c4453742725600f59a34a4831eafc0b8e53, and 5 other hashes
  • [Domain] C2 and staging infrastructure used for check-ins and exfiltration – check02id[.]com, uw04webzoom[.]us, and 7 other domains
  • [IP Address] Remote command-and-control and exfiltration endpoints – 83.136.208[.]246, 104.145.210[.]107, and 3 other IPs
  • [File Name] Malware and persistence filenames used on macOS hosts – Zoom SDK Update.scpt, com.google.webkit.service.plist, and 4 other file names
  • [File Path] Staging, persistence, and forensic locations on disk – /private/tmp/SystemUpdate/, /Library/LaunchDaemons/com.google.webkit.service.plist, and 2 other paths
  • [Port] Network ports associated with Telegram API, beacons, staging, and exfiltration – 443, 8443, and 2 other ports

Read more: https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign