North Korean hackers are targeting Mac users with malware infected apps that use sophisticated code to evade typical Mac security checks.
Jamf Threat Labs researchers found malware hidden in the apps that is disguised as harmless code at first glance. The hackers are using Google’s popular app-building tool Flutter to create the malicious apps.
Flutter is a popular development tool with tool among those looking to develop apps that can be built a single time but work across the macOS, iOS, and Android platforms.
The bad actors are taking advantage of a feature in Flutter, which bundles the app’s main code into a “dylib” file, which is a dynamic library later loaded by Flutter’s engine.
While this makes things easier for developers, it also obscures the code, making it easier to get malicious code past standard security checks.
Due to the complex nature in which Flutter compiles its applications, this dylib is not listed as a shared Library within the primary machO file. While there is nothing inherently malicious about this app architecture, it just happens to provide a good avenue of obfuscation by design.
Jamf Threat Labs says its researchers found three different versions of the malware. Each version is tailored to one of three programming environments: Flutter, Go, and Python. All three were designed to contact external servers, believed to be under North Korean control, executing malicious commands.
One Flutter-based bit of malware appeared to be an innocuous game, luring users to installing and playing the game. Unfortunately, the game included code designed to connect to a domain that has been linked to North Korean cyber attackers.
Another variant of the malicious code appeared to be a notepad app, which also connected to the North Korean-controlled domain, downloading and executing malicious AppleScripts allowing hackers to remotely control the target’s Mac.
Jamf Threat Labs says there is no indication that the apps have been used to attack Macs out in the wild, as the malware appears to be in a testing phase.
To protect themselves against attacks like these, macOS users should keep their machine’s operating system and apps updated on a regular basis. Also, download and install cryptocurrency apps with great caution, as cryptocurrency traders are favorite targets of North Korean hackers.
Mac users should also stick to downloading and installing apps from the official Mac App Store, which has a screen process for submitted apps.
