SentinelLabs has posted a report about a new malware that targets Mac users of blockchain technologies, such as crypto. The threat agents behind the attack are based in North Korea, according to research by Huntabil.IT, as cited by SentinelLabs.
The attack involves executable scripts written in AppleScript, C++, and Nim. Targeted users are sent a meeting invitation via Calendly, a cloud-based B2B scheduling service. The contact is made over Telegram as the attacker impersonates a trusted contact of the target. The invitation includes what appears as a link for a “Zoom SDK update script” but is actually a link to download and install the malware.
Once installed, the malware collects “general system data,” browser data, and Telegram chat histories. It collects user data such as the login information of the Mac, the version of macOS being used, and passwords in macOS’s Keychain. SentinelLabs also reports that it targets data from Arc, Brave, Firefox, Google Chrome, and Microsoft Edge; Safari was not listed.
How to protect yourself from malware
Given the nature of the attack reported by SentinelLabs–Mac users of blockchain technologies who employ Calendly and Telegram–it seems as though most Mac users are not targets. However, the report points out that the use of Nim-based software in conjunction with AppleScript is a relatively new development. This combination helps the malware avoid detection and could be eventually used in a wider attack.
The easiest way to protect yourself as an individual user from malware is to avoid downloading software from repositories such as GitHub and other download sites. Apple has vetted software in the Mac App Store, and is the safest way to get apps. If you prefer not to patronize the Mac App Store, then buy software directly from the developer and their website. If you insist on using cracked software, you will always risk malware exposure.
Never open links in emails or texts you receive from unknown and unexpected sources. If you get a message that looks like it is from an entity that you do business with, check the sender’s email address and inspect the URL carefully. If you see a link or button, you can Control-click it, select Copy Link, and then paste it into a text editor to see the actual URL and check it.
Apple releases security patches through OS updates, so installing them as soon as possible is important. Macworld has several guides to help, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and trojans, and a comparison of Mac security software.
