North Korean cryptocurrency thieves are once again targeting macOS users with a new malware campaign that uses phishing emails, fake PDF applications, and a novel technique to evade Apple’s security measures.

According to fresh research from SentinelOne, the notorious BlueNoroff hacking team was caught sending phishing lures with fake news headlines or stories about crypto-related topics to targets at decentralized finance (DeFi) and cryptocurrency businesses.

Inside the emails, the North Korean government-backed hackers embedded a malicious macOS application disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”.

SentinelOne said the campaign, called ‘Hidden Risk’, also abuses the ‘zshenv’ configuration file to maintain persistence without triggering macOS Ventura’s background item modification notifications.

The macOS notifications are designed to alert users to changes in common persistence methods like LaunchAgents and LaunchDaemons.

According to SentinelOne documentation, the first-stage malware is a macOS application written in Swift, named identically to the embedded PDF document. The application is signed and notarized using a legitimate Apple Developer ID (since revoked) and, upon execution,downloads a decoy PDF from a Google Drive link and opens it using the default macOS PDF viewer to avoid arousing suspicion.

In tandem, SentinelOne researchers observed the malware downloading and executing a malicious x86-64 binary from a hard-coded URL. The application bypasses macOS security features by specifying exceptions in its Info.plist file to allow insecure HTTP connections, the companies said.

The company also documented the use of a second-stage backdoor that collects system information, generates a unique identifier, and establishes communication with a command-and-control (C2) server. 

SentinelOne said the backdoor is programmed to send the OS version, hardware model, and process list to the C2 server and awaits further instructions.

BlueNoroff is publicly documented as a sub-group within North Korea’s Lazarus APT operation.The group specializes in financial cybercrime, particularly targeting banks and cryptocurrency exchanges to fund the North Korean regime. 

Related: New MacOS Malware Linked to North Korean Hackers

Related: North Korean Hackers Target Mac Users With New ‘RustBucket’ Malware

Related: North Korean APT Expands Its Attack Repertoire

Related: North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains