BlueNoroff Launches New Campaign Targeting Mac Users with Fake Crypto News
North Korean threat actors associated with BlueNoroff have been observed targeting cryptocurrency-related businesses with novel malware. The campaign, known as Hidden Risk, uses phishing emails containing fake crypto news to infect Mac users.
The attackers employ email and PDF lures with headlines such as “Hidden Risk Behind New Surge of Bitcoin Price” to trick recipients into clicking on malicious links. Once a recipient clicks, a dropper application is downloaded onto the victim’s device, initiating the malware infection process.
Unlike previous campaigns, Hidden Risk does not personalize email content based on the recipient’s information. Instead, it impersonates well-known crypto influencers to gain trust. The sender domain, kalpadvisory[.]com, has a history of spamming in the Indian stock market community.
Despite the simplistic nature of the phishing emails, the malware used in the Hidden Risk campaign shows similarities to earlier DPRK-backed attacks. The threat actors seem able to obtain legitimate Apple developer accounts to notarize their malware, bypassing macOS security measures.
In the past year, North Korean cyber actors have targeted various parts of the crypto industry through social media grooming. With Hidden Risk, they shift to a more direct email phishing approach. Although their tactics evolve, the underlying threat remains consistent.
As macOS crimeware continues to rise, all users, especially those in organizational settings, should enhance their security measures. Awareness of potential risks is crucial in safeguarding against sophisticated cyber threats like those posed by BlueNoroff.