North Korean threat actors are targeting Apple macOS systems with trojanized Notepad applications and Minesweeper games built with Flutter. The applications are signed with a legitimate Apple developer ID and notarized, so until that signature was revoked they passed Apple's checks: Gatekeeper treated them as verified and let them run without the warnings shown for unsigned or un-notarized software.
The application names are predominantly cryptocurrency-themed, consistent with the North Korean hackers' focus on financial theft. According to Jamf Threat Labs, which identified the activity, the campaign looks more like an experiment in bypassing macOS security than a comprehensive, highly targeted operation.
Notarized apps connecting to DPRK servers
Beginning in November 2024, Jamf identified several applications on VirusTotal that appeared entirely benign to every antivirus engine, yet exhibited "stage one" functionality: they connected to servers linked to North Korean actors.
These applications were developed for macOS utilizing Google’s Flutter framework, which allows developers to create natively compiled applications for various operating systems from a single codebase written in the Dart programming language.
“It is not uncommon for threat actors to incorporate malware within a Flutter-based application; however, this marks the first instance we have observed of this particular attacker targeting macOS devices,” stated Jamf researchers Ferdous Saljooki and Jaron Bradley.
This approach gives malware authors flexibility and also complicates detection, because the Dart code is compiled into a dynamic library (dylib) that the Flutter engine loads at runtime. Examining one of the Flutter-based applications, 'New Updates in Crypto Exchange (2024-08-28).app', Jamf found that the obfuscated code in the dylib could execute AppleScript, allowing it to run scripts received from a command-and-control (C2) server.
The application presents a macOS Minesweeper game whose source code is publicly available on GitHub. Notably, five of the six malicious applications Jamf identified were signed with a legitimate developer ID and had passed Apple's notarization process, meaning Apple's automated scanning had examined them and found nothing malicious.
Jamf also identified Golang- and Python-based variants, named 'New Era for Stablecoins and DeFi, CeFi (Protected).app' and 'Runner.app'; the latter is presented as a basic Notepad application. Both made network requests to a DPRK-associated domain, 'mbupdate.linkpc[.]net', and included script-execution capabilities.
Apple has since revoked the signatures of the applications Jamf discovered, so they no longer pass Gatekeeper on up-to-date macOS systems. It remains unclear whether the applications were used in real operations or only in in-the-wild testing of methods for evading security software. The existence of multiple variants built on the same base applications supports the testing hypothesis, but the precise details of the operation are still unknown.
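A triage script a defender could run against one of these bundles, covering the AppleScript-from-C2 behaviour, the DPRK domain and the signature revocation described above. It is added here as an example and is not code from Jamf or from the campaign. It assumes that a Flutter macOS app keeps its compiled Dart code in Contents/Frameworks/App.framework/Versions/A/App (the dylib the Flutter engine loads), that Dart obfuscation leaves string literals intact so the osascript/NSAppleScript indicators (an assumed heuristic) and the reported domain remain visible in the binary, and that Apple's codesign and spctl tools are available, so the signing check only works on macOS while the scan and log-matching functions run anywhere. The sample snapshot bytes and log lines are constructed for the example.

```python
"""Triage helper for a suspicious macOS app bundle.

Added example, not Jamf's tooling or the campaign's code. Assumptions:
  * A Flutter macOS app ships its AOT-compiled Dart code in
    Contents/Frameworks/App.framework/Versions/A/App; that is the dylib
    the Flutter engine loads and the one we scan.
  * Dart's --obfuscate renames identifiers but keeps string literals, so
    code that runs AppleScript through `osascript` or NSAppleScript still
    carries those strings (assumed indicator list, not from the report).
  * Signature and notarization status come from Apple's codesign and
    spctl, so signature_status() only works on macOS.
"""
import re
import subprocess
from pathlib import Path

C2_DOMAIN = "mbupdate.linkpc.net"          # domain reported by Jamf
DART_SNAPSHOT = Path("Contents/Frameworks/App.framework/Versions/A/App")

# Strings a Dart binary would need in order to hand attacker-supplied
# AppleScript to the system (assumed heuristic).
SCRIPT_EXEC_INDICATORS = (b"osascript", b"NSAppleScript", b"executeAndReturnError")

# Matches the live domain and the defanged mbupdate.linkpc[.]net form.
C2_RE = re.compile(re.escape(C2_DOMAIN).replace(r"\.", r"(?:\.|\[\.\])").encode())

# Constructed sample data standing in for a Dart snapshot and a DNS log
# (not real captures).
SAMPLE_SNAPSHOT = b"\x00\x00Dart\x00Minesweeper\x00osascript\x00https://mbupdate.linkpc.net/\x00"
SAMPLE_LOG = [
    "2024-11-02T10:14:03Z dns query A mbupdate.linkpc.net from 10.0.0.12",
    "2024-11-02T10:14:05Z dns query A api.github.com from 10.0.0.12",
]


def scan_snapshot(blob: bytes) -> dict:
    """Look for AppleScript-execution strings and the C2 domain in raw bytes."""
    found = [ind.decode() for ind in SCRIPT_EXEC_INDICATORS if ind in blob]
    return {"script_exec": found, "c2_domain": C2_RE.search(blob) is not None}


def verdict(scan: dict) -> str:
    """Turn scan results into a triage label."""
    if scan["c2_domain"]:
        return "malicious"        # known DPRK infrastructure
    if scan["script_exec"]:
        return "review"           # script execution is odd for a game or notepad
    return "clean"


def c2_hits(log_lines):
    """Return log lines (DNS, proxy, Zeek, ...) that reference the C2 domain."""
    return [line for line in log_lines if C2_RE.search(line.encode())]


def signature_status(app: Path) -> dict:
    """Ask codesign and spctl how Gatekeeper sees the bundle (macOS only)."""
    cs = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(app)],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", str(app)],
                        capture_output=True, text=True)
    out = sp.stdout + sp.stderr
    return {
        "signature_valid": cs.returncode == 0,
        "gatekeeper_accepts": sp.returncode == 0,   # False once Apple revokes the ID
        "notarized": "Notarized Developer ID" in out,
    }


def triage(app: Path) -> dict:
    """Full check: signing state plus indicator scan of the Dart snapshot."""
    snapshot = app / DART_SNAPSHOT
    if snapshot.exists():
        scan = scan_snapshot(snapshot.read_bytes())
    else:
        scan = {"script_exec": [], "c2_domain": False}
    result = {"flutter_app": snapshot.exists(), **scan, "verdict": verdict(scan)}
    result.update(signature_status(app))
    return result


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(triage(Path(sys.argv[1])), indent=2))
    else:
        sample = scan_snapshot(SAMPLE_SNAPSHOT)
        print(json.dumps({"sample_scan": sample, "sample_verdict": verdict(sample),
                          "sample_log_hits": c2_hits(SAMPLE_LOG)}, indent=2))
```

Run it with the path to an .app bundle on macOS; with no argument it scans the built-in samples. A bundle that spctl still accepts as a Notarized Developer ID can still come back with verdict 'review' or 'malicious': notarization only says Apple's scanner found nothing at the time, not that the app is safe, and a revoked signature shows up as gatekeeper_accepts being False.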