North Korean hackers are using new Flutter apps and malicious Notepad-style programs to target Apple macOS. Reports revealed that these applications were signed with a valid Apple developer ID and notarised by Apple.
This detail indicates that the malicious apps, even if only temporarily, passed Apple’s security checks, so macOS computers classified them as verified and allowed them to run without restrictions. Moreover, the app titles are based on cryptocurrency themes, consistent with North Korean hackers’ focus on financial crime.
The newly discovered Flutter apps are connected to North Korean-controlled servers.
According to investigations, the Flutter app emerged earlier this month and is a seemingly harmless app that bypasses AV scans.
Additionally, the attackers developed all apps for macOS using Google’s Flutter framework, which allows developers to build natively compiled applications for various operating systems from a single codebase written in the Dart programming language.
The researchers also noted that it is not uncommon for actors to embed malware into a Flutter-based application, but this is the first time they have seen an attacker use it to target macOS machines.
This method provides malware authors more flexibility and makes malicious code more difficult to detect because it is embedded in a dynamic library loaded by the Flutter engine at runtime.
Furthermore, the researchers also uncovered that the software launched a Minesweeper game for macOS. Five of the six malicious programs were signed with a legitimate developer ID, and the malware had passed notarisation.
This detail indicates that Apple’s automated systems had examined the apps and classified them as safe. Further research also revealed Golang- and Python-based variants, ‘Stablecoins and DeFi, CeFi (Protected).app’ and ‘Runner.app’, with the latter appearing as a simple Notepad application. Both sent network requests to a known DPRK-linked domain and had script execution capabilities.
On the other hand, Apple has already revoked the signatures of the programs that the researchers identified, ensuring they would not get past Gatekeeper defences if installed on the latest macOS system.
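A defender-side triage script covering the two traits described above: the Flutter engine loading the compiled Dart code from a dynamic library at runtime, and the Developer ID signature and Gatekeeper/notarisation verdict that Apple's revocation changes. This is an added example, not code from the original report; it assumes the standard Flutter desktop bundle layout (FlutterMacOS.framework plus App.framework under Contents/Frameworks) and uses Apple's codesign and spctl tools, which exist only on macOS (the script reports their absence elsewhere).

```shell
#!/bin/sh
# Added triage helper: inspect a macOS .app bundle for the traits described
# above. Assumes the standard Flutter desktop layout, in which the Flutter
# engine is Contents/Frameworks/FlutterMacOS.framework and the AOT-compiled
# Dart code is a dylib inside Contents/Frameworks/App.framework.

# Returns 0 if the bundle carries both the Flutter engine and App.framework.
is_flutter_app() {
  [ -d "$1/Contents/Frameworks/FlutterMacOS.framework" ] &&
  [ -d "$1/Contents/Frameworks/App.framework" ]
}

# Prints every embedded Mach-O dylib and framework binary, one per line:
# these are the files the Flutter engine loads at runtime.
list_embedded_dylibs() {
  fwdir="$1/Contents/Frameworks"
  find "$fwdir" -name '*.dylib' -type f 2>/dev/null
  for fw in "$fwdir"/*.framework; do
    [ -d "$fw" ] || continue
    name=$(basename "$fw" .framework)
    if [ -f "$fw/Versions/A/$name" ]; then echo "$fw/Versions/A/$name"; fi
  done
}

# Developer ID chain and Gatekeeper verdict. codesign/spctl exist only on
# macOS; elsewhere the function just says so. Once Apple has revoked the
# signing certificate, spctl reports "rejected" instead of "accepted".
signing_status() {
  if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
    echo "signing: codesign/spctl not available on this host"
    return 0
  fi
  codesign -dvv "$1" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority)='
  spctl --assess --type execute -vv "$1" 2>&1
  return 0
}

triage() {
  app="$1"
  if is_flutter_app "$app"; then
    echo "flutter: yes (Dart code is in App.framework, loaded at runtime)"
  else
    echo "flutter: no"
  fi
  echo "embedded libraries:"
  list_embedded_dylibs "$app" | sed 's/^/  /'
  signing_status "$app"
}
if [ $# -ge 1 ]; then triage "$1"; fi
```

Run as `sh triage.sh /Applications/Some.app`; a Flutter app that passes spctl with a "Notarized Developer ID" source but then fails after revocation is exactly the situation the report describes.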
The legitimacy of the alleged DPRK malicious apps has yet to be verified as they are not known to be used in the current digital landscape.