<div id="post_message_800925">
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations.<br/> <br/> Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism.<br/> <br/> The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email, resembles the one Huntress managed security platform recently <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-deepfake-execs-in-zoom-call-to-spread-mac-malware/" target="_blank">linked to BlueNoroff</a>.<br/> <br/> <b><font size="4"><font color="White">Advanced macOS malware</font></font></b><br/> <br/> In a report today, researchers at cybersecurity company SentinelOne say that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor) on macOS, which "is a more unusual choice."<br/> <br/> One of the Nim-compiled binaries, '<i>installer</i>', is responsible for the initial setup and staging, preparing directories and config paths. It also drops two other binaries, '<i>GoogIe LLC</i>' and '<i>CoreKitAgent</i>', onto the victim's system.<br/> <br/> GoogIe LLC takes over to collect environment data and generate a hex-encoded config file, writing it to a temp path. 
It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages.<br/> <br/> The most advanced component used in the attack is <i>CoreKitAgent</i>, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution.<br/> <br/> It implements a 10-case state machine with a hardcoded state transition table, allowing flexible control flow based on runtime conditions.<br/> <br/> The most distinctive feature is its signal-based persistence mechanism, where it installs custom handlers for SIGINT and SIGTERM.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/handlers.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> --> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Registering custom signal handlers for SIGINT and SIGTERM. 
Source: SentinelLABS </td> </tr> </table> </div>These are signals typically used to terminate processes, but when either is caught, CoreKitAgent triggers a reinstallation routine that re-deploys GoogIe LLC, restoring the persistence chain.<br/> <br/> "When triggered, CoreKitAgent catches these signals and writes the LaunchAgent for persistence, a copy of GoogIe LLC as the loader, and a copy of itself as the trojan, setting executable permissions on the latter two via the addExecutionPermissions_user95startup95mainZutils_ u32 function,"<a href="https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/" target="_blank"> explains SentinelLABS</a>.<br/> <br/> "This behavior ensures that any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions."<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/what.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> --> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Writing the malware components back to disk when the process is terminated. 
Source: SentinelLABS </td> </tr> </table> </div>CoreKitAgent decodes and runs a hex-encoded AppleScript that beacons to attacker infrastructure every 30 seconds, exfiltrates system data, and executes remote commands via osascript, providing a lightweight backdoor.<br/> <br/> Parallel to the NimDoor execution, '<i>zoom_sdk_support.scpt</i>' triggers a second injection chain involving '<i>trojan1_arm64</i>', which initiates WSS-based C2 communications and downloads two scripts (<i>upl</i> and <i>tlgrm</i>) that facilitate data theft.<br/> <br/> In the case of the '<i>zoom_sdk_support.scpt</i>' loader, the researchers noticed that it includes more than 10,000 blank lines for obfuscation purposes.<br/> <br/> Upl extracts data from web browsers and grabs the Keychain, <i>.bash_history</i>, and <i>.zsh_history</i>, and exfiltrates it using curl to dataupload[.]store.<br/> <br/> Tlgrm focuses on stealing the Telegram database along with <i>.tempkeyEncrypted</i>, likely using those to decrypt messages the target exchanged on the platform.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/tlgrm.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> --> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> The tlgrm script targeting Telegram data. 
Source: SentinelLABS </td> </tr> </table> </div>Overall, the NimDoor framework and the rest of the backdoors SentinelLABS analyzed are some of the most complex macOS malware families linked to North Korean threat actors.<br/> <br/> The malware's modularity, which gives it flexibility, and the use of novel techniques like signal-based persistence indicate that DPRK operators evolve their toolkit to extend their cross-platform capabilities.<br/> <br/> SentinelLABS' report includes indicators of compromise for the domains, file paths, scripts, and binaries the North Korean threat actor used in attacks aimed at stealing cryptocurrency assets and sensitive information.<br/> <br/> <a href="https://www.bleepingcomputer.com/news/security/nimdoor-crypto-theft-macos-malware-revives-itself-when-killed/" target="_blank">@ BleepingComputer </a> </div>
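The persistence chain described in the article (a LaunchAgent labelled com.google.update that re-launches a loader named "GoogIe LLC", spelled with a capital I in place of the l) can be hunted for with a plist check over ~/Library/LaunchAgents. The following is an added example written for this post, not code from the article or from SentinelLABS. The two plists embedded in it are constructed sample data; the label and binary names come from the article, while the "RunAtLoad agent whose executable lives in a temp directory" rule is a generic heuristic assumed here, not an indicator the report states.

```python
"""Hunt macOS LaunchAgent plists for the NimDoor persistence artifact.

Added example, not from the article or SentinelLABS. Sample plists below
are constructed; the temp-directory rule is a generic heuristic (assumption).
"""
import plistlib
import re
from pathlib import Path

# Indicators named in the article: the LaunchAgent label and the dropped binaries.
KNOWN_BAD_LABELS = {"com.google.update"}
KNOWN_BAD_BINARIES = {"GoogIe LLC", "CoreKitAgent"}

# Lookalike spellings of "Google" using I, 1 or | instead of a lowercase l.
HOMOGLYPH_RE = re.compile(r"Goog[I1|]e")

# Generic heuristic (assumption): a login-time agent running from a temp dir.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def analyze_launch_agent(plist_bytes: bytes) -> list:
    """Return a list of findings for one LaunchAgent plist (empty if clean)."""
    findings = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist input
        return [f"unparseable plist: {exc}"]

    label = data.get("Label", "")
    program = data.get("Program") or ""
    args = data.get("ProgramArguments") or []
    exe = program or (args[0] if args else "")

    if label in KNOWN_BAD_LABELS:
        findings.append(f"label matches known IoC: {label}")
    if Path(exe).name in KNOWN_BAD_BINARIES or HOMOGLYPH_RE.search(exe):
        findings.append(f"executable matches known loader name: {exe}")
    if data.get("RunAtLoad") and exe.startswith(TEMP_DIRS):
        findings.append(f"RunAtLoad agent executes from a temp directory: {exe}")
    return findings


def scan_launch_agents(plists: dict) -> dict:
    """Map filename -> plist bytes; return only the files that produced findings."""
    results = {}
    for name, raw in plists.items():
        hits = analyze_launch_agent(raw)
        if hits:
            results[name] = hits
    return results


def load_launch_agents(directory: Path = Path.home() / "Library" / "LaunchAgents") -> dict:
    """Read every *.plist in the user's LaunchAgents directory (empty if absent)."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_bytes() for p in directory.glob("*.plist")}


# Constructed sample data: one plist shaped like the article's artifact, one benign.
MALICIOUS_SAMPLE = plistlib.dumps({
    "Label": "com.google.update",
    "ProgramArguments": ["/Users/victim/Library/Application Support/GoogIe LLC"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_SAMPLE = plistlib.dumps({
    "Label": "com.example.backup",
    "Program": "/usr/bin/true",
    "RunAtLoad": True,
})
SAMPLES = {"com.google.update.plist": MALICIOUS_SAMPLE, "com.example.backup.plist": BENIGN_SAMPLE}

if __name__ == "__main__":
    for name, hits in scan_launch_agents({**SAMPLES, **load_launch_agents()}).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Because CoreKitAgent traps SIGINT and SIGTERM and rewrites its components when either arrives, a responder should unload and delete the LaunchAgent found by a scan like this before stopping the process, and then terminate it with SIGKILL (signal 9), which cannot be caught by a handler, rather than with the default SIGTERM that `kill` sends.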