Security researchers have discovered new macOS malware that apparently comes from a North Korean hacking group out to target cryptocurrency-related businesses, reports PC Mag.
“Hidden Risk” malware arrives through phishing emails packed with fake news headlines and doctored articles about cryptocurrency-related topics, according to researchers at cybersecurity vendor SentinelOne.
On launch, the application downloads the decoy “Hidden Risk” PDF file from a Google Drive share and opens it using the default macOS PDF viewer (typically the Preview app). The malware then downloads and executes a malicious x86-64 binary.
Now here’s where it gets technical. From SentinelOne: “Since by default macOS won’t allow an application to download from an insecure HTTP protocol, the application’s Info.plist specifies this domain in the dictionary for its NSAppTransportSecurity key and sets the NSExceptionAllowsInsecureHTTPLoads value to ‘true’. The Info.plist also indicates that the application was built on a macOS 14.2 Sonoma machine but will run on both Intel and Apple silicon Macs with macOS 12 Monterey or later.”
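Added here as an illustration, not code from SentinelOne or the article: a small Python triage check that parses an app bundle’s Info.plist and reports the App Transport Security exception the quoted text describes, alongside the deployment-target keys. The plist content and the domain are constructed placeholders; LSMinimumSystemVersion and DTPlatformVersion are standard Xcode-generated keys and are assumed here to be where the version facts mentioned above are recorded.

```python
import plistlib
from typing import Dict, List

# Constructed sample Info.plist modelled on the behaviour described above:
# a per-domain ATS exception allowing plaintext HTTP, deployment target 12.0,
# built against the 14.2 SDK. The domain is a placeholder, not the real host.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.decoy-app</string>
  <key>LSMinimumSystemVersion</key><string>12.0</string>
  <key>DTPlatformVersion</key><string>14.2</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>updates.example.invalid</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def ats_findings(plist_bytes: bytes) -> Dict[str, object]:
    """Summarise ATS weakenings and build/deployment facts from an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    # Domains explicitly permitted to be fetched over plaintext HTTP.
    insecure: List[str] = [
        domain
        for domain, rules in ats.get("NSExceptionDomains", {}).items()
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False)
    ]
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "insecure_http_domains": sorted(insecure),
        # Global opt-out from ATS; broader than a per-domain exception.
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "min_os": info.get("LSMinimumSystemVersion"),
        "built_with_sdk": info.get("DTPlatformVersion"),
    }


def scan_bundle(app_path: str) -> Dict[str, object]:
    """Read Contents/Info.plist from an .app bundle on disk and triage it."""
    with open(f"{app_path}/Contents/Info.plist", "rb") as fh:
        return ats_findings(fh.read())
```

An app that ships an ATS exception for a bare domain, a low deployment target and no obvious reason to need plaintext HTTP is worth a closer look; the same check works on bundles pulled from a mail attachment or a quarantine folder.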
Article provided with permission from AppleWorld.Today