macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs techniques that are unusual for macOS malware, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism based on signal handlers and deploys AppleScripts as beacons and backdoors. The attack chain begins with social engineering via Telegram, which leads to the execution of malicious scripts and binaries. The malware exfiltrates browser data, Keychain credentials, and Telegram user information. The use of Nim adds complexity for analysts, because it blends complex behavior into binaries whose control flow is less obvious.

OPENCTI LABELS:

macos,cryptocurrency,process injection,web3,applescript,websocket,nimdoor
