Nim malware from North Korean hackers targets Web3 and cryptocurrency networks

A North Korean hacker group is targeting cryptocurrency and Web3 companies with the sophisticated NimDoor malware campaign.

The campaign combines social engineering with layered encryption to infiltrate Mac systems, steal sensitive data, and keep long-term control of the device.

KEY POINTS

  • Hackers create fake Zoom update pages to trick users into downloading malware.

  • NimDoor malware steals passwords, browser data, and encrypted Telegram messages.

  • The malware keeps long-term access and resists removal by reinstalling itself on the Mac.

How do North Korean hackers attack cryptocurrency and Web3 targets?

SentinelLabs identified NimDoor as an organized attack campaign that begins on Telegram and relies on a fake Zoom software update to deceive Mac users. The attackers register domains that closely resemble the real Zoom URL so that email recipients are tricked into downloading the fake update files.

SentinelLabs recorded fake domains such as support.us05web-zoom.forum and support.us05web-zoom.cloud. The fake update scripts served from them are padded with thousands of lines of meaningless code that hide the three lines actually doing the work: fetching malicious modules from the attackers' servers. The campaign is not aimed at a single individual; it targets multiple victims, each with their own custom domain.
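The lookalike domains above contain the word "zoom" while the registrable domain is not zoom.us. As a defensive illustration (added here, not code from SentinelLabs or the article), the following Python script pulls hostnames out of a message body and flags those that reuse a protected brand token outside the brand's legitimate domain. The email text is constructed for the example, and the list of legitimate Zoom domains is an assumption kept deliberately small.

```python
"""Flag hostnames that imitate a brand's domain (defensive check, added example).

The NimDoor lure used hosts such as support.us05web-zoom.forum: the string
"zoom" is present and the label mimics Zoom's real us05web.zoom.us pattern,
but the registrable domain is not zoom.us. The functions below extract
hostnames from text (for example an email body) and flag any host that carries
a protected brand token but is not under that brand's real domain.
"""
import re
from urllib.parse import urlsplit

# Brand tokens and the registrable domains the brand legitimately uses.
# zoom.us is the only domain assumed here; extend the set for real use.
PROTECTED = {
    "zoom": {"zoom.us"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a hostname; good enough for .us/.forum/.cloud style TLDs."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """True when host carries a protected brand token outside the brand's own domain."""
    host = host.lower()
    reg = registrable_domain(host)
    # Hyphens are stripped so "us05web-zoom" still matches the token "zoom".
    flat = host.replace("-", "")
    return any(token in flat and reg not in legit for token, legit in PROTECTED.items())


def extract_hosts(text):
    """Collect hostnames from full URLs and from bare domain-like tokens."""
    hosts = set()
    for url in URL_RE.findall(text):
        netloc = urlsplit(url).hostname
        if netloc:
            hosts.add(netloc.lower())
    for host in HOST_RE.findall(text):
        hosts.add(host.lower())
    return hosts


def find_lookalikes(text):
    """Sorted list of hostnames in text that imitate a protected brand."""
    return sorted(h for h in extract_hosts(text) if is_lookalike(h))


# Constructed sample message modelled on the lure described in the article.
SAMPLE_EMAIL = """Hi, as discussed on Telegram, please install the Zoom SDK update
before our call: https://support.us05web-zoom.forum/zoom-sdk-update
Official link for reference: https://support.zoom.us/hc/en-us
Our meeting: https://calendly.com/example-user/30min
"""

if __name__ == "__main__":
    for host in find_lookalikes(SAMPLE_EMAIL):
        print("lookalike domain:", host)
```

The check is intentionally narrow: it only fires when a brand token appears in a hostname whose registrable domain is not on the allow-list, which is exactly the shape of the support.us05web-zoom.forum and support.us05web-zoom.cloud hosts recorded by SentinelLabs.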

How is the Zoom update spoofing method implemented?

The attacker impersonates an acquaintance on Telegram, then persuades the target to schedule a meeting through Calendly using fake Zoom links. The follow-up email inviting the target to download a software update actually delivers malware dressed up as a Zoom support file; it contains typos such as 'Zook SDK Update', which is one of the signs security researchers use to detect and track the campaign.

The NimDoor campaign demonstrates sophisticated techniques by disguising malware within legitimate software update files, tricking users into thinking they are performing a normal Zoom update.

Quoted from the SentinelLabs Report, 2024

What type of information does the NimDoor malware steal?

NimDoor is built to steal passwords saved in popular browsers such as Google Chrome, Firefox, Microsoft Edge, Brave and Arc, together with login data and browsing history. It also copies system passwords stored on the Mac and the shell command history files.

Notably, the malware includes components focused on stealing Telegram data, including encrypted chat databases and decryption keys, allowing hackers to access private conversations offline. The stolen data is packaged and sent to servers controlled by hackers through encrypted connections, ensuring confidentiality during transmission.

NimDoor is written in programming languages such as Nim and C++ to evade security software, and it relies on fake filenames and plausible-looking install locations to keep long-term access.

Technical analysis by SentinelLabs, updated June 2024

What tactics help NimDoor maintain persistence on Mac devices?

When the malware is detected and removed by the user or by security software, it reinstalls itself automatically from backup copies kept in hidden folders named after Google services with minor typos. These files are registered to start automatically with the system, so NimDoor keeps running after every reboot.
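On macOS, "starting automatically with the system" usually means a launch agent property list, so one practical check is to audit those plists for the traits described above: a program living in a hidden directory, a label or path that is a near-miss of a vendor name, and RunAtLoad/KeepAlive flags. The Python script below is an added example (not SentinelLabs' or the article's code); the two plists are constructed, the "GoogIe"/"googel" names are invented stand-ins for the typo'd Google-style names the article mentions, and treating a two-edit distance as a "near miss" is a heuristic assumption.

```python
"""Audit a launch agent plist for the persistence traits described in the article.

Added example; both plists below are constructed, not real NimDoor artefacts.
"""
import plistlib
import re

# Vendor names the malware imitates (per the article). Extend as needed.
BRAND_WORDS = ["google"]


def levenshtein(a, b):
    """Classic edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss_words(text):
    """Words (5+ letters) within two edits of a brand word, excluding the exact word."""
    hits = []
    for raw in re.split(r"[^a-z]+", text.lower()):
        if len(raw) < 5:
            continue
        for brand in BRAND_WORDS:
            if raw != brand and levenshtein(raw, brand) <= 2:
                hits.append(raw)
    return hits


def audit_launch_agent(plist_bytes):
    """Return a list of human-readable findings for one plist."""
    data = plistlib.loads(plist_bytes)
    findings = []
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    label = data.get("Label", "")

    # Hidden directory anywhere in the program path (".name" components).
    hidden = [p for p in program.split("/") if p.startswith(".") and p not in (".", "..")]
    if hidden:
        findings.append(f"binary in hidden directory: {'/'.join(hidden)}")

    # Label or path that imitates a vendor name with a small typo.
    typos = sorted(set(near_miss_words(label + " " + program)))
    if typos:
        findings.append(f"label/path imitates brand name: {typos}")

    if data.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at login")
    keep_alive = data.get("KeepAlive")
    if keep_alive is True or isinstance(keep_alive, dict):
        findings.append("KeepAlive: relaunched when killed")
    return findings


# Constructed plist modelled on the behaviour the article describes.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.googel.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.googel-updater/GoogIe LLC</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign plist: a normal vendor updater that only starts at login.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.examplevendor.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/ExampleVendor/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, audit_launch_agent(blob))
```

RunAtLoad on its own is normal for many legitimate agents, which is why the benign sample yields a single finding; the combination of a hidden directory, a typo'd vendor name and KeepAlive is what should draw an analyst's attention.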

In addition, a lightweight monitoring component contacts the attackers' server every 30 seconds, reporting status and receiving new commands over encrypted web traffic, which makes it hard to spot. The malware also waits 10 minutes before activating so that it does not trigger scanners that look for immediately suspicious behaviour.
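A fixed 30-second check-in is hard to see in any single packet but easy to see over time: the gaps between connections to the same destination are almost identical. The following Python script, added here as an illustration rather than code from the article or SentinelLabs, groups outbound connections by destination and flags any destination whose inter-connection intervals are nearly constant. The log lines are constructed (timestamp plus destination, using documentation IP ranges), and the thresholds of at least five connections and a coefficient of variation of 0.1 are assumptions to tune against real traffic.

```python
"""Detect periodic beaconing in a simple outbound-connection log (added example).

Input format (constructed for this example): one "ISO-timestamp destination" per line.
A destination is reported as a beacon when it has at least `min_hits` connections
and the spread of the gaps between them is small relative to their mean.
"""
import statistics
from datetime import datetime

# Constructed log: one host checking in every ~30 s, another with irregular traffic.
SAMPLE_LOG = """\
2024-06-10T09:00:00 203.0.113.10:443
2024-06-10T09:00:05 198.51.100.7:443
2024-06-10T09:00:30 203.0.113.10:443
2024-06-10T09:01:00 203.0.113.10:443
2024-06-10T09:01:14 198.51.100.7:443
2024-06-10T09:01:31 203.0.113.10:443
2024-06-10T09:02:00 203.0.113.10:443
2024-06-10T09:02:30 203.0.113.10:443
2024-06-10T09:02:47 198.51.100.7:443
2024-06-10T09:02:59 203.0.113.10:443
2024-06-10T09:03:30 203.0.113.10:443
2024-06-10T09:05:02 198.51.100.7:443
"""


def parse_log(text):
    """Map destination -> list of connection timestamps."""
    by_dst = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst = line.split()
        by_dst.setdefault(dst, []).append(datetime.fromisoformat(ts))
    return by_dst


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return {destination: median_interval_seconds} for destinations that beacon."""
    beacons = {}
    for dst, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: near-constant gaps give a value close to 0.
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[dst] = round(statistics.median(gaps), 1)
    return beacons


if __name__ == "__main__":
    for dst, interval in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate {dst}: every {interval} s")
```

The 10-minute activation delay mentioned above does not help against this kind of check: once the implant starts talking, its regularity is the giveaway, so the detection should run over a window long enough to cover that delay. Legitimate software (update checkers, time sync) also beacons, so the output is a candidate list for triage rather than a verdict.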

Why does NimDoor's persistence strategy make removal difficult?

Ordinary users usually cannot remove NimDoor completely because it regenerates itself whenever it is deleted. Cleaning the system typically requires advanced security tools or professional technical support before organizations and individuals in the cryptocurrency space can consider an infected machine safe again.

Frequently Asked Questions

Which organization discovered the NimDoor malware?

The NimDoor campaign was discovered and detailed by SentinelLabs in 2024 with extensive technical analysis.

Which channel do the hackers use to trick users into downloading malware?

The hackers impersonate acquaintances on Telegram, then send emails inviting the target to download fake Zoom update files containing malware.

What information does NimDoor steal from victim machines?

NimDoor takes browser passwords, login data, browsing history, Mac system passwords, and Telegram chat data.

Why is NimDoor difficult to remove from computers?

NimDoor automatically backs itself up and reinstalls from hidden folders with fake names, and runs as a continuous monitor, which makes it hard to eliminate.

How can users effectively prevent NimDoor attacks?

Users should be cautious with unexpected software update emails and links, keep their security software up to date, and pay attention to unusual typos in downloaded files.

Source: https://tintucbitcoin.com/nim-malware-tan-cong-web3-tien-dien-tu/
