A North Korean hacking group has used the NimDoor backdoor on macOS to attack cryptocurrency companies by impersonating Zoom updates.

NimDoor is delivered as a fake update package; once installed it steals data from browsers, Telegram, and encrypted cryptocurrency wallets while evading Apple's built-in security checks.

MAIN CONTENT

  • North Korean hackers deliver the NimDoor backdoor disguised as a Zoom update on macOS.

  • This malware steals browser passwords, Telegram data, and encrypted cryptocurrency wallets.

  • Experts recommend blocking unsigned installation packages and downloading updates only from the official zoom.us domain.

How has the North Korean hacker group used NimDoor to attack cryptocurrency?

SentinelLabs, the research arm of the security company SentinelOne, has reported North Korean hackers deploying the NimDoor backdoor on macOS against cryptocurrency businesses. The tactic is social engineering: the malware is passed off as a Zoom update so that the target installs it willingly.

The chain starts with contact. The operator approaches the victim on Telegram, schedules a meeting through the Calendly scheduling app, and then prompts the target to download a supposed Zoom update package that actually carries NimDoor. Once the package is installed, the malware automatically creates a login item so that it is relaunched every time the user logs in, and it downloads additional attack modules.

"NimDoor is a typical example of malware using the less common Nim programming language, allowing it to easily bypass Apple's security detection systems."

Statement from SentinelLabs researchers, July 2025

What technical characteristics make NimDoor dangerous for cryptocurrency companies?

NimDoor is written in Nim, a language rarely seen in malware. Nim compiles to native code via C, so the resulting binaries run like any other native macOS program, but their layout is unfamiliar to analysts and poorly covered by detection signatures built around the common toolchains. That lets NimDoor slip past many macOS security filters that are tuned to well-known malware. Once running, it steals high-value data: passwords stored in browsers, Telegram data, and encrypted cryptocurrency wallet files, raising the risk of digital asset loss.

Furthermore, because it is started at every login through an automatically created login item, the operator keeps control of the victim's device across reboots without an obvious running process to notice. This persistence mechanism is the technical point that security organizations single out in their warnings.
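The login-item persistence described in the attack chain above and in this paragraph is something defenders can hunt for. The script below is an added example, not code from the original article or from SentinelLabs: it parses LaunchAgent plists (the per-user login-item mechanism under ~/Library/LaunchAgents) with Python's standard plistlib and flags agents that look like an impostor vendor updater. The heuristics (trusted prefixes, staging directories, hidden path components, vendor-themed labels) and the two sample agents are assumptions constructed for the demo, not real NimDoor artifacts.

```python
"""Triage macOS LaunchAgent plists for persistence that mimics a vendor updater.

Added example, not code from the article or from SentinelLabs. The heuristics
below are assumptions chosen to illustrate login-item hunting; they surface
candidates for review, they are not a verdict.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Assumption: executables under these prefixes are treated as expected locations.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/bin/", "/sbin/")
# Assumption: world- or user-writable locations a dropper can stage into without privileges.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
# Assumption: vendor names an impostor label is likely to borrow.
VENDOR_WORDS = ("zoom", "google", "apple", "microsoft", "adobe")


def executable_of(agent: dict) -> str:
    """Return the program a LaunchAgent runs (Program wins over ProgramArguments[0])."""
    prog = agent.get("Program") or (agent.get("ProgramArguments") or [""])[0]
    return os.path.expanduser(str(prog))


def triage_agent(agent: dict) -> list[str]:
    """Return the reasons an agent looks suspicious; an empty list means nothing flagged."""
    exe = executable_of(agent)
    label = str(agent.get("Label", "")).lower()
    if not exe:
        return ["no Program or ProgramArguments"]
    reasons = []
    if exe.startswith(STAGING_PREFIXES):
        reasons.append(f"executable in staging directory: {exe}")
    # Path(...).parts[0] is the root "/", so skip it when looking for dot-directories.
    if any(part.startswith(".") for part in Path(exe).parts[1:]):
        reasons.append(f"hidden path component in executable path: {exe}")
    trusted = exe.startswith(TRUSTED_PREFIXES)
    if agent.get("RunAtLoad") and agent.get("KeepAlive") and not trusted:
        reasons.append("RunAtLoad+KeepAlive relaunches an executable outside trusted prefixes")
    vendor = next((v for v in VENDOR_WORDS if v in label), None)
    if vendor and not exe.startswith("/Applications/"):
        reasons.append(f"label impersonates {vendor} but executable is not under /Applications: {exe}")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Parse every .plist in a LaunchAgents directory and return only the flagged ones."""
    findings: dict[str, list[str]] = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                agent = plistlib.load(fh)
        except Exception as exc:  # malformed XML or binary plist is itself worth a look
            findings[plist_path.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = triage_agent(agent)
        if reasons:
            findings[plist_path.name] = reasons
    return findings


# Constructed sample agents for the demo (assumptions, not recovered NimDoor artifacts).
BENIGN_AGENT = {
    "Label": "com.example.backup",
    "Program": "/Applications/ExampleBackup.app/Contents/MacOS/backup-helper",
    "RunAtLoad": True,
}
IMPOSTOR_AGENT = {
    "Label": "us.zoom.updater",
    "ProgramArguments": ["~/Library/Application Support/.zoomupd/ZoomUpdate", "--silent"],
    "RunAtLoad": True,
    "KeepAlive": True,
}


def demo() -> dict[str, list[str]]:
    """Write the constructed agents to a temp dir and scan it like ~/Library/LaunchAgents."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, agent in (("com.example.backup.plist", BENIGN_AGENT),
                            ("us.zoom.updater.plist", IMPOSTOR_AGENT)):
            with open(Path(tmp, name), "wb") as fh:
                plistlib.dump(agent, fh)
        return scan_launch_agents(Path(tmp))


if __name__ == "__main__":
    real_dir = Path.home() / "Library" / "LaunchAgents"
    results = scan_launch_agents(real_dir) if real_dir.is_dir() else demo()
    for name, reasons in results.items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On a Mac the script walks the user's real ~/Library/LaunchAgents; elsewhere it falls back to the constructed samples, where only us.zoom.updater.plist is flagged (hidden directory, RunAtLoad+KeepAlive outside trusted prefixes, vendor-themed label). Expect noise from legitimate user-space updaters that also keep a vendor name in their label; the point is to shortlist agents for a signature check, not to convict them.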

What are the preventive measures against NimDoor for cryptocurrency companies?

Experts propose three main measures to reduce the risk from NimDoor. First, block the installation of unsigned software packages outright, so that a package without a valid developer signature cannot be installed at all. Second, download Zoom updates only from the official zoom.us website, never from a link handed over in a chat, to avoid picking up a fake update package.

Finally, review the Telegram contact list carefully, especially unfamiliar accounts, so that suspicious behavior is spotted early and contact with the attackers is cut off before a meeting invitation or download link arrives.
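The first two measures above (reject unsigned packages, accept updates only from zoom.us) can be made mechanical before an installer is opened. The script below is an added example, not code from the article, Zoom or SentinelLabs. It validates that a download URL really points at zoom.us or a subdomain of it (resisting the usual lookalike, userinfo and path tricks) and, on macOS, runs Apple's own pkgutil and spctl tools against the downloaded .pkg. The official host suffix, the expected Developer ID organisation name and the sample URLs are assumptions for the demo; confirm the signer name against a known-good installer before relying on it.

```python
"""Vet a Zoom update before installing it: official source host plus installer signature.

Added example, not code from the article or from Zoom/SentinelLabs. The official
host suffix and the expected signer name are assumptions to be confirmed by the reader.
"""
import platform
import subprocess
from urllib.parse import urlsplit

# Assumption: the only acceptable download host is zoom.us or a subdomain of it.
OFFICIAL_SUFFIX = "zoom.us"


def is_official_zoom_url(url: str) -> bool:
    """True only for an https URL whose host is zoom.us or a subdomain of it.

    urlsplit resolves the real host, so userinfo tricks (https://zoom.us@evil.example/)
    and path tricks (https://evil.example/zoom.us/) do not pass, and neither does the
    lookalike zoom.us.evil.example, because the suffix match requires a dot boundary.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return False
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def check_installer_signature(pkg_path: str, expected_signer: str) -> dict:
    """Run Apple's pkgutil and spctl on a .pkg and summarise what they report.

    Only runs on macOS; elsewhere returns {"supported": False}. expected_signer is the
    Developer ID organisation name you expect in pkgutil's certificate chain output
    (assumption: take it from a known-good installer, not from this script).
    """
    if platform.system() != "Darwin":
        return {"supported": False}
    sig = subprocess.run(["pkgutil", "--check-signature", pkg_path],
                         capture_output=True, text=True)
    gate = subprocess.run(["spctl", "--assess", "--type", "install", "--verbose", pkg_path],
                          capture_output=True, text=True)
    sig_out = sig.stdout + sig.stderr
    gate_out = gate.stdout + gate.stderr
    return {
        "supported": True,
        "signed": "Status: signed" in sig_out,          # unsigned packages print "Status: no signature"
        "expected_signer": expected_signer in sig_out,
        "gatekeeper_accepted": gate.returncode == 0 and "accepted" in gate_out,
        "pkgutil_output": sig_out,
        "spctl_output": gate_out,
    }


def vet_update(url: str, pkg_path: str = "", expected_signer: str = "") -> list[str]:
    """Combine both checks and return the list of failed checks (empty means it passed)."""
    problems = []
    if not is_official_zoom_url(url):
        problems.append(f"not an https URL on {OFFICIAL_SUFFIX}: {url}")
    if pkg_path:
        res = check_installer_signature(pkg_path, expected_signer)
        if not res["supported"]:
            problems.append("signature check skipped: pkgutil/spctl are only available on macOS")
        else:
            if not res["signed"]:
                problems.append("installer is unsigned")
            if expected_signer and not res["expected_signer"]:
                problems.append(f"signer is not {expected_signer!r}")
            if not res["gatekeeper_accepted"]:
                problems.append("Gatekeeper rejected the installer")
    return problems


# Constructed sample links of the kind an attacker might send over Telegram (assumptions).
SAMPLE_URLS = [
    "https://zoom.us/client/latest/Zoom.pkg",
    "https://cdn.zoom.us/prod/Zoom.pkg",
    "http://zoom.us/client/latest/Zoom.pkg",
    "https://zoom.us.update-download.example/Zoom.pkg",
    "https://zoom.us@update-download.example/Zoom.pkg",
    "https://update-download.example/zoom.us/Zoom.pkg",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print("OK  " if is_official_zoom_url(u) else "BAD ", u)
    # Assumption: the organisation name on Zoom's Developer ID certificate; verify it yourself.
    print(vet_update(SAMPLE_URLS[0], "/tmp/Zoom.pkg", "Zoom Video Communications, Inc."))
```

Run on macOS with a real path to the downloaded .pkg; on any other system the URL check still runs and the signature step reports that it was skipped rather than silently passing. The spctl call is the same judgement Gatekeeper makes at install time, so a package that fails here is one the first recommendation says should never be installed.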

"Protecting cryptocurrency companies from non-traditional attack tactics such as fake updates is our top priority."

CEO of SentinelLabs, July 2025

Examples of detection and consequences of NimDoor in the cryptocurrency industry

In early July 2025, SentinelLabs described NimDoor while investigating an attack chain against a cryptocurrency company in North America. According to the report, a group of employees had hundreds of encrypted cold wallet login files stolen, putting digital assets estimated at hundreds of thousands of USD at risk.

The incident once again underscores the need for vigilance and for purpose-built security controls at cryptocurrency financial organizations.

Considerations about the Nim programming language features in malware development

Nim is rarely used in security tooling or in malware, which works in the attackers' favour: there are few detection signatures for Nim-compiled binaries and fewer analysts familiar with their structure. Instead of the C or Python that most macOS malware is written in, NimDoor relies on this novelty to get past macOS detection mechanisms, even though the operating system places great emphasis on security.

Comparison of NimDoor with typical macOS malware:

Criterion | NimDoor | Typical macOS malware
Programming language | Nim (less common) | Python, C, Objective-C
Evasion technique | Runs in the background via a login item; sophisticated encryption | Easily detected via digital signatures and heuristics
Delivery method | Fake Zoom update sent via Telegram | Email attachments, downloads from unsafe websites
Stolen data | Browser passwords, Telegram data, encrypted cryptocurrency wallets | Login credentials, keylogging

Frequently Asked Questions

What is NimDoor and how does it affect cryptocurrency companies?
NimDoor is a macOS backdoor developed by North Korean hackers. It steals critical data such as passwords and cryptocurrency wallets, posing a serious risk to businesses.

How does NimDoor spread?
NimDoor is spread as a fake Zoom update package sent by the attackers over Telegram, combined with a Calendly meeting invitation to build trust.

What should cryptocurrency companies do to avoid NimDoor?
Limit the installation of unsigned software, download updates only from zoom.us, and monitor the Telegram contact list carefully for suspicious individuals.

Why is NimDoor difficult to detect on macOS?
It is written in the rarely used Nim language, which helps it evade traditional security analysis, and it runs automatically in the background via a system login item.

What are the potential losses from a NimDoor attack?
Loss of control over encrypted cryptocurrency wallets and theft of passwords and Telegram data, leading to significant digital asset risk for the business.

Source: https://tintucbitcoin.com/nimdoor-tan-cong-tien-so-tren-macos/
