
North Korean Malware Attacks Mac Users in Crypto Industry

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

In a Rush? Here are the Quick Facts!

  • The hacking group, BlueNoroff, launched the “Hidden Risk” campaign in April 2023.
  • Malware spreads via fake cryptocurrency news updates in phishing emails.
  • Attack enables remote control and data theft from infected devices.

A new report by cybersecurity firm SentinelOne highlights a wave of advanced malware attacks targeting cryptocurrency firms, specifically those using macOS devices.

The attacks, attributed to North Korean hackers associated with the “BlueNoroff” group, employ phishing emails and deceptive links to infiltrate corporate systems and steal funds.

Technical evidence linked the campaign to BlueNoroff, a subgroup recently identified by the U.S. Treasury as part of Lazarus, North Korea’s most notorious government-backed hacking group, as noted by The Record.

The BlueNoroff campaign, known as “Hidden Risk,” reportedly began in April 2023 and uses fake cryptocurrency news updates to lure victims.

Malicious applications disguised as PDF documents trick users into downloading malware. These phishing emails often appear to be from reputable sources in the crypto industry, containing links to “reports” that, instead, install a malware application.

Titles like “Hidden Risk Behind New Surge of Bitcoin Price” are crafted to look credible, duping users into opening the files.

SentinelOne’s report highlights an innovative tactic within the campaign: using the “zshenv” file, a hidden macOS system file, to keep the malware persistent. This method allows the malware to evade detection by not triggering typical macOS security alerts.
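Because zsh sources /etc/zshenv and ~/.zshenv for every shell it starts, interactive or not, a line appended to either file runs quietly each time a shell launches, which is why it makes a convenient persistence point. The following is an added defender-side check, not code from SentinelOne or from this article: it lists non-empty zshenv files under a given directory and counts lines that reference user-writable paths or background a process. The pattern list (SUSPECT_RE) is an assumption for illustration and is not SentinelOne's published indicator set.

```shell
#!/bin/sh
# Added example: inventory zsh startup files that run on every shell start and
# flag lines worth a second look. Not from the SentinelOne report; the regex
# below is a constructed heuristic, not the campaign's actual indicators.

# Lines in a startup file that reference scratch or hidden user-writable
# locations, download tools, or detach a process in the background.
SUSPECT_RE='(/tmp/|/var/tmp/|/private/var/|/Library/Application Support/|/Users/[^/]+/\.[A-Za-z]|nohup |curl |base64|&[[:space:]]*$)'

# count_suspect_lines FILE: print how many lines of FILE match SUSPECT_RE.
# grep -c prints 0 and exits 1 when nothing matches, so the exit status is
# discarded and only the count is used.
count_suspect_lines() {
  grep -cE "$SUSPECT_RE" "$1" || true
}

# zshenv_report DIR: for each zshenv file present and non-empty in DIR
# (DIR/zshenv covers /etc, DIR/.zshenv covers a home directory), print
# "path<TAB>N lines<TAB>M suspect". Prints nothing when no file exists.
zshenv_report() {
  dir="$1"
  for f in "$dir/zshenv" "$dir/.zshenv"; do
    if [ -s "$f" ]; then
      lines=$(wc -l < "$f" | tr -d ' ')
      suspect=$(count_suspect_lines "$f")
      printf '%s\t%s lines\t%s suspect\n' "$f" "$lines" "$suspect"
    fi
  done
  return 0
}

# Usage on a real host: set ZSHENV_SCAN=1 to report the system and user files.
if [ -n "${ZSHENV_SCAN:-}" ]; then
  zshenv_report /etc
  zshenv_report "${HOME:-/nonexistent}"
fi
```

Any non-zero "suspect" count is a prompt for review, not a verdict; a legitimate ~/.zshenv can set PATH or export variables, but it rarely needs to launch a background binary from a hidden directory. Pair this with a file-integrity baseline so that a zshenv file that appears or changes on a machine where no one edited it stands out.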

Once embedded, the malware installs a backdoor, enabling attackers to remotely control infected devices, execute commands, and harvest data.

This campaign aligns with North Korea’s long-standing interest in cryptocurrency as a funding source. In September 2024, the FBI issued warnings about North Korean hackers targeting decentralized finance (DeFi) platforms and crypto firms through phishing.

The “Hidden Risk” campaign underscores the group’s evolving techniques, particularly in targeting macOS vulnerabilities.

SentinelOne’s findings underscore the importance of caution in the crypto industry. Security experts recommend that firms enhance their security protocols, educate employees on phishing threats, and exercise caution when handling unexpected emails or applications.


ToxicPanda Malware Hits Banks Across Europe And Latin America

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

In a Rush? Here are the Quick Facts!

  • Over 1,500 devices infected across Italy, Portugal, Spain, and Latin America.
  • Malware bypasses bank security, enabling fraud through account takeover and On-Device Fraud.
  • ToxicPanda is still in early development, with incomplete commands in its code.

In October 2024, Cleafy’s Threat Intelligence team discovered a new Android banking Trojan campaign, initially linked to the known TgToxic family of malware. However, after further investigation, it became clear that this new malware was different, leading experts to track it under the name ToxicPanda.

In their recent report, the analysts explain that ToxicPanda is designed to steal money from compromised devices by bypassing bank security measures.

The malware uses a technique called On-Device Fraud (ODF), which allows attackers to take control of a victim’s bank account without the person’s knowledge. It can bypass identity verification and behavioral detection systems that banks use to flag suspicious activities.

The researchers explain that ToxicPanda works by exploiting Android’s accessibility services. This allows it to gain control over a victim’s device, intercept one-time passwords (OTPs), and carry out fraudulent bank transactions. It can also hide its presence on the phone, making it harder for antivirus software to detect.

However, the report notes that the malware is still in early development. Some parts of its code are incomplete, with commands that don’t yet do anything.

Despite this, ToxicPanda has already managed to infect over 1,500 Android devices across Italy, Portugal, Spain, and Latin America. These infected devices are being used in attacks on 16 different banking institutions.

The threat actors (TAs) behind ToxicPanda are suspected to be Chinese speakers, marking a shift in the regions they target.

It is uncommon for Chinese-speaking cybercriminals to focus on banking fraud in Europe and Latin America. The researchers suggest that this might indicate a potential change in their operational focus.

Although ToxicPanda is not as advanced as some other banking trojans, it shares similarities with previous malware like TgToxic.

The report suggests that the malware’s developers appear to be new to targeting financial institutions outside their home regions, which may explain its somewhat basic code and limited features.

ToxicPanda’s spread has been significant, with Italy seeing the highest number of infections, followed by countries like Portugal, Spain, and Peru. This broad geographic reach signals that the malware creators are expanding their targets to include more countries, especially in Latin America.

In conclusion, ToxicPanda is a growing threat that highlights the increasing sophistication of mobile banking fraud. While the malware is still developing, its rapid spread across multiple regions shows that cybercriminals are becoming more focused on exploiting banking systems worldwide.