BleepingComputer reports that organizations in the cryptocurrency and Web3 sectors have been targeted by North Korean state-sponsored threat actors using the new, sophisticated NimDoor macOS malware, which seeks to compromise cryptocurrency assets and sensitive information. According to a report from SentinelOne's SentinelLabs researchers, intrusions begin with contact over Telegram, followed by email and Calendly invites that deliver a bogus Zoom SDK update carrying the NimDoor malware.

After initial staging, NimDoor's 'installer' binary deploys two further components: the 'GoogIe LLC' binary, which collects environment data and establishes persistence through a macOS LaunchAgent, and the 'CoreKitAgent' binary, which serves as the NimDoor framework's primary payload. The researchers also found that CoreKitAgent decodes and runs an AppleScript that enables system data exfiltration and remote command execution, while a secondary injection chain running alongside it ends in the loading of a pair of scripts that steal browser data and Telegram messages.
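Two details in the chain above are useful triage signals for defenders: persistence through a user LaunchAgent, and a component name ('GoogIe LLC', with a capital I standing in for the l) that reads as a legitimate vendor at a glance. The script below is an added example, not code from the SC Media summary or the SentinelLabs report; it parses LaunchAgent plists and flags labels that impersonate a known vendor through look-alike characters and programs that run from outside the usual installed-software locations. The two plists, the vendor list and the trusted-path list are constructed, illustrative assumptions, not indicators from the report.

```python
"""Triage macOS LaunchAgent plists for two NimDoor-style persistence signals.

Added example, not from the SC Media summary or the SentinelLabs report.
Signals checked:
  1. a Label that impersonates a known vendor via look-alike characters
     (e.g. 'GoogIe' with a capital I where Google has an l);
  2. a program that runs from outside the locations where installed agents
     normally live (e.g. under /Users, /tmp or /private/var).
The sample plists, vendor list and trusted-path list are constructed."""
import plistlib
import re
from typing import Optional

# Assumption: a short list of vendors whose names persistence entries often borrow.
KNOWN_VENDORS = {"google", "apple", "microsoft", "zoom", "adobe"}

# Single characters that read like another letter, mapped to what a reader sees.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s", "3": "e"})

# Assumption: prefixes under which a signed, installed agent is normally expected.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")

# Constructed sample: label mimics Google, program lives in a user-writable path.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.GoogIe.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/GoogIe LLC</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample: ordinary vendor agent, installed under /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def normalize_token(token: str) -> str:
    """Replace confusable characters with the letter they resemble, then lowercase."""
    return token.translate(CONFUSABLES).lower()


def lookalike_vendor(label: str) -> Optional[str]:
    """Return the vendor a label impersonates, or None.

    A token counts as an impersonation only when it is NOT a vendor name as
    written but IS one after confusable normalisation, so a genuine
    'com.google.keystone.agent' label is left alone."""
    for token in re.split(r"[^A-Za-z0-9]+", label):
        if not token or token.lower() in KNOWN_VENDORS:
            continue
        seen_as = normalize_token(token)
        if seen_as in KNOWN_VENDORS:
            return seen_as
    return None


def untrusted_program(args: list) -> bool:
    """True when the executable (first ProgramArguments element) lies outside
    TRUSTED_PREFIXES. A triage signal, not a verdict: some legitimate agents
    also live under the user's home directory."""
    if not args:
        return False
    return not args[0].startswith(TRUSTED_PREFIXES)


def assess_plist(data: bytes) -> dict:
    """Parse one LaunchAgent plist and return its label, program and findings."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    if "ProgramArguments" in plist:
        args = list(plist["ProgramArguments"])
    elif "Program" in plist:
        args = [plist["Program"]]
    else:
        args = []
    findings = []
    vendor = lookalike_vendor(label)
    if vendor:
        findings.append(f"label impersonates '{vendor}' via look-alike characters")
    if untrusted_program(args):
        findings.append("program runs from outside trusted locations")
    return {"label": label, "program": args[0] if args else None, "findings": findings}


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        result = assess_plist(blob)
        print(name, result["label"], result["findings"])
```

On a live host the same `assess_plist` function can be run over every file in `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the look-alike check is deliberately conservative (it only fires when a token becomes a vendor name after normalisation and was not one before), while the path check is noisy by design and is meant to prioritise review rather than to alert on its own.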