NimDoor: The sophisticated North Korean malware that threatens macOS users through Zoom and Telegram scams

  • NimDoor is a new malware created by North Korean hackers, targeting macOS and especially cryptocurrency and Web3 companies.
  • The infection spreads through fake Zoom links and Telegram contacts, using advanced social engineering techniques.
  • The malware combines several programming languages that are unusual in macOS campaigns, including Nim, C++, Bash, and AppleScript, and employs persistence mechanisms that are difficult to remove.
  • Among the compromised data are Keychain credentials, browser information, and Telegram databases, which calls for increased caution and the adoption of new security measures.


In recent months, cybersecurity experts have focused on a sophisticated attack targeting macOS users, especially those who work in sectors related to cryptocurrencies and Web3. The deployment of this new malware of North Korean origin, dubbed NimDoor, has attracted considerable attention in the technology community due to its advanced combination of techniques and the difficulty of detecting and removing it.

This is not just any threat. NimDoor stands out for using languages that are unusual in malicious campaigns on macOS (Nim, C++, Bash and AppleScript), which gives it a special ability to go undetected and remain active on infected systems. Its main objective is to compromise the security of companies and profiles linked to digital assets, a booming industry that is particularly attractive to international cybercriminals.

How NimDoor works: Zoom and Telegram as the gateway


The first step in the North Korean hackers' plan takes place on Telegram, where they contact the potential victim posing as a trusted collaborator or contact. After starting the conversation, they propose scheduling a video call and then send an email that appears to be a legitimate Zoom invitation. This email contains a disguised link that leads to the download of a malicious file presented as a "Zoom SDK" update.

What's especially clever is that this file, designed for macOS, incorporates more than 10,000 lines of white space before the code, making it much harder for security tools and researchers to analyze. Once the victim runs the file thinking it's a legitimate update, the malware is activated and an encrypted connection is established with a remote server controlled by the attackers.
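The whitespace padding described above is a simple thing to check for during triage. The following is an added example (not code from the article or from any of the researchers it cites) that measures how much whitespace precedes the first real content of a script file and flags files above an assumed threshold; the thresholds, the function names and the two sample scripts are all constructed for illustration.

```python
"""Triage heuristic: flag script files whose code is preceded by
an unusually large amount of whitespace (added example, not from the
article). Thresholds below are assumptions chosen for illustration."""
from dataclasses import dataclass

MAX_LEADING_LINES = 200    # assumed: blank lines tolerated before first code
MAX_LEADING_BYTES = 4096   # assumed: whitespace bytes tolerated before first code
WHITESPACE = b" \t\r\n\f\v"


@dataclass
class PaddingReport:
    leading_lines: int     # whitespace-only lines before the first code line
    leading_bytes: int     # whitespace bytes before the first non-blank byte
    first_code_line: str   # first non-blank line, shown to the analyst
    suspicious: bool


def analyze_padding(data: bytes) -> PaddingReport:
    """Measure the whitespace run at the start of a file and decide
    whether it exceeds the assumed thresholds."""
    stripped = data.lstrip(WHITESPACE)
    leading_bytes = len(data) - len(stripped)
    leading_lines = data[:leading_bytes].count(b"\n")
    first_line = stripped.split(b"\n", 1)[0].decode("utf-8", "replace")
    suspicious = (leading_lines > MAX_LEADING_LINES
                  or leading_bytes > MAX_LEADING_BYTES)
    return PaddingReport(leading_lines, leading_bytes, first_line, suspicious)


def scan_file(path: str) -> PaddingReport:
    """Run the heuristic over a file on disk."""
    with open(path, "rb") as fh:
        return analyze_padding(fh.read())


# Constructed samples: an ordinary AppleScript and one padded the way
# the article describes (10,000 blank lines before the first statement).
NORMAL_SCRIPT = b'display dialog "Zoom SDK update"\n'
PADDED_SCRIPT = b"\n" * 10_000 + b'tell application "System Events" to display dialog "update"\n'

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL_SCRIPT), ("padded", PADDED_SCRIPT)):
        report = analyze_padding(blob)
        print(f"{name}: {report.leading_lines} leading lines, "
              f"{report.leading_bytes} leading bytes, suspicious={report.suspicious}")
```

A hit from this check is only a reason to look closer, since generated or auto-formatted scripts can also carry long blank runs.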

The malware deployment doesn't end there: the malicious software sets up persistence mechanisms on the device, so that if the user removes the malware or restarts the computer, NimDoor can automatically reinstall itself and continue operating unnoticed. This capability increases the risk and the difficulty of completely cleaning the affected system.


Innovative techniques and compromised data


Research published by firms such as SentinelLabs emphasizes that NimDoor is one of the most elaborate attacks against macOS in recent years. The combination of languages and the use of techniques such as process injection and communications over the encrypted WSS protocol (WebSocket over TLS) complicate the work of current antivirus and detection systems.

The magnitude of the potential damage is considerable, since NimDoor can extract credentials stored in the operating system's Keychain, access data from web browsers and, in some cases, even steal Telegram user databases on the infected device. This scope makes the threat especially relevant for companies that handle sensitive information or digital financial resources.

Another innovative aspect that has attracted attention is the malware's persistence mechanism, which is triggered by intercepting system signals such as SIGINT or SIGTERM, allowing the software to reinstall itself and keep running in the background even if the process is stopped or terminated.


Why NimDoor is so worrying and how to protect yourself


The seriousness of this type of attack lies in the combination of social engineering and technical sophistication. The use of popular communication channels like Telegram and Zoom, along with the simulation of real conversations and emails, makes it very difficult for the average user to identify the threat before it's too late.

To reduce the risk of infection, experts insist on some basic security tips:

  • Always be wary of unexpected emails, even if they appear legitimate or come from known contacts.
  • Avoid downloading or executing attachments that you have not expressly requested, especially if they are technical in nature (updates, SDKs, etc.).
  • Check the sender's name and domain of any suspicious email before clicking on links or downloading files.
  • Use up-to-date antivirus and threat analysis solutions and keep the operating system up to date.
  • For companies, adopting multi-factor authentication and training employees to detect phishing attempts are essential measures today.

This case demonstrates that, although macOS is often perceived as a more secure platform than other systems, no environment is free from risk when attackers employ such advanced and persistent strategies as those described here.
