macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are largely employed for communication and collaboration, frequently carrying sensitive data and user groups that are wide. 

Such platforms gain trust among their users as of their pervasiveness as well as high level of acceptance, enabling the hackers to take advantage of such factors and spread malware, steal information, tap conversations, or even break into various organizations. 

Cybersecurity analysts (Patrick Wardle) at Objective-See discovered that North Korean hackers had been actively weaponizing a meeting app, Miro Talk, to target macOS users.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Besides this, the malwarehunterteam also tweeted about this new Mac malware.

Weaponized Meeting App

A malicious disk image (MiroTalk.dmg), undetected by VirusTotal’s AV engines, was analyzed to reveal its capabilities and North Korean (DPRK) attribution. 

The malware, likely part of a job-related phishing campaign, was hosted on a clone of the legitimate Miro Talk site. This tactic aligns with known DPRK hacker methods of targeting victims by posing as job hunters.

The analysis demonstrates how open-source tools like BlockBlock and LuLu can help counter such threats. 

The malware’s connection to a previously documented DPRK campaign by Palo Alto Network’s Unit42 suggests an evolving strategy in North Korean cyber operations.

The analysis result of MiroTalk.dmg file is an unsigned 64-bit Intel Mach-O executable named Jami, which was not detected by VirusTotal. 

The malicious disk image is currently undetected by any of the AV engines on VirusTotal (Source – Objective-See)
The application is not signed (Source – Objective-See)

Symbols and strings embedded inside suggest that it could be used for exfiltration, download, and execution with a possible C2 server at 95.164.17.24:1224. 

The malware may also target crypto-wallet browser extensions, browser data, and the macOS keychain.

It’s likely to be cross-platform (Qt/QMake), written in Python, and contains malicious Python scripts.

Methods of the executable like setBaseBrowserUrl directly reference sensitive browser paths that indicate complex data collection and exfiltration capabilities.

The Jami executable is malware that tries to access the user’s keychain and steal sensitive browser data to a C2 server (95.164.17.24:1224).

Application displays an UI (Source – Objective-See)

Although the initial attempts to exfiltrate failed, the malware API endpoints are similar to those of BeaverTail, which was previously linked with North Korean hackers.

This implies a shift from JavaScript-based threats to native QT variations that have similar targets like cryptocurrency wallets.

The DPRK-linked C2 server also hosts other payloads including client/5346 which is a Python downloader and InvisibleFerret, a cross-platform backdoor.

These findings link this new malware variant with the earlier campaign of BeaverTail indicating the continued maturity of DPRK cyber capabilities.

The analyzed malware, masquerading as MiroTalk, is a new native variant of BeaverTail.

This new variant is capable of stealing information and executing additional Python-based payloads like InvisibleFerret. 

This is evidence of DPRK cyber capability development, as shown by key IoCs like the MiroTalk.dmg file (SHA-256: 0F5F0A3AC843DF675168F82021C24180EA22F764F87F82F9F77FE8F0BA0B7132) C2 server (95.164.17.24).

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

24 hours ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago