macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are largely employed for communication and collaboration, frequently carrying sensitive data and user groups that are wide. 

Such platforms gain trust among their users as of their pervasiveness as well as high level of acceptance, enabling the hackers to take advantage of such factors and spread malware, steal information, tap conversations, or even break into various organizations. 

Cybersecurity analysts (Patrick Wardle) at Objective-See discovered that North Korean hackers had been actively weaponizing a meeting app, Miro Talk, to target macOS users.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Besides this, the malwarehunterteam also tweeted about this new Mac malware.

Weaponized Meeting App

A malicious disk image (MiroTalk.dmg), undetected by VirusTotal’s AV engines, was analyzed to reveal its capabilities and North Korean (DPRK) attribution. 

The malware, likely part of a job-related phishing campaign, was hosted on a clone of the legitimate Miro Talk site. This tactic aligns with known DPRK hacker methods of targeting victims by posing as job hunters.

The analysis demonstrates how open-source tools like BlockBlock and LuLu can help counter such threats. 

The malware’s connection to a previously documented DPRK campaign by Palo Alto Network’s Unit42 suggests an evolving strategy in North Korean cyber operations.

The analysis result of MiroTalk.dmg file is an unsigned 64-bit Intel Mach-O executable named Jami, which was not detected by VirusTotal. 

The malicious disk image is currently undetected by any of the AV engines on VirusTotal (Source – Objective-See)
The application is not signed (Source – Objective-See)

Symbols and strings embedded inside suggest that it could be used for exfiltration, download, and execution with a possible C2 server at 95.164.17.24:1224. 

The malware may also target crypto-wallet browser extensions, browser data, and the macOS keychain.

It’s likely to be cross-platform (Qt/QMake), written in Python, and contains malicious Python scripts.

Methods of the executable like setBaseBrowserUrl directly reference sensitive browser paths that indicate complex data collection and exfiltration capabilities.

The Jami executable is malware that tries to access the user’s keychain and steal sensitive browser data to a C2 server (95.164.17.24:1224).

Application displays an UI (Source – Objective-See)

Although the initial attempts to exfiltrate failed, the malware API endpoints are similar to those of BeaverTail, which was previously linked with North Korean hackers.

This implies a shift from JavaScript-based threats to native QT variations that have similar targets like cryptocurrency wallets.

The DPRK-linked C2 server also hosts other payloads including client/5346 which is a Python downloader and InvisibleFerret, a cross-platform backdoor.

These findings link this new malware variant with the earlier campaign of BeaverTail indicating the continued maturity of DPRK cyber capabilities.

The analyzed malware, masquerading as MiroTalk, is a new native variant of BeaverTail.

This new variant is capable of stealing information and executing additional Python-based payloads like InvisibleFerret. 

This is evidence of DPRK cyber capability development, as shown by key IoCs like the MiroTalk.dmg file (SHA-256: 0F5F0A3AC843DF675168F82021C24180EA22F764F87F82F9F77FE8F0BA0B7132) C2 server (95.164.17.24).

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

5 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

5 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago