macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are largely employed for communication and collaboration, frequently carrying sensitive data and user groups that are wide. 

Such platforms gain trust among their users as of their pervasiveness as well as high level of acceptance, enabling the hackers to take advantage of such factors and spread malware, steal information, tap conversations, or even break into various organizations. 

Cybersecurity analysts (Patrick Wardle) at Objective-See discovered that North Korean hackers had been actively weaponizing a meeting app, Miro Talk, to target macOS users.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Besides this, the malwarehunterteam also tweeted about this new Mac malware.

Weaponized Meeting App

A malicious disk image (MiroTalk.dmg), undetected by VirusTotal’s AV engines, was analyzed to reveal its capabilities and North Korean (DPRK) attribution. 

The malware, likely part of a job-related phishing campaign, was hosted on a clone of the legitimate Miro Talk site. This tactic aligns with known DPRK hacker methods of targeting victims by posing as job hunters.

The analysis demonstrates how open-source tools like BlockBlock and LuLu can help counter such threats. 

The malware’s connection to a previously documented DPRK campaign by Palo Alto Network’s Unit42 suggests an evolving strategy in North Korean cyber operations.

The analysis result of MiroTalk.dmg file is an unsigned 64-bit Intel Mach-O executable named Jami, which was not detected by VirusTotal. 

Symbols and strings embedded inside suggest that it could be used for exfiltration, download, and execution with a possible C2 server at 95.164.17.24:1224. 

The malware may also target crypto-wallet browser extensions, browser data, and the macOS keychain.

It’s likely to be cross-platform (Qt/QMake), written in Python, and contains malicious Python scripts.

Methods of the executable like setBaseBrowserUrl directly reference sensitive browser paths that indicate complex data collection and exfiltration capabilities.

The Jami executable is malware that tries to access the user’s keychain and steal sensitive browser data to a C2 server (95.164.17.24:1224).

Although the initial attempts to exfiltrate failed, the malware API endpoints are similar to those of BeaverTail, which was previously linked with North Korean hackers.

This implies a shift from JavaScript-based threats to native QT variations that have similar targets like cryptocurrency wallets.

The DPRK-linked C2 server also hosts other payloads including client/5346 which is a Python downloader and InvisibleFerret, a cross-platform backdoor.

These findings link this new malware variant with the earlier campaign of BeaverTail indicating the continued maturity of DPRK cyber capabilities.

The analyzed malware, masquerading as MiroTalk, is a new native variant of BeaverTail.

This new variant is capable of stealing information and executing additional Python-based payloads like InvisibleFerret. 

This is evidence of DPRK cyber capability development, as shown by key IoCs like the MiroTalk.dmg file (SHA-256: 0F5F0A3AC843DF675168F82021C24180EA22F764F87F82F9F77FE8F0BA0B7132) C2 server (95.164.17.24).

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.