North Korean Hackers Use Flutter Apps to Infect macOS with Malware

Cedric Nelson

North Korean threat actors have introduced a novel approach to macOS malware delivery by embedding malware within Flutter applications. This is the first time the tactic has been observed against Apple macOS devices, and it may signal a shift in the macOS threat landscape.

The discovery was made by Jamf Threat Labs, based on malware artifacts uploaded to VirusTotal earlier this month. The Flutter-built applications are part of a broader set of malware that includes samples written in Golang and Python. Although it’s unknown how these malware-laden apps are distributed, North Korean actors are known for social engineering attacks targeting cryptocurrency and decentralized finance (DeFi) sector employees.

“We suspect these samples are currently being tested and may not yet have been distributed,” said Jaron Bradley, director at Jamf Threat Labs. Jamf has yet to attribute the attack to a specific North Korean-linked hacking group, but infrastructure overlaps suggest it may be tied to Lazarus subgroup BlueNoroff. Similarities were noted with malware from the KANDYKORN campaign and the Hidden Risk campaign, recently reported by SentinelOne.

Key Tactics: The malware, masked as a functional Minesweeper game named “New Updates in Crypto Exchange (2024-08-28),” leverages Flutter to embed its main payload in Dart. The game appears to be a clone of a basic Flutter-based game available on GitHub, consistent with game-themed malware seen in attacks by Moonstone Sleet, another North Korean group.

These apps were initially signed and notarized with legitimate Apple developer IDs—Baltimore Jewish Council, Inc. (3AKYHFR584) and Fairbanks Curling Club Inc. (6W69GC943U)—suggesting the attackers got the apps through Apple’s notarization checks. The signatures have since been revoked.

Upon execution, the malware contacts a remote server (mbupdate.linkpc[.]net) and receives AppleScript code that arrives written backwards and is reversed before being executed. Variants written in Go and Python were also identified, with similar functionality that allows them to execute any AppleScript payload received in a server response.
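As an added example (not code from Jamf or from the article), two defender-side checks for the behaviour described above: a heuristic that flags a server response body that only reads as AppleScript once reversed, and a parser that pulls the TeamIdentifier line from `codesign -dv --verbose=4` output and compares it with the two revoked Team IDs the article names. The response bodies and codesign text are constructed samples.

```python
"""Detection heuristics for the reversed-AppleScript delivery described above.
Sample data is constructed; the logic is written for this article, not Jamf's."""
import re

# AppleScript constructs that commonly appear in a remotely delivered payload.
APPLESCRIPT_TOKENS = ("tell application", "do shell script", "end tell",
                      "on run", "display dialog", "osascript")

# Developer Team IDs named in the article (certificates since revoked by Apple).
REVOKED_TEAM_IDS = {"3AKYHFR584", "6W69GC943U"}


def applescript_score(text: str) -> int:
    """Count AppleScript constructs in text, case-insensitively."""
    lowered = text.lower()
    return sum(lowered.count(tok) for tok in APPLESCRIPT_TOKENS)


def classify_payload(body: str) -> str:
    """Label a server response body: 'applescript', 'reversed-applescript' or 'unknown'.
    A body that scores higher after reversal is the pattern the article describes."""
    forward = applescript_score(body)
    backward = applescript_score(body[::-1])
    if backward > forward and backward >= 2:
        return "reversed-applescript"
    if forward >= 2:
        return "applescript"
    return "unknown"


def team_id_from_codesign(output: str) -> "str | None":
    """Extract the TeamIdentifier value from `codesign -dv --verbose=4` text."""
    m = re.search(r"^TeamIdentifier=(\S+)$", output, re.MULTILINE)
    return m.group(1) if m else None


def signed_by_revoked_team(output: str) -> bool:
    """True if the binary's Team ID is one of the revoked IDs from the article."""
    return team_id_from_codesign(output) in REVOKED_TEAM_IDS


# Constructed samples: a small script, its reversed form, and codesign output.
SAMPLE_SCRIPT = 'tell application "Finder"\n    display dialog "hello"\nend tell\n'
SAMPLE_REVERSED = SAMPLE_SCRIPT[::-1]
SAMPLE_CODESIGN = "Identifier=com.example.game\nTeamIdentifier=3AKYHFR584\n"

if __name__ == "__main__":
    print(classify_payload(SAMPLE_SCRIPT))          # applescript
    print(classify_payload(SAMPLE_REVERSED))        # reversed-applescript
    print(signed_by_revoked_team(SAMPLE_CODESIGN))  # True
```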

Jamf noted that North Korean threat actors are diversifying their malware with multi-language implementations, including Golang, Python, and Dart, to target cryptocurrency entities. These frequent updates and language shifts may be intended to evade detection and adapt to security advancements.

“In the case of Dart, we suspect the actors recognize Flutter’s architecture as ideal for obscurity,” Bradley added, noting the relative difficulty in analyzing Flutter applications once they’re compiled.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067