Intrusions with malware-laced Flutter applications signed with Apple developer IDs have been deployed by North Korea-linked threat actors against macOS devices, reports The Hacker News.
Attackers leveraged the cross-platform app development framework Flutter to build a Minesweeper-style game titled "New Updates in Crypto Exchange", which, when executed, launches a Dart-based primary payload that enables AppleScript code execution, according to a report from Jamf Threat Labs. Two further apps, NewEra for Stablecoins and DeFi, CeFi (Protected) and Runner, were used to deliver Go and Python variants of the malware, respectively, the researchers noted.

"Malware discovered from the actor over the past years comes in many different variants with frequently updated iterations. We suspect this in efforts to remain undetected and keep malware looking different on each release," said Jamf Threat Labs Director Jaron Bradley.

No specific threat operation has been identified as being behind the attacks, but the techniques used resembled those of the Lazarus sub-group BlueNoroff, while game-related lures have previously been leveraged by Moonstone Sleet.