macOS Malware Steals Keychain Data via Process Injection and Remote Communication

In a significant escalation of cyber threats targeting the cryptocurrency sector, security researchers have uncovered a sophisticated North Korean (DPRK)-linked campaign using Nim-compiled binaries and advanced multi-stage attack chains against Web3 and crypto-related businesses.

The operation, dubbed “NimDoor,” relies on techniques that are rare in macOS malware, including process injection and encrypted command-and-control communication.

Unusual Process Injection and Encrypted Command Channels

The campaign’s initial access relies on classic social engineering. Attackers impersonate trusted contacts on Telegram, luring targets to fake Zoom meetings and persuading them to run a malicious AppleScript update script.

The script, hosted on domains mimicking legitimate Zoom URLs, fetches further payloads and ultimately drops two Mach-O binaries, named a and installer, into the system’s temporary directories.

The a binary, compiled from C++, uses password-derived keys and layered AES encryption to decrypt additional payloads, including the trojan1_arm64 implant.

In a rare move for macOS malware, a launches a benign process (“Target”) in a suspended state, injects code from trojan1_arm64 into it, and then resumes it, giving the attackers code execution under the cover of an innocuous process.

The injected process then opens encrypted communications with attacker-controlled command-and-control (C2) servers over wss, the TLS-encrypted variant of WebSockets.

The traffic is additionally wrapped in multiple layers of RC4 encryption with unique base64-encoded keys. RC4 is a broken cipher, so these layers add obfuscation rather than real cryptographic strength, but combined with TLS they leave signature-based network monitoring little to match on.

Persistence via Signal Handlers and AppleScript Beacons

The second binary, installer, is compiled from Nim and orchestrates persistence. It drops further Nim binaries under deceptive names (GoogIe LLC, spelled with a capital I in place of the l, and CoreKitAgent) into folders that mimic legitimate macOS application structures.

Notably, the malware establishes persistence through macOS LaunchAgents plus an unusual mechanism: it installs SIGINT and SIGTERM signal handlers, so an attempt to terminate the process or a system shutdown triggers the reinstallation of its components. This defeats basic manual removal. Because SIGKILL cannot be caught, a cleanup should unload the LaunchAgent and delete the dropped files first, then terminate the process with SIGKILL rather than SIGTERM.
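As an added example (not code from the article or from the researchers' report), the following Python script triages LaunchAgent plists for the traits described above: a vendor name spelled with lookalike characters such as the capital I in GoogIe, a program that lives in a user-writable directory, and a RunAtLoad/KeepAlive pair that runs it at every login and relaunches it when killed. The plist contents, the label, the paths, and the substitution map are constructed for the example and are not the campaign's artifacts.

```python
import plistlib
import re
from typing import List

# Lookalike substitutions to undo before comparing against real vendor names
# (GoogIe with a capital I for a lowercase l is the one this campaign used;
# the rest of the map is an assumption for illustration).
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})
VENDORS = {"google", "apple", "microsoft", "zoom", "adobe"}

# Locations a LaunchAgent's program should not normally live in.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def looks_like_vendor_homoglyph(name: str) -> bool:
    """True when a token in NAME is not a vendor name as written but
    becomes one once lookalike characters are replaced."""
    for token in re.findall(r"[A-Za-z0-9|]+", name):
        if token.lower() in VENDORS:
            continue  # genuinely spelled vendor name, nothing to flag
        if token.translate(HOMOGLYPHS).lower() in VENDORS:
            return True
    return False


def triage_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist deserves a closer look
    (an empty list means nothing stood out)."""
    data = plistlib.loads(plist_bytes)
    findings: List[str] = []
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program or ProgramArguments: nothing would run"]
    for field, value in (("Label", data.get("Label", "")), ("Program", program)):
        if looks_like_vendor_homoglyph(value):
            findings.append(f"{field} imitates a vendor with lookalike characters: {value!r}")
    if program.startswith(USER_WRITABLE):
        findings.append(f"program is in a user-writable location: {program}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: runs at login and is relaunched if killed")
    return findings


# Constructed samples: one plist shaped like the persistence described in the
# article (label and paths are placeholders, not the campaign's artifacts) and
# one benign-looking updater agent for comparison.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.GoogIe.LLC.CoreKitAgent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/GoogIe LLC/CoreKitAgent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_launch_agent(blob) or ["nothing flagged"])
```

On a live host, feed the function every file under ~/Library/LaunchAgents and /Library/LaunchAgents; a plist that trips the homoglyph check or points into a user-writable directory is worth pulling the referenced binary for analysis before anything is unloaded or deleted.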

Execution chain once the persistence mechanism is activated by a login or reboot

Beyond binaries, the attackers widely deploy AppleScript, both for initial access and as lightweight beacons and backdoors.

The decoded AppleScripts, whose strings are hidden as hex literals, beacon system process data to C2 addresses every 30 seconds and can execute attacker-supplied code on command.
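As an added example (not the campaign's script or the researchers' tooling), the Python below pulls hex-encoded string literals out of an AppleScript, decodes those that yield printable text, and classifies what they reveal; it also spots the repeat/delay loop that gives the beacon interval. The sample script, its host name, and the assumption that strings are stored as plain quoted hex literals are constructed for the example; real samples may encode strings differently.

```python
import re
from typing import Dict, List

# Constructed sample of a beacon script for this example: strings are kept as
# hex literals and decoded at run time. Host name and interval are placeholders.
SAMPLE_SCRIPT = '''
on hexdecode(h)
    -- runtime decoder omitted in this sample
    return h
end hexdecode
set c2 to hexdecode("68747470733a2f2f6578616d706c652e696e76616c69642f636865636b")
set runner to hexdecode("646f207368656c6c20736372697074")
repeat
    set procs to hexdecode("7073202d6178")
    delay 30
end repeat
'''

# A quoted run of hex digits of 4+ bytes, long enough to be a hidden string.
HEX_LITERAL = re.compile(r'"([0-9a-fA-F]{8,})"')

SUSPICIOUS = {
    "shell execution": re.compile(r"\bdo shell script\b|\bcurl\b|\bosascript\b"),
    "network endpoint": re.compile(r"\b(?:https?|wss?)://"),
    "process enumeration": re.compile(r"\bps\s+-|\bsystem_profiler\b"),
}


def decode_hex_strings(script: str) -> List[str]:
    """Decode every quoted hex literal that turns into printable ASCII text."""
    decoded: List[str] = []
    for hexstr in HEX_LITERAL.findall(script):
        if len(hexstr) % 2:
            continue  # odd length cannot be a byte string
        try:
            text = bytes.fromhex(hexstr).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not hex, or not text: leave it alone
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage_applescript(script: str) -> Dict[str, List[str]]:
    """Map each suspicious category to the decoded strings that triggered it,
    plus the beacon interval if the script loops with a fixed delay."""
    hits: Dict[str, List[str]] = {}
    for text in decode_hex_strings(script):
        for category, pattern in SUSPICIOUS.items():
            if pattern.search(text):
                hits.setdefault(category, []).append(text)
    loop = re.search(r"\brepeat\b.*?\bdelay\s+(\d+).*?\bend repeat\b", script, re.S)
    if loop:
        hits["beacon interval"] = [f"{loop.group(1)}s"]
    return hits


if __name__ == "__main__":
    for category, values in triage_applescript(SAMPLE_SCRIPT).items():
        print(f"{category}: {values}")
```

Decoding the strings statically is what turns an opaque script into indicators: the endpoint goes straight into a blocklist, and the combination of a process listing, a shell-execution primitive, and a fixed delay is the beacon-plus-backdoor shape the article describes.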

Bash scripts play a role in exfiltrating sensitive data: browser profiles, Keychain credentials, and Telegram data are collected, compressed, and uploaded to remote servers.

Emerging Trend: Nim and Advanced Obfuscation

Analysts emphasize that the combination of Nim, custom encryption routines, signal-based persistence, and abuse of native scripting marks a new level of sophistication for macOS malware.

As cross-platform languages like Nim gain traction among threat actors, defenders and security teams are urged to deepen their understanding of both these languages and the novel attack patterns they enable.

Indicators of Compromise

Domains

Domain | Role
dataupload[.]store | upl/tlgrm C2
firstfromsep[.]online | netchk C2
safeup[.]store | CoreKit C2
support[.]us05web-zoom[.]pro | zoom_sdk_support.scpt C2
writeup[.]live | CoreKit C2
Priya
