
How North Korean Hackers Bypass macOS Gatekeeper with Flutter

14 Nov, 2024
In a sophisticated new attack on macOS systems, North Korean hackers are utilizing a clever method to bypass Apple's security measures. According to Jamf Threat Labs, the hackers are embedding malware in apps created with Google's Flutter framework, which are then signed with legitimate Apple developer IDs and notarized by Apple itself. These trojanized apps, which appear innocent at first glance, successfully trick macOS’s security protocols into recognizing them as safe, allowing the malware to run without restrictions.

The malicious apps, often themed around cryptocurrency, have been identified as part of an ongoing campaign by North Korean threat actors, known for their involvement in financial theft. The timing and nature of the attack suggest that it could be an experimental operation to test the ability to circumvent macOS security systems rather than a highly targeted and sophisticated strike. However, the potential for such malware to evade detection remains a serious concern.

The applications are built using Flutter, an open-source framework that enables developers to create apps for multiple operating systems from a single codebase written in Dart. This approach gives the hackers versatility, making it harder to detect the malicious code. Unlike typical malware, which might be flagged by antivirus software, these apps passed Apple’s automated security checks and were allowed to run on macOS devices without raising suspicion.

The apps, which were all connected to servers associated with North Korean actors, included games like Minesweeper and simple utilities like a Notepad app. These programs seemed benign, but once launched, they would execute scripts sent from a command-and-control (C2) server linked to North Korea. The malicious code was obfuscated within a dynamic library (dylib), which is loaded by the Flutter engine when the app is run, further complicating detection efforts.

Among the discovered apps, five out of six were signed with valid developer IDs, meaning they passed Apple's notarization process. This notarization confirms that the apps were scanned by Apple's automated systems and deemed safe, which allowed the malware to evade Apple's Gatekeeper defenses temporarily. One app, named New Updates in Crypto Exchange (2024-08-28).app, was found to not only run a Minesweeper game but also contain code that supported AppleScript execution, enabling the app to carry out commands from an external server.
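The two paragraphs above describe the pieces a defender can actually look for: a Flutter bundle whose compiled Dart code lives in a dynamic library loaded by the Flutter engine, strings in that library pointing at AppleScript execution and at remote servers, and a signature that Apple may since have revoked. The following triage script is an added example written for this article; it is not code from Jamf Threat Labs or from the campaign. It assumes the standard Flutter macOS bundle layout (`Contents/Frameworks/FlutterMacOS.framework` for the engine and `Contents/Frameworks/App.framework/App` for the Dart payload), uses a constructed indicator list (`NSAppleScript`, `osascript`, `applescript`), and builds a mock bundle with constructed strings and placeholder URLs so it can be dry-run offline. The domain blocklist is supplied by the analyst; no real infrastructure is embedded.

```python
"""Static triage of a Flutter-built macOS .app bundle (added example)."""
from __future__ import annotations

import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumption: standard Flutter desktop layout. The engine ships as
# FlutterMacOS.framework; the app's AOT-compiled Dart code is the
# App.framework/App dynamic library that the engine loads at launch.
ENGINE_FRAMEWORK = Path("Contents/Frameworks/FlutterMacOS.framework")
DART_DYLIB = Path("Contents/Frameworks/App.framework/App")

# Constructed indicator list: strings suggesting the Dart payload can hand
# commands to AppleScript. Tune against your own samples.
APPLESCRIPT_INDICATORS = ("NSAppleScript", "osascript", "applescript")

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII runs of at least six bytes, like `strings`."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(blob)]


def is_flutter_bundle(bundle: Path) -> bool:
    """True when both the engine framework and the Dart dylib are present."""
    return (bundle / ENGINE_FRAMEWORK).is_dir() and (bundle / DART_DYLIB).is_file()


def triage_bundle(bundle: Path, blocklist: tuple[str, ...] = ()) -> dict:
    """Report Flutter layout, AppleScript indicators, embedded URLs and
    which URLs match the analyst-supplied domain blocklist."""
    report = {
        "bundle": str(bundle),
        "is_flutter": is_flutter_bundle(bundle),
        "applescript_indicators": [],
        "urls": [],
        "blocklisted_urls": [],
    }
    if not report["is_flutter"]:
        return report
    blob = (bundle / DART_DYLIB).read_bytes()
    found = {ind for s in extract_strings(blob) for ind in APPLESCRIPT_INDICATORS if ind in s}
    report["applescript_indicators"] = sorted(found)
    report["urls"] = sorted({m.group().decode("ascii") for m in URL_RE.finditer(blob)})
    report["blocklisted_urls"] = [u for u in report["urls"] if any(d in u for d in blocklist)]
    return report


def signature_status(bundle: Path) -> dict | None:
    """Ask macOS whether the signature still verifies and whether Gatekeeper
    would still accept the bundle (fails once Apple revokes the developer
    ID). Returns None where codesign/spctl are not available."""
    if not (shutil.which("codesign") and shutil.which("spctl")):
        return None
    sign = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(bundle)],
                          capture_output=True, text=True)
    gate = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", str(bundle)],
                          capture_output=True, text=True)
    return {"codesign_ok": sign.returncode == 0,
            "gatekeeper_accepts": gate.returncode == 0,
            "spctl_output": gate.stderr.strip()}


def build_sample_bundle(root: Path) -> Path:
    """Write a constructed mock Flutter bundle (not a real sample) for a dry run."""
    bundle = root / "Sample.app"
    (bundle / ENGINE_FRAMEWORK).mkdir(parents=True)
    (bundle / DART_DYLIB).parent.mkdir(parents=True)
    fake_dylib = (b"\x00" * 16 + b"NSAppleScript\x00" + b"\x00" * 4
                  + b"https://c2.example.invalid/api/script\x00"   # placeholder C2 URL
                  + b"https://cdn.example.com/update.json\x00")    # placeholder benign URL
    (bundle / DART_DYLIB).write_bytes(fake_dylib)
    return bundle


def demo() -> dict:
    """Dry run against the mock bundle; returns its triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_sample_bundle(Path(tmp))
        report = triage_bundle(bundle, blocklist=("example.invalid",))
        report["signature"] = signature_status(bundle)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it against a real bundle with `triage_bundle(Path("/Applications/Suspect.app"), blocklist=(...))`; the string scan works on any platform, while `signature_status` only reports on macOS, where a revoked developer ID shows up as `gatekeeper_accepts: false` even though the bundle once passed notarization.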

The other apps in the campaign, including New Era for Stablecoins and DeFi, CeFi (Protected).app and Runner.app, were also found to feature similar malicious functionality, including the ability to make network requests to known DPRK-linked domains, which are suspected to be used for further data exfiltration or to control the malware.

In response to these findings, Apple has revoked the developer IDs used for the trojanized apps, preventing them from bypassing Gatekeeper defenses on updated macOS systems. However, it remains unclear whether these apps were ever used in real-world attacks or were only deployed in the wild as tests of new techniques for bypassing macOS security.

While the exact scope of this operation is still uncertain, the ability to bypass macOS security using legitimate developer IDs and notarized apps underscores a significant vulnerability in Apple’s current defense mechanisms. The use of widely available tools like Flutter and the integration of malware into seemingly harmless applications presents a growing challenge for cybersecurity experts and highlights the need for more advanced detection methods to counteract evolving threats.
