APT Actors Embed Malware in macOS Flutter Applications: A New Threat Landscape

APT actors linked to North Korea are embedding malware in macOS applications built with Flutter, utilizing advanced obfuscation techniques to evade detection and potentially compromise user systems.

MALWARE / ADVANCED PERSISTENT THREAT (APT)

11/12/2024, 2 min read

In a concerning development for macOS users, Jamf Threat Labs has uncovered a sophisticated malware campaign believed to be orchestrated by threat actors associated with North Korea (DPRK). This discovery highlights a new tactic in which malicious code is embedded within applications built using the Flutter framework, effectively evading traditional security scans[1].

The Malware's Modus Operandi

The malware, discovered in late October 2024, comes in three variants:

1. A Flutter-built application

2. A Go variant

3. A Python variant built with Py2App

The Flutter variant, which is the focus of this analysis, presents itself as a functional minesweeper game. However, upon execution, it makes a network request to a domain previously linked to DPRK malware[1].

Obfuscation Techniques

What makes this malware particularly insidious is its use of Flutter's unique app architecture. The malicious code is hidden within a dylib file that the main application does not load directly, so security tools that inspect only the main executable have a hard time detecting it[1].

Functionality and Payload Delivery

The malware acts as a stage one payload, attempting to fetch a stage two payload from a remote server. If successful, it can execute AppleScript code returned by the server, potentially allowing attackers to run arbitrary commands on the victim's system[1].

Multiple Variants, Same Threat

While the Flutter variant is the most complex, the Go and Python variants exhibit similar behavior. They all attempt to connect to the same domain and execute remote AppleScript payloads[1].

Signs of Sophistication

Interestingly, some samples were found to have been signed and temporarily passed Apple's notarization process, though these signatures have since been revoked. This suggests a high level of sophistication and possibly a test run for future, more widespread attacks[1].
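Two of the points above shape how a defender triages such a bundle: the logic sits in a framework dylib rather than in the main executable (Obfuscation Techniques), and the signature or notarization may have been valid at first and revoked later (Signs of Sophistication). The script below is an added example, not code from the Jamf report or from the samples it describes. It walks a .app bundle, lists every Mach-O image rather than only Contents/MacOS, flags the standard Flutter framework directories (the assumed layout is Contents/Frameworks/App.framework for the compiled Dart code and FlutterMacOS.framework for the engine), and, when run on macOS, asks codesign and spctl whether the bundle still verifies; the sample bundle it builds is a constructed stand-in with no real code inside.

```python
"""Triage helper for a macOS .app bundle (added example, not Jamf's code):
list every Mach-O image, flag Flutter framework directories, and on macOS
report codesign / spctl (Gatekeeper) verdicts. Assumed Flutter layout:
Contents/Frameworks/App.framework and Contents/Frameworks/FlutterMacOS.framework.
"""
import os
import plistlib
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# First four bytes of a thin or fat (universal) Mach-O file.
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 as stored on little-endian hosts
    b"\xfe\xed\xfa\xcf",  # MH_CIGAM_64
    b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xce",  # MH_CIGAM
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC
}
FLUTTER_FRAMEWORKS = ("App.framework", "FlutterMacOS.framework")


def is_macho(path: str) -> bool:
    """True if the regular file at path starts with a Mach-O magic number."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def main_executable(app_dir: str) -> Optional[str]:
    """Resolve Contents/MacOS/<CFBundleExecutable> from Info.plist, if valid."""
    try:
        with open(os.path.join(app_dir, "Contents", "Info.plist"), "rb") as fh:
            name = plistlib.load(fh).get("CFBundleExecutable")
    except Exception:  # missing or malformed plist
        return None
    exe = os.path.join(app_dir, "Contents", "MacOS", name or "")
    return exe if name and is_macho(exe) else None


@dataclass
class BundleReport:
    main_executable: Optional[str]
    other_images: List[str] = field(default_factory=list)  # every other Mach-O
    flutter_frameworks: List[str] = field(default_factory=list)
    signature: Dict[str, str] = field(default_factory=dict)


def inspect_bundle(app_dir: str, check_signing: bool = False) -> BundleReport:
    """Enumerate all Mach-O images in the bundle, not just the main binary:
    a scan limited to Contents/MacOS never sees code kept in a framework dylib."""
    report = BundleReport(main_executable=main_executable(app_dir))
    for root, _dirs, files in os.walk(app_dir):
        if os.path.basename(root) in FLUTTER_FRAMEWORKS:
            report.flutter_frameworks.append(root)
        for name in files:
            path = os.path.join(root, name)
            if path != report.main_executable and is_macho(path):
                report.other_images.append(path)
    report.other_images.sort()
    report.flutter_frameworks.sort()
    if check_signing:
        report.signature = check_signature(app_dir)
    return report


def check_signature(app_dir: str) -> Dict[str, str]:
    """codesign checks the seal; spctl gives Gatekeeper's verdict, which becomes
    'rejected' once Apple revokes the signing identity or notarization ticket.
    Both are macOS tools, so each is skipped when absent from the host."""
    cmds = {
        "codesign": ["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_dir],
        "spctl": ["spctl", "--assess", "--type", "execute", "--verbose", app_dir],
    }
    verdict: Dict[str, str] = {}
    for tool, cmd in cmds.items():
        if shutil.which(tool) is None:
            verdict[tool] = "skipped (tool not on this host)"
            continue
        proc = subprocess.run(cmd, capture_output=True, text=True)
        verdict[tool] = "ok" if proc.returncode == 0 else "FAIL: " + (proc.stderr or proc.stdout).strip()
    return verdict


def build_sample_bundle() -> str:
    """Constructed stand-in for a Flutter .app: main binary plus the two
    framework images, each just a padded Mach-O header. No real code inside."""
    app = os.path.join(tempfile.mkdtemp(), "Mines.app")
    fw = os.path.join(app, "Contents", "Frameworks")
    for path in (
        os.path.join(app, "Contents", "MacOS", "Mines"),
        os.path.join(fw, "App.framework", "Versions", "A", "App"),
        os.path.join(fw, "FlutterMacOS.framework", "Versions", "A", "FlutterMacOS"),
    ):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # MH_MAGIC_64 + zeroed header
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Mines"}, fh)
    return app


if __name__ == "__main__":
    import sys
    rep = inspect_bundle(sys.argv[1] if len(sys.argv) > 1 else build_sample_bundle(), check_signing=True)
    print("main executable:", rep.main_executable, "| flutter:", bool(rep.flutter_frameworks))
    for img in rep.other_images:
        print("additional image:", img)
    for tool, result in rep.signature.items():
        print(f"{tool}: {result}")
```

Run it as `python3 triage.py /path/to/Some.app` on a Mac to get the image list plus the codesign and spctl verdicts; without an argument it inspects the constructed sample. Every entry under "additional image" deserves the same scrutiny (strings, imports, network indicators) as the main executable, and a bundle whose spctl verdict is "rejected" while its codesign seal is intact is exactly the post-revocation state described above.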

Implications and Precautions

This discovery underscores the evolving nature of threats targeting macOS. Users should exercise caution when downloading applications, even those that appear legitimate or are signed. Keeping systems updated and using reputable security software remains crucial.

As threat actors continue to innovate, the cybersecurity community must remain vigilant. This incident serves as a reminder that no platform is immune to potential security risks, and constant adaptation in defense strategies is necessary.

Citations:

[1] https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/