

Ethical Hacking News

NimDoor: A Sophisticated macOS Malware that Revives Itself When Killed



The recently discovered NimDoor crypto-theft malware for macOS uses an unusual signal-based persistence mechanism that lets it reinstall itself even after its process is killed. This attack chain highlights the ever-evolving nature of cyber threats and underlines the need for continuous vigilance and proactive defensive measures against advanced malware like NimDoor.

  • NimDoor is a sophisticated piece of malware targeting macOS systems linked to North Korean state-backed hackers.
  • The malware uses unusual techniques and novel persistence mechanisms to remain undetected on infected systems.
  • The payload consists of three primary binaries: GoogIe LLC, CoreKitAgent, and 'installer'.
  • CoreKitAgent is the main payload with a 10-case state machine for adapting behavior based on runtime conditions.
  • NimDoor features signal-based persistence mechanisms to ensure resilience against basic defensive actions.
  • The malware exfiltrates system data, executes remote commands, and facilitates data theft via C2 communications.
  • The attackers' use of novel techniques like signal-based persistence indicates adaptation and evolution in tactics to evade detection.



In a recent development that has sent shockwaves through the cybersecurity community, researchers at SentinelOne have discovered a sophisticated piece of malware dubbed NimDoor. This malicious software is specifically designed to target macOS systems and has been found to be linked to North Korean state-backed hackers.

According to the researchers, NimDoor is a family of malware that utilizes unusual techniques and novel persistence mechanisms to remain undetected on infected systems. The attackers behind this malware have been observed using a campaign that involves luring victims into running fake Zoom SDK updates via Calendly and email links. This tactic is eerily reminiscent of a recent attack linked to the Huntress managed security platform.

The payload of NimDoor consists of three primary binaries: GoogIe LLC, CoreKitAgent, and 'installer'. Upon initial setup, 'installer' prepares directories and config paths before dropping the other two binaries onto the victim's system. GoogIe LLC then takes over, collecting environment data and generating a hex-encoded configuration file that is written to a temporary path. This binary also sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages.

The most advanced component of the NimDoor framework is undoubtedly CoreKitAgent, the main payload of the malware. This binary is an event-driven executable that uses macOS's kqueue mechanism to manage execution asynchronously. Its implementation features a 10-case state machine with a hardcoded state transition table, allowing it to adapt its behavior to runtime conditions.

The most distinctive feature of NimDoor is its signal-based persistence mechanism. When either the SIGINT or SIGTERM signal is caught, CoreKitAgent triggers a reinstallation routine that re-deploys GoogIe LLC, restoring the persistence chain. As a result, any user-initiated termination of the malware leads to re-deployment of its core components, making it resilient to basic defensive actions.

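The persistence chain described above rests on a LaunchAgent plus a re-deploy on SIGINT/SIGTERM, so the defender's first move is to find and remove the LaunchAgent. As an added example (not code from the article or from SentinelOne's report), the following Python audits one LaunchAgent plist for the indicators the article names: the com.google.update label, the GoogIe LLC and CoreKitAgent binary names (the article's spelling uses a capital I where "Google" has an l, which the look-alike check below folds), and a RunAtLoad entry launching from a temporary path. The sample plist, the /Users/victim path, the temporary-path prefixes, and the function names are assumptions constructed for this example.

```python
"""Added example: audit a macOS LaunchAgent plist for the NimDoor indicators the article names."""
import plistlib
from xml.parsers.expat import ExpatError

# Indicators taken from the article: the LaunchAgent label and the two dropped binary names.
SUSPECT_LABEL = "com.google.update"
SUSPECT_BINARIES = ("GoogIe LLC", "CoreKitAgent")
# Prefixes a vendor agent would not normally launch from (assumption made for this example).
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/")

# Constructed sample plist modelled on the article's description; the user path is invented.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.update</string>
  <key>ProgramArguments</key><array><string>/Users/victim/Library/GoogIe LLC</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def looks_like_google_homoglyph(name: str) -> bool:
    """True when a name reads 'Google' only after look-alike characters are folded."""
    # The article spells the binary 'GoogIe': a capital I where 'Google' has a lowercase l.
    folded = name.replace("I", "l").replace("1", "l").replace("0", "o")
    return "google" in folded.lower() and "google" not in name.lower()


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing matched."""
    try:
        agent = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ["plist failed to parse"]
    findings = []
    if agent.get("Label") == SUSPECT_LABEL:
        findings.append(f"label matches NimDoor persistence label {SUSPECT_LABEL!r}")
    args = agent.get("ProgramArguments") or []
    program = str(agent.get("Program") or (args[0] if args else ""))
    base = program.rsplit("/", 1)[-1]  # file name of the launched binary
    if base in SUSPECT_BINARIES:
        findings.append(f"program name matches NimDoor binary {base!r}")
    elif looks_like_google_homoglyph(base):
        findings.append(f"program name {base!r} imitates 'Google' with look-alike characters")
    if agent.get("RunAtLoad") and program.startswith(TEMP_PREFIXES):
        findings.append(f"RunAtLoad agent launches from temporary path {program!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_launch_agent(SAMPLE_PLIST):
        print("FINDING:", finding)
```

Because CoreKitAgent re-deploys on SIGINT and SIGTERM, a responder would unload and delete a LaunchAgent flagged here before stopping the process, and would stop it with SIGKILL, which a process cannot catch.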
Furthermore, upon being terminated, NimDoor decodes and runs a hex-encoded AppleScript that beacons to attacker infrastructure every 30 seconds, exfiltrates system data, and executes remote commands via osascript. In parallel, 'zoom_sdk_support.scpt' triggers a second injection chain involving 'trojan1_arm64', which initiates WSS-based C2 communications and downloads two scripts (upl and tlgrm) that facilitate data theft.

In the case of 'zoom_sdk_support.scpt', researchers noticed an unusually large number of blank lines in the script, a sign of obfuscation. The upl script extracts data from web browsers and grabs the Keychain, .bash_history, and .zsh_history, exfiltrating them with curl to a remote storage location called dataupload[.]store. The tlgrm script focuses on stealing the Telegram database along with .tempkeyEncrypted, likely using those to decrypt messages exchanged by the target.

The overall modularity of NimDoor allows for flexibility and enables the attackers to evolve their toolkit to extend its cross-platform capabilities. The use of novel techniques like signal-based persistence indicates that North Korean threat actors are continually adapting their tactics to evade detection.

As a result of SentinelOne's findings, researchers have provided indicators of compromise for domains, file paths, scripts, and binaries used in NimDoor attacks aimed at stealing cryptocurrency assets and sensitive information. This information is a valuable resource for organizations seeking to protect themselves against this sophisticated malware.

In conclusion, the emergence of NimDoor presents a significant challenge to cybersecurity professionals worldwide. Its sophistication and resilience make it a prime example of how attackers are continually pushing the boundaries of what is thought possible in terms of malware design and evasion techniques. As such, it is essential for organizations to remain vigilant and proactive in their efforts to detect and prevent this type of malicious activity.



Related Information:
  • https://www.ethicalhackingnews.com/articles/NimDoor-A-Sophisticated-macOS-Malware-that-Revives-Itself-When-Killed-ehn.shtml

  • Published: Wed Jul 2 22:09:40 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.