Researchers at Jamf have identified a new macOS malware variant linked to North Korean hackers, specifically the Lazarus Group. This malware is embedded within applications developed using Flutter, an open-source framework by Google, which inherently obfuscates code, making detection and analysis more challenging.
The malware was discovered in late October through VirusTotal, a file analysis service, and was found to have passed Apple's notarization process, a security check intended to ensure that macOS applications are free of known malware. The malicious code was embedded in a clone of the popular game Minesweeper, sourced from a GitHub repository. The malware's infrastructure and techniques closely align with those previously attributed to the Lazarus Group, which is known for financially motivated cyber operations targeting the cryptocurrency sector.
While it’s unclear whether this malware has been actively deployed or is still in the testing phase, its sophistication underscores the evolving tactics of state-sponsored hacking groups. The use of Flutter for malware development is notable due to its cross-platform capabilities and default code obfuscation, which complicates detection and analysis efforts.
This discovery highlights the importance of vigilance among macOS users, especially those involved in cryptocurrency, as they may be prime targets for such advanced threats. It also emphasizes the need for continuous advancements in security measures to counteract the evolving strategies of cyber adversaries.