North Korean hackers are embedding malware within Flutter applications to target macOS devices, according to a new analysis by Jamf.
The security firm said it was the first time it has observed threat actors use the Flutter framework to target macOS.
Flutter is a framework developed by Google to simplify app design for cross-platform applications.
Applications built using Flutter have a uniquely designed layout that provides a large amount of obscurity to the code. This ability to obfuscate by design could help attackers evade cybersecurity defenses.
The domains and techniques in the malware align closely with those used in other Democratic People's Republic of Korea (DPRK) malware.
Read now: North Korean Actor Deploys Novel Malware Campaign Against Crypto Firms
The researchers believe the attackers could be testing a new way of weaponizing malware against macOS. This includes attempting to see if a properly signed app with malicious code obscured within a dylib could get approved by Apple’s notarization server as well as slide under the radar of antivirus vendors. A dylib is a dynamic library that contains declarations and functions referenced by a macOS or iOS application.
“It is not unheard of for actors to embed malware within a Flutter based application, however, this is the first we’ve seen of this attacker using it to go after macOS devices. Although the question remains open on if this was real malware, or a test for a new way to weaponize malware, we remain vigilant in monitoring for further activity by the actor,” the researchers wrote.
Malware Discovered in Three Forms
The discovered malware came in two other forms alongside the Flutter built application. These were a Go variant and a Python variant built with Py2App.
Jamf said the Flutter built application was most notable due to its complexity in reversing.
The Flutter applications created by the malware author were considered to be stage one malware. The researchers identified four infected applications, two of which were signed using a developer signature. Apple subsequently revoked these signatures.
One application was titled New Updates in Crypto Exchange (2024-08-28).app, which was built using Flutter and developed with the Dart programming language.
When executed, the victim is presented with a functional minesweeper game, which appears to be a clone of basic open-source Flutter game on GitHub designed for iOS. The project can be easily cloned and modified to run on macOS.
The researchers discovered the presence of the osascript string, which provides capabilities around AppleScript execution. DPRK hackers have previously been observed adapting to use native AppleScript payloads.
The Golang variant of the malware, titled New Era for Stablecoins and DeFi, CeFi (Protected).app, has similar functionality to the Flutter built application. It invokes osascript to run any AppleScript payload received in the server response.
The Python variant is packaged as a standalone application bundle using Py2App, titled Runner.app. The bundle is signed ad-hoc and launches a functional Notepad application.
The boot script located at Runner.app/Contents/Resources/__boot__.py executes a Python script named notepad_.py. This script leverages tkinter, a built-in Python library for creating GUI applications, for features like opening, editing and saving files.
The variant also uses osascript to execute the server response as AppleScript, allowing the attacker to run arbitrary commands or payloads on the victim’s system.
Image credit: Postmodern Studio / Shutterstock.com