A newly discovered macOS app, attributed to DPRK actors, conceals a stage-one malware payload. The malware hides in how a Flutter application is built: the malicious Dart code is compiled into a dynamic library that the main executable never references directly, which is enough to slip past a cursory review and signature-based detection. The campaign, uncovered by Jamf Threat Labs, fits the established DPRK pattern of social engineering, cryptocurrency-themed lures and obfuscated code aimed at sensitive data.
The actor behind it ships the payload inside Flutter-built applications. Flutter was not designed as an obfuscation tool, but its build output has that effect: the app's logic is compiled from Dart into a separate dynamic library that the Flutter engine loads at runtime, so the main executable shows no direct calls into the malicious code, and the control flow inside the compiled Dart snapshot is opaque to ordinary disassembly.
The findings mark an escalation in how these actors approach macOS: cross-platform tooling, and apps that were signed with a Developer ID and passed Apple's notarization before being caught.
### DPRK Targets macOS Using Flutter-Built Malware
In October, Jamf Threat Labs detected several malware samples uploaded to VirusTotal, a widely used malware analysis platform, that initially evaded detection despite exhibiting malicious behavior. Analysis of these samples pointed toward DPRK actors, with techniques aligning closely with previously observed malware campaigns.
More worrying, some versions had passed Apple's notarization, if only until Apple revoked the certificates, which means the malicious logic was concealed well enough to get through Apple's automated scan.
### Complexity of the Flutter Packaging
The malware was discovered in three different packaging forms: Go, Python, and Flutter. Among these, the Flutter variant stood out due to its complexity in reversing and analysis. Flutter, a cross-platform framework developed by Google, is typically used for consistent app design across platforms like macOS, iOS, and Android. For legitimate developers, Flutter's ability to write once and deploy across multiple platforms saves significant development time and resources, making it an attractive option. These same benefits also appeal to attackers, as they can create malware with broader reach and less effort.
Flutter is widely used by legitimate software (Google Ads and Alibaba both ship Flutter apps), so its presence in a bundle is not itself suspicious. What matters for analysis is how Flutter compiles an application: the Dart source is ahead-of-time compiled into a snapshot that lives inside a dynamic library (dylib). The snapshot does contain native code, but it follows the Dart runtime's own conventions (its own calling convention, an object pool rather than ordinary data references, no conventional symbols for Dart functions), which general-purpose disassemblers and decompilers do not understand. The code is obscure without the author doing anything extra.
In a standard Flutter app the Dart logic lives in the App.framework dylib, which the Flutter engine (FlutterMacOS.framework) loads at runtime; the main executable in Contents/MacOS is a thin launcher that never references the app-logic dylib by name. An analyst who opens the main executable therefore sees almost nothing, and the code that matters sits one layer removed. The layout exists for portability, but it works just as well for hiding malicious logic.
![Flutter Layout](https://sb-cms.s3.ap-south-1.amazonaws.com/flutter_0c0702e574.jpg)
***Flutter Layout (Source: Jamf)***
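The layout above can be checked mechanically. The script below is an added example (not Jamf's tooling): it walks an .app bundle, finds the engine framework and the app-logic dylib, and scans that dylib for the Dart AOT snapshot symbol names. Every Flutter AOT build exports those symbols, so a hit means "this is a Flutter app; the logic is in App.framework, not in Contents/MacOS", not "this is malware". On macOS it also asks `codesign` and `spctl` whether the bundle's signature and notarization are still accepted; elsewhere that step is skipped. The bundle path is whatever you pass on the command line.

```python
"""Triage a macOS .app bundle for the Flutter layout described above.

Added example, not Jamf's tooling. Locates the Flutter engine framework and
the app-logic dylib, scans the dylib for the Dart AOT snapshot symbol names,
and (on macOS only) reports the current codesign/spctl verdict.
"""
from __future__ import annotations

import json
import shutil
import subprocess
import sys
from pathlib import Path

# The four symbols the Flutter engine resolves from the app dylib at runtime.
DART_SNAPSHOT_SYMBOLS = (
    b"_kDartVmSnapshotData",
    b"_kDartVmSnapshotInstructions",
    b"_kDartIsolateSnapshotData",
    b"_kDartIsolateSnapshotInstructions",
)
# Mach-O magics: 64-bit little-endian, 64-bit big-endian, fat/universal.
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe"}


def is_macho(path: Path) -> bool:
    try:
        with path.open("rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def dart_symbols_in(path: Path) -> list[str]:
    """Which Dart snapshot symbol names appear in the file's bytes.

    The names are stored as C strings in the symbol table, so a byte scan
    works without `nm` and survives stripping (the engine has to dlsym them).
    """
    data = path.read_bytes()
    return [s.decode() for s in DART_SNAPSHOT_SYMBOLS if s in data]


def triage_bundle(app: str | Path) -> dict:
    app = Path(app)
    frameworks = app / "Contents" / "Frameworks"
    macos_dir = app / "Contents" / "MacOS"
    report = {
        "flutter_engine": (frameworks / "FlutterMacOS.framework").is_dir(),
        "app_dylib": None,
        "dart_symbols": [],
        "main_executables": [],
    }
    if frameworks.is_dir():
        for p in sorted(frameworks.rglob("*")):
            # The engine itself is not the app logic; skip it. Scan every
            # other Mach-O in case App.framework was renamed.
            if "FlutterMacOS.framework" in p.parts or not p.is_file() or not is_macho(p):
                continue
            syms = dart_symbols_in(p)
            if syms:
                report["app_dylib"] = p.relative_to(app).as_posix()
                report["dart_symbols"] = syms
                break
    if macos_dir.is_dir():
        report["main_executables"] = sorted(
            p.name for p in macos_dir.iterdir() if p.is_file() and is_macho(p)
        )
    report["is_flutter"] = report["flutter_engine"] or bool(report["dart_symbols"])
    return report


def signing_status(app: str | Path) -> dict | None:
    """macOS only (returns None elsewhere). `spctl -a -t exec` accepts a
    notarized app ("source=Notarized Developer ID") and rejects it once Apple
    revokes the certificate or notarization ticket, which is the state the
    revoked samples were in at discovery."""
    if shutil.which("codesign") is None or shutil.which("spctl") is None:
        return None
    cs = subprocess.run(["codesign", "-dvv", str(app)], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "-a", "-t", "exec", "-vv", str(app)],
                        capture_output=True, text=True)
    return {
        "codesign": cs.stderr.strip(),  # codesign reports on stderr
        "spctl": (sp.stdout + sp.stderr).strip(),
        "accepted": sp.returncode == 0,
    }


if __name__ == "__main__":
    for target in sys.argv[1:]:
        result = {"bundle": target, **triage_bundle(target), "signing": signing_status(target)}
        print(json.dumps(result, indent=2))
```

Run it as `python3 triage.py "/path/to/Suspect.app"`. A report with `is_flutter` true and an `app_dylib` path tells you where to point Dart-aware tooling; an `accepted` of false from `spctl` on a bundle that was once notarized is the revocation the report describes.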
### Anatomy of the Discovered Malware
The identified malware functions as a stage-one payload: the initial component in a multi-stage attack whose job is to establish a foothold, gather information and fetch whatever comes next. Jamf found six infected applications; five had been signed with Apple Developer ID certificates, all of which Apple had revoked by the time of discovery. One such app, titled _"New Updates in Crypto Exchange,"_ presented itself as a working minesweeper game. On execution, however, it made a network request to a domain (_mbupdate[.]linkpc[.]net_) previously linked to DPRK malware campaigns.
The malicious code sits inside the pre-compiled Dart snapshot, where ordinary decompilers do not reach; pulling it apart requires Dart-specific tooling and an understanding of the extra abstraction layer Dart introduces. Further investigation showed that the app executes whatever AppleScript the remote server returns. That gives the operator arbitrary control over the host: launching applications, changing settings or downloading further components is a matter of what script the server sends, so the stage-one binary's capabilities are bounded by the operator's intent rather than by its own code.
### Golang and Python Variants
In addition to the Flutter version, Jamf Threat Labs also [identified](https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/) Go and Python variants of the malware. The [Golang](https://www.secureblink.com/cyber-security-news/chinese-hackers-dragon-spark-use-golang-to-launch-espionage-attacks) variant, similarly signed and notarized by Apple, mirrored the network request and payload execution seen in the Flutter version.
Both made HTTPS requests to command-and-control servers and executed the returned payload through the same scripting route. Building the same tool in Go, Python and Flutter shows the attackers' willingness to move across ecosystems, and it has a practical cost for defenders: each variant needs its own analysis tooling and expertise, and a signature written for one does not match the others.
![Trojanized Minesweeper app with its code signature](https://sb-cms.s3.ap-south-1.amazonaws.com/signed_6f8ba5bc61.jpg)
***Trojanized Minesweeper (Source: Jamf)***
The Python variant, packaged as a standalone application with py2app, presented itself as a working notepad app while the embedded Python script fetched and executed commands from a remote server. The consistent use of `osascript` across all three variants shows a preference for native macOS features over bundled tooling: `osascript` is an Apple-signed binary shipped with every Mac, so its execution is routine, it needs no additional payload on disk, and it does not trip signature-based defenses.
`osascript` has been used in earlier macOS malware for the same reason: it runs AppleScript (or JavaScript for Automation) handed to it inline or on stdin, so the only artifact is a legitimate Apple process executing, and traditional antivirus has no malicious file to scan. Because the binary itself cannot be blocked, detection has to come from context: which process spawned it, from where, and where the script came from.
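The context-based detection just described, as an added example that is not part of the Jamf report. The events are constructed to resemble a process-exec feed (an EDR built on Apple's Endpoint Security framework emits similar fields); the field names, signing identifiers and the `/Applications/ConstructedLauncher.app` path are this example's own, and the assumption that the trojan pipes the server's AppleScript to `osascript` over stdin is also this example's, not a detail the report gives.

```python
"""Score osascript executions by context rather than by the binary itself.

Added example, not Jamf detection content. /usr/bin/osascript is an
Apple-signed platform binary, so the signals are: who spawned it, whether
that parent is a GUI app bundle, whether the script was supplied inline or
on stdin (nothing on disk), and whether the parent talked to the network
first. Sample events below are constructed, not real telemetry.
"""

APPLE_PLATFORM_DIRS = ("/System/", "/usr/bin/", "/usr/libexec/", "/usr/sbin/", "/bin/", "/sbin/")
ALERT_THRESHOLD = 3


def is_apple_platform_binary(path: str, signing_id: str) -> bool:
    """Apple's own tools live under protected system paths and carry a
    com.apple.* signing identifier; anything else is third-party code."""
    return path.startswith(APPLE_PLATFORM_DIRS) and signing_id.startswith("com.apple.")


def script_source(argv: list) -> str:
    """Where osascript gets its script: inline (-e), a file, or stdin.
    Inline and stdin scripts leave nothing on disk for a later forensic pass."""
    if "-e" in argv:
        return "inline"
    positional = [a for a in argv[1:] if not a.startswith("-")]
    return "file" if positional else "stdin"


def evaluate(event: dict) -> tuple:
    """Score one process-exec event; returns (score, reasons)."""
    if event["path"] != "/usr/bin/osascript":
        return 0, []
    parent = event["parent"]
    reasons = []
    if not is_apple_platform_binary(parent["path"], parent["signing_id"]):
        reasons.append(f"osascript spawned by third-party parent {parent['path']}")
    if ".app/Contents/MacOS/" in parent["path"]:
        reasons.append("parent is a GUI app bundle rather than a shell or automation tool")
    src = script_source(event["argv"])
    if src != "file":
        reasons.append(f"script supplied via {src}; nothing written to disk")
    if parent.get("network_before_exec"):
        reasons.append("parent made an outbound connection before spawning osascript")
    return len(reasons), reasons


def alerts(events: list) -> list:
    """Events scoring at or above ALERT_THRESHOLD, as (id, score, reasons)."""
    out = []
    for e in events:
        score, reasons = evaluate(e)
        if score >= ALERT_THRESHOLD:
            out.append((e["id"], score, reasons))
    return out


# Constructed sample events (not real telemetry). Signing IDs are made up.
CONSTRUCTED_EVENTS = [
    {   # an admin's shell one-liner: common, benign, must not alert
        "id": "admin-inline",
        "path": "/usr/bin/osascript",
        "argv": ["osascript", "-e", 'display notification "backup done"'],
        "parent": {"path": "/bin/bash", "signing_id": "com.apple.bash"},
    },
    {   # a legitimate third-party app running a script bundled with it
        "id": "third-party-file",
        "path": "/usr/bin/osascript",
        "argv": ["osascript", "/Applications/ConstructedLauncher.app/Contents/Resources/tidy.scpt"],
        "parent": {"path": "/Applications/ConstructedLauncher.app/Contents/MacOS/ConstructedLauncher",
                   "signing_id": "com.example.constructed.launcher"},
    },
    {   # the pattern from the report: a downloaded game contacts its C2,
        # then (assumed here) feeds the returned AppleScript to osascript on stdin
        "id": "trojan-stdin",
        "path": "/usr/bin/osascript",
        "argv": ["osascript"],
        "parent": {"path": "/Users/victim/Downloads/New Updates in Crypto Exchange (2024-08-28).app"
                           "/Contents/MacOS/New Updates in Crypto Exchange",
                   "signing_id": "com.example.constructed.minesweeper",
                   "network_before_exec": True},
    },
]

if __name__ == "__main__":
    for event_id, score, reasons in alerts(CONSTRUCTED_EVENTS):
        print(f"ALERT {event_id} (score {score})")
        for r in reasons:
            print(f"  - {r}")
```

The threshold is deliberately above the score a legitimate app earns for running its own bundled script (two signals), so only the combination of third-party GUI parent, script-from-nowhere and prior network activity alerts. In a real deployment the `network_before_exec` enrichment would come from correlating the parent's connection events in the preceding seconds.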
### A New Testing Ground for Future Attacks?
The findings suggest that this campaign could be a test run for larger attacks to follow. The combination of working, legitimate-looking applications, valid developer accounts and framework-induced obfuscation points to a deliberate effort to see which security measures the packaging gets past, in effect a probe of macOS's security architecture for weaknesses worth exploiting later. DPRK's history of sophisticated social engineering makes the prospect of these tools maturing a real concern.
The mismatch between what these apps were named and what they did (the names promise ordinary functionality while the code reaches out to a known DPRK domain) reads as an experiment in whether Apple's notarization process would accept an app whose malicious components were carefully concealed. Flutter as a delivery mechanism is also new for DPRK actors, a sign of their willingness to try different frameworks to get around defenses.
### Conclusion and Implications for macOS Security
The discovery of DPRK-backed malware packaged as Flutter applications and aimed at macOS users highlights how the threat landscape is evolving: attackers are exploiting legitimate development frameworks for the obfuscation they provide for free and getting the result through Apple's notarization. Whether this campaign was meant for broad deployment or was a proof of concept is still unclear, but it argues for more vigilance and stronger macOS defenses. Concretely: treat a Developer ID signature and a notarization ticket as necessary rather than sufficient, invest in behavioral detection through an EDR (CrowdStrike Falcon, Microsoft Defender for Endpoint) with rules for a GUI app spawning `osascript`, and hunt in SIEM or EDR telemetry (Splunk, Carbon Black) for the process and network patterns these samples exhibit.
Jamf Threat Labs remains committed to monitoring and analyzing further developments in this campaign, ensuring that macOS users are well-protected against emerging threats.
### Indicators of Compromise (IOCs)
The following domains, signatures, and application identifiers have been flagged as part of this investigation:
- Domain: mbupdate[.]linkpc[.]net
- Applications: "New Updates in Crypto Exchange (2024-08-28).app"
- Malware signatures: a Flutter app-logic dylib containing Dart snapshots (symbols such as _kDartVmSnapshotData and _kDartIsolateSnapshotInstructions). Note that these symbols are present in every Flutter AOT build, so on their own they identify a Flutter app, not malware; use them to locate the code to analyze, and pair them with the domain and application names above before raising an alert.
For detailed technical insights and mitigations, see the Jamf Threat Labs report linked above.