North Korean hackers caught spreading new macOS malware that antiviruses can’t see

November 13, 2024

Detail

This time the reported malware targets macOS only. It was found on the VirusTotal service, where people check files for viruses. Strangely, the infected programs were marked as “clean”. The malicious code was written in three versions: in Go, in Python and using the Flutter open source software framework, 24 Channels reports, citing a CyberScoop report.

Flutter is a framework from Google that allows developers to build apps for iOS, Android and other platforms from a single code base written in Dart. Flutter is popular for its cross-platform simplicity, but its design also makes it a dream tool for attackers, because the internal code structure makes it very difficult to analyze the “guts” of a finished application. This means hackers can more easily inject and hide malicious code without being immediately detected by security researchers.

In one case, the malware posed as a simple Minesweeper game copied directly from GitHub, with the malicious code hidden in a dylib. This code tried to connect to a command-and-control (C2) server at mbupdate[.]linkpc[.]net, a domain name linked to previous North Korean malware.

When researchers discovered the campaign, the server was down and only returned a “404 Not Found” error, so the attack appears to have been either completed or not yet fully deployed. But the malware was cunning enough to pass Apple’s verification process, so macOS security systems treat it as safe.


Minesweeper game where malicious code is hidden / Screenshot 24 Kanal/CyberScoop

The malware was configured to execute AppleScript commands sent from the server, and the commands were even delivered reversed to avoid detection. Tests confirmed that the malware was able to remotely execute any AppleScript command sent by the C2 server. This could give the hackers full control if the attack happened in real time.
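One defender-side heuristic for the reversed-AppleScript trick described above, written as an added example that is not from the article or from the researchers’ tooling: it scores a candidate string both forwards and reversed against a small list of AppleScript markers and flags payloads that only look like AppleScript once reversed. The marker list, threshold and sample strings are constructed assumptions, not indicators from the campaign.

```python
# Markers that commonly appear in AppleScript source.
# Assumption: a small illustrative list, not an exhaustive grammar.
APPLESCRIPT_MARKERS = (
    "tell application",
    "do shell script",
    "osascript",
    "end tell",
    "display dialog",
)


def applescript_score(text: str) -> int:
    """Count how many AppleScript markers occur in text (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for marker in APPLESCRIPT_MARKERS if marker in lowered)


def classify_payload(text: str, threshold: int = 1) -> str:
    """Return 'plain', 'reversed' or 'none'.

    'reversed' means the string scores as AppleScript only after being
    reversed, which is the evasion pattern described in the article.
    """
    forward = applescript_score(text)
    backward = applescript_score(text[::-1])
    if forward >= threshold and forward >= backward:
        return "plain"
    if backward >= threshold:
        return "reversed"
    return "none"


# Constructed sample strings, standing in for e.g. `strings` output from a
# binary or a captured C2 response. None of these are real indicators.
SAMPLES = [
    'tell application "Finder" to display dialog "hi"',
    'tell application "Finder" to display dialog "hi"'[::-1],
    "Minesweeper high score table",
]


def scan(samples=SAMPLES):
    """Classify each sample; returns (preview, verdict) pairs for triage."""
    return [(s[:32], classify_payload(s)) for s in samples]


if __name__ == "__main__":
    for preview, verdict in scan():
        print(f"{verdict:8s} {preview!r}")
```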

So far this looks like a test run. Researchers suspect that the purpose of this program is not to attack users. Apparently, with the help of Minesweeper, the North Korean hackers are testing ways to use malware to bypass Apple’s defenses, then applying this experience in other programs and sending infected applications to the right people.

Flutter itself is not malicious, but it is deliberately designed to hide code details. It is a reminder of how attackers are getting smarter, using common developer tools in new ways to hide their intentions.

Source: 24 Tv
