
NimDoor Strikes: DPRK's Nim-based macOS Malware Hits Crypto/Web3
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands with arguments that may be used to collect Keychain data from a system to acquire credentials. Analytic 1 - Commands indicating credential searches in Keychain: `index=security sourcetype="macos_secure" (event_type="process" AND command IN ("security dump-keychain", "security find-generic-password", "security find-internet-password", "security unlock-keychain"))` |
| | | | Monitor for Keychain files being accessed that may be related to malicious credential collection. Analytic 1 - Unauthorized access to Keychain files: `index=security sourcetype="macos_secure" (event_type="file_open" AND file_path IN ("~/Library/Keychains/*", "/Library/Keychains/*", "/Network/Library/Keychains/*"))` |
| | | | Monitor for Keychain Services API calls, specifically legacy extensions such as SecKeychainFindInternetPassword, that may collect Keychain data from a system to acquire credentials.[15] Analytic 1 - Suspicious Keychain API calls: `index=security sourcetype="macos_secure" (event_type="api_call" AND api IN ("SecKeychainCopySearchList", "SecKeychainFindGenericPassword", "SecKeychainFindInternetPassword", "SecKeychainOpen", "SecKeychainCopyDefault", "SecItemCopyMatching"))` |
| | | | Monitor processes spawned by command line utilities that manipulate keychains directly, such as `security`, combined with arguments used to collect passwords, such as `dump-keychain -d`. Analytic 1 - New processes with parameters indicating attempts to manipulate keychains. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. On ESXi servers, monitor discovery commands in the `/var/log/shell.log` history file. |
| | | | Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations. |
| | | | Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. |
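The following is an added example, not code from the original page or from any vendor's detection content. It applies the Keychain analytics from the first table (process command lines, Keychain file opens, Keychain Services API calls) and the system-discovery guidance from the second table to constructed JSON event lines, standing in for the Splunk searches so the matching logic can be run offline. Two assumptions are made: the analytic's `~/Library/Keychains/` path is expanded to a `/Users/*/Library/Keychains/*` glob, since logged file paths are absolute and a literal `~` would never match; and because the page names no specific discovery commands, a short list of common macOS ones (`sw_vers`, `uname`, `system_profiler`, `sysctl`, `hostinfo`) is assumed. The event field names (`event_type`, `command`, `file_path`, `api`) follow the page's queries.

```python
import fnmatch
import json
import os
from typing import Optional

# Conditions copied from the Keychain analytics in the table above.
KEYCHAIN_COMMANDS = (
    "security dump-keychain",
    "security find-generic-password",
    "security find-internet-password",
    "security unlock-keychain",
)
# The analytic writes "~/Library/Keychains/"; logged paths are absolute, so the
# user-home form is expanded here to a /Users/*/ glob (assumed home layout).
KEYCHAIN_PATHS = (
    "/Users/*/Library/Keychains/*",
    "/Library/Keychains/*",
    "/Network/Library/Keychains/*",
)
KEYCHAIN_APIS = frozenset({
    "SecKeychainCopySearchList",
    "SecKeychainFindGenericPassword",
    "SecKeychainFindInternetPassword",
    "SecKeychainOpen",
    "SecKeychainCopyDefault",
    "SecItemCopyMatching",
})
# Assumption: the page names no specific discovery commands; these are common
# macOS binaries that report OS version and hardware details.
DISCOVERY_COMMANDS = frozenset({"sw_vers", "uname", "system_profiler", "sysctl", "hostinfo"})


def normalize_command(command: str) -> str:
    """Drop the executable's directory so '/usr/bin/security x' == 'security x'."""
    tokens = command.split()
    if not tokens:
        return ""
    tokens[0] = os.path.basename(tokens[0])
    return " ".join(tokens)


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one parsed event, or None if nothing matched."""
    event_type = event.get("event_type")
    if event_type == "process":
        command = normalize_command(event.get("command", ""))
        if any(command.startswith(prefix) for prefix in KEYCHAIN_COMMANDS):
            return "keychain_command"
        if command.split(" ", 1)[0] in DISCOVERY_COMMANDS:
            return "system_discovery_command"
    elif event_type == "file_open":
        path = event.get("file_path", "")
        if any(fnmatch.fnmatchcase(path, pattern) for pattern in KEYCHAIN_PATHS):
            return "keychain_file_access"
    elif event_type == "api_call":
        if event.get("api") in KEYCHAIN_APIS:
            return "keychain_api"
    return None


def detect(lines) -> list:
    """Parse JSON event lines and return one alert dict per matching event."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole batch
        label = classify(event)
        if label:
            alerts.append({"label": label, "user": event.get("user"), "event": event})
    return alerts


# Constructed sample events (not real telemetry); one malformed line included.
SAMPLE_LINES = [
    '{"event_type":"process","user":"alice","command":"security dump-keychain -d /Users/alice/Library/Keychains/login.keychain-db"}',
    '{"event_type":"process","user":"alice","command":"/usr/bin/security find-generic-password -s wallet"}',
    '{"event_type":"process","user":"alice","command":"ls -la /tmp"}',
    '{"event_type":"file_open","user":"alice","file_path":"/Users/alice/Library/Keychains/login.keychain-db"}',
    '{"event_type":"file_open","user":"alice","file_path":"/Users/alice/Documents/notes.txt"}',
    '{"event_type":"api_call","user":"alice","api":"SecItemCopyMatching"}',
    '{"event_type":"api_call","user":"alice","api":"SecItemAdd"}',
    '{"event_type":"process","user":"alice","command":"sw_vers -productVersion"}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert["label"], "->", alert["event"])
```

Prefix matching on the normalized command line is what keeps `/usr/bin/security dump-keychain` and `security dump-keychain -d ...` in the same bucket; an exact `IN` list, as written in the page's query, only fires when the full command line equals one of the four strings. The discovery rule is noisy by design, as the table itself notes, so in practice it is worth tuning by parent process or user rather than alerting on every `uname` call.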