HIGHNOON.BIN
⚠️ Overview
HIGHNOON.BIN is the name FireEye used in its August 2019 APT41 report for a 64-bit variant of HIGHNOON, a Windows backdoor of the Chinese state-sponsored group APT41; it is not a macOS threat. The tradecraft that the sources compiled on this page attach to the name, trojanised cryptocurrency trading applications such as UnionCryptoTrader delivered to employees of cryptocurrency exchanges and blockchain companies, belongs instead to the AppleJeus campaign of the Lazarus Group (Hidden Cobra; its financially motivated arm is tracked as APT38), a North Korean state-sponsored actor whose trojanised trading apps have been publicly documented since 2018. The rest of this entry should therefore be read as a description of that Lazarus macOS backdoor and infostealer: a Remote Access Trojan (RAT) with credential- and wallet-stealing functions, written in Objective-C, compiled as a Mach-O binary and carried inside a legitimate-looking trading application.
🔧 Technical Capabilities
The malware does not propagate on its own; every infection starts with social engineering. Victims either receive a spear-phishing email carrying a macOS .dmg or .pkg installer for the trojanised trading app, or are approached on LinkedIn with a fake job offer and talked into installing it. Persistence is achieved through launchd: the installer drops a property list into ~/Library/LaunchAgents (or, when it runs with root privileges, as UnionCryptoTrader's postinstall script did, into /Library/LaunchDaemons) so the backdoor starts at every login or boot. Command-and-control (C2) runs over HTTPS with a custom, JSON-formatted message exchange designed to blend into ordinary web traffic; the compiled sources list C2 domains that impersonate cryptocurrency services, such as coinbase-api[.]com. The applications were signed with valid Apple Developer ID certificates that the attackers had obtained, which is why Gatekeeper allowed them to run; a self-signed certificate would not pass Gatekeeper, so a signer that does not match the purported vendor is itself a warning sign. Anti-analysis checks look for an attached debugger (the P_TRACED flag that sysctl returns for the process) and for virtual-machine artefacts. Once running, it can exfiltrate browser-stored passwords, cryptocurrency wallet files, screenshots and keystrokes. It has no lateral-movement or worm functionality; the damage is confined to data theft from the host it runs on.
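One way to sweep a fleet for the launchd persistence described above, as an added example in Python (my code, not from any of the compiled sources or vendors): it parses every job plist with the standard library and scores the traits just listed. The scoring thresholds and the trusted-path list are my own assumptions, and the two plists the demo writes are constructed; the label com.apple.updater and the AppleSystemHealth path are the ones this page reports.

```python
"""Triage launchd jobs for the persistence pattern described above.

Added example; not code from the compiled sources or from any vendor.
Apple-looking labels in user-writable directories, RunAtLoad/KeepAlive, and
programs living outside normal install locations are the traits scored.
"""
import plistlib
import tempfile
from pathlib import Path

# Assumed trusted install locations; tune to your own software inventory.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def launchd_dirs():
    """Directories launchd loads user- or installer-written jobs from."""
    return [
        Path.home() / "Library" / "LaunchAgents",
        Path("/Library/LaunchAgents"),
        Path("/Library/LaunchDaemons"),
    ]


def program_of(job):
    """Executable a job runs: the Program key wins, else argv[0] of ProgramArguments."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(job):
    """Return the suspicious traits found in one launchd job dictionary (may be empty)."""
    findings = []
    program = program_of(job)
    # Apple's own jobs ship under /System, which is read-only; a com.apple.*
    # label in any of the scanned directories was put there by something else.
    if str(job.get("Label", "")).startswith("com.apple."):
        findings.append("apple-label-in-writable-dir")
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        findings.append("runs-at-login")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append("program-outside-trusted-paths")
    if "/Library/Application Support/" in program or program.startswith(TEMP_PREFIXES):
        findings.append("program-in-data-or-temp-dir")
    return findings


def is_flagged(findings):
    """Assumed threshold: a masquerading label or an unparseable file is enough on
    its own; otherwise three weaker traits together (legitimate updaters often show one or two)."""
    return ("apple-label-in-writable-dir" in findings
            or "unparseable-plist" in findings
            or len(findings) >= 3)


def scan_dir(directory):
    """Map plist file name -> findings for every job in a directory. Files that fail
    to parse are reported too: a broken plist beside a working one is often installer debris."""
    results = {}
    directory = Path(directory)
    if not directory.is_dir():
        return results
    for path in sorted(directory.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                findings = assess(plistlib.load(fh))
        except Exception:  # InvalidFileException, ExpatError, OSError: any parse failure
            findings = ["unparseable-plist"]
        if findings:
            results[path.name] = findings
    return results


def demo():
    """Constructed sample directory: one ordinary vendor agent and one job carrying the
    label and path this page reports. Returns scan_dir's result for it."""
    benign = {
        "Label": "com.example.updater",
        "Program": "/Applications/Example.app/Contents/MacOS/updater",
        "RunAtLoad": True,
    }
    suspicious = {
        "Label": "com.apple.updater",
        "ProgramArguments": ["/Users/victim/Library/Application Support/AppleSystemHealth/AppleSystemHealth"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in (("com.example.updater.plist", benign), ("com.apple.updater.plist", suspicious)):
            with (Path(tmp) / name).open("wb") as fh:
                plistlib.dump(job, fh)
        return scan_dir(tmp)


if __name__ == "__main__":
    for d in launchd_dirs():
        for name, findings in scan_dir(d).items():
            if is_flagged(findings):
                print(f"{d / name}: {', '.join(findings)}")
    print("demo:", demo())
```

Run it as the logged-in user to cover ~/Library/LaunchAgents, and again as root for the system directories; on a fleet, ship the flagged (path, findings) pairs to your SIEM rather than the full list, since the single-trait hits are mostly vendor updaters.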
📜 History & Notable Incidents
The compiled sources date first observation to April 2021, but the AppleJeus campaign that delivers trojanised trading apps to exchange staff has been publicly documented since Kaspersky's August 2018 report, and UnionCryptoTrader itself was analysed in December 2019. The LinkedIn recruitment lure belongs to Operation Dream Job, a Lazarus operation reported by ClearSky in August 2020 (not by Volexity in 2021). The sources also report the compromise of at least three cryptocurrency exchanges in 2021, with theft of private keys and subsequent wallet draining, but do not name the victims. No CVE is associated with the malware: it exploits no software vulnerability and relies instead on a validly signed installer and the user's willingness to run it. In February 2021 (not 2023) the U.S. Department of Justice unsealed an indictment against three North Korean military intelligence officers for Lazarus campaigns that included the AppleJeus trading applications.
🔍 Detection Indicators
The SHA-256 value given in the compiled sources, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the SHA-256 digest of empty input (zero bytes). It cannot identify any file and must not be loaded into a blocklist; treat it as a transcription error and take sample hashes from a primary source. Behavioural indicators reported for the macOS variant are a LaunchAgent plist named com.apple.updater.plist (Apple's own agents live under /System, so a com.apple.* label in a user-writable LaunchAgents directory is a strong signal), executables under ~/Library/Application Support/ with names like AppleSystemHealth, and HTTPS connections to domains such as coinbase-api[.]com and blockchain-sync[.]com. The reported User-Agent string, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36, is the first half of an ordinary macOS browser string; only an exact match on that truncated value is meaningful, because a prefix match would hit every Mac browser on the network. macOS has no registry; persistence artefacts live in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.
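Before the indicators above go into a blocklist or a hunt, a practitioner would sanity-check them and then match them against proxy logs with the exact-UA caveat applied. The following Python is an added example (my code, not from the compiled sources): the log lines are constructed, the log layout is assumed, and the indicator values are the ones this page quotes rather than a vendor feed. The hash check rejects the empty-input digest, and the domain normaliser also repairs the hyphen look-alikes that copying indicators out of PDFs and web pages tends to introduce.

```python
"""Sanity-check the indicators listed above and hunt for them in proxy logs.

Added example; the log lines are constructed, and the indicator values are
the ones this page quotes rather than a vendor feed.
"""
import hashlib
import re

PAGE_DOMAINS = ["coinbase-api[.]com", "blockchain-sync[.]com"]
PAGE_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
PAGE_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Digests of zero bytes turn up in indicator lists whenever a hashing step ran on
# a missing file; none of them can ever match a real sample.
EMPTY_INPUT_HASHES = {h(b"").hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}

# Assumed log layout (constructed): time src method host[:port][/path] status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

SAMPLE_LOG = """\
2021-04-12T09:15:02Z 10.0.3.14 CONNECT coinbase-api.com:443 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
2021-04-12T09:15:09Z 10.0.3.14 GET api.coinbase.com/v2/prices 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
2021-04-12T09:16:40Z 10.0.3.22 CONNECT sync.blockchain-sync.com:443 200 "curl/7.64.1"
2021-04-12T09:17:01Z 10.0.3.30 GET www.apple.com/ 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
"""


def normalize_domain(ioc):
    """Undo defanging ([.] (.) hxxp://) and the hyphen look-alikes that copy/paste
    from PDFs and web pages leaves behind, then drop any path."""
    d = ioc.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    for dash in ("\u2010", "\u2011", "\u2012", "\u2013"):
        d = d.replace(dash, "-")
    for bracket in ("[.]", "(.)", "{.}", "[dot]"):
        d = d.replace(bracket, ".")
    return d.split("/")[0]


def validate_hash(value):
    """(ok, reason): reject anything that is not a hex MD5/SHA-1/SHA-256, or that is
    the digest of empty input."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", h):
        return False, "not a hex MD5/SHA-1/SHA-256 digest"
    if h in EMPTY_INPUT_HASHES:
        return False, "digest of empty input; cannot identify a sample"
    return True, "ok"


def host_of(target):
    """Strip path and port from the request target."""
    return target.split("/")[0].split(":")[0].lower()


def domain_hit(host, domains):
    """Exact match or subdomain of a listed domain (C2 often rotates hostnames)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(log_text, domains, ua):
    """Return one hit per matching log line with the reasons it matched."""
    domains = [normalize_domain(d) for d in domains]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, _method, target, _status, agent = m.groups()
        reasons = []
        if domain_hit(host_of(target), domains):
            reasons.append("domain")
        # The reported UA is the first half of a normal macOS browser string. A prefix
        # match would flag every Mac browser; only the exact truncated value is telling.
        if agent == ua:
            reasons.append("user-agent-exact")
        if reasons:
            hits.append({"time": ts, "src": src, "host": host_of(target), "reasons": reasons})
    return hits


if __name__ == "__main__":
    print("hash check:", validate_hash(PAGE_HASH))
    for hit in hunt(SAMPLE_LOG, PAGE_DOMAINS, PAGE_UA):
        print(hit)
```

On the constructed log the second line (a real Chrome user agent talking to api.coinbase.com) produces no hit, which is the point of matching the UA exactly rather than by prefix; the last line shows that a UA-only hit still needs a host-level follow-up before it is treated as C2.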
☠️ Risk & Impact
The primary damage is exfiltration of cryptocurrency wallet private keys, browser credentials and sensitive business documents. Once a private key has left the host the attacker can drain the wallet without any further interaction with the victim, which is why losses per incident are typically reported in the millions of dollars. Affected sectors are cryptocurrency exchanges, blockchain start-ups and decentralised finance (DeFi) platforms. The Lazarus Group has been linked to cumulative cryptocurrency thefts that public estimates put above $2.5 billion, with the trojanised-trading-app intrusions accounting for a share of the targeted breaches.
🛡️ Mitigation
Enforce Gatekeeper and require notarisation for all software; before running a downloaded installer, assess it with spctl --assess --type execute -v (or --type install for a .pkg), verify it with codesign --verify --deep --strict -v, and compare the Developer ID team shown by codesign -dv with the vendor you expect, since an unfamiliar team name on a trading app is a red flag. Deploy endpoint detection and response (EDR) with behavioural analysis (SentinelOne and CrowdStrike are examples) and alert on new launchd jobs appearing in user-writable directories. Block outbound HTTPS to known malicious domains at the proxy or DNS layer, and where practical restrict finance workstations to an allow-list of exchange and vendor domains. Keep signing keys off general-purpose workstations: hardware wallets or multi-signature custody limit what a stolen wallet file is worth, whereas multi-factor authentication (MFA) on an exchange login does nothing for a private key that has already been copied. Finally, train staff to treat unsolicited job offers and unofficial trading-app downloads, the two lures this campaign uses, as hostile until verified through an independent channel.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.