DPRK DriverEasy & ChromeUpdate Deep Dive
2025-02-19 • Kandji •
Kandji analyzes DriverEasy.app, a Swift and Objective-C macOS application that the source attributes to North Korea's Contagious Interview activity. The app masquerades as a Google Chrome or other Google-branded prompt, first requests microphone permission, then shows a fake authentication dialog whose NSSecureTextField captures the user's password. The malware then uploads the captured password through the Dropbox API, matching behavior seen in the related ChromeUpdate and CameraAccess samples. The analysis highlights reusable Swift string handling, prompt construction, ad hoc code signing, and the social-engineering tradecraft shared across DPRK-linked macOS interview-lure malware.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | api.ipify.org | 2019-12-11 | 2026-03-17 |
| URL | https://content.dropboxapi.com/… | 2018-09-21 | 2025-09-03 |
| URL | https://api.ipify.org | 2025-02-03 | 2025-08-28 |
| HASH | b72653bf747b962c67a5999afbc1d91… | 2025-01-05 | 2025-08-25 |
| HASH | e1bdb6a878dc5a81a74f7178259571d… | 2025-02-19 | 2025-02-19 |
| HASH | 8df4d196cea4b10fe5b3e3086a9b0e3… | 2025-02-19 | 2025-02-19 |
| HASH | 3c4becde20e618efb209f97581e9ab6… | 2025-02-04 | 2025-02-19 |
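The behavior described above (a password-capture field, a Dropbox upload, an ad hoc signature) and the network IOCs in the table combine into a usable triage check for hunting similar bundles. The script below is an added example written for this page, not Kandji's code or the malware's: it scores the output of `strings` and `codesign -dvv` for that combination. The marker weights and verdict thresholds are assumptions made for the example, the sample strings and codesign output are constructed to mimic such a bundle, and only the hosts from the IOC table are used because the listed hashes are truncated.

```python
"""Triage heuristic for the DriverEasy / ChromeUpdate pattern (added example)."""
import re
import subprocess
from pathlib import Path
from urllib.parse import urlparse

# Network IOCs taken from the table on this page (hosts only).
IOC_HOSTS = frozenset({"api.ipify.org", "content.dropboxapi.com"})

# Behavioral markers from the write-up. Weights are an assumption for this
# example, not a published scoring scheme.
MARKERS = {
    "password_field": (re.compile(r"\bNSSecureTextField\b"), 3),
    "dropbox_host":   (re.compile(r"content\.dropboxapi\.com"), 3),
    "ip_lookup":      (re.compile(r"api\.ipify\.org"), 1),
    "google_lure":    (re.compile(r"Google Chrome", re.I), 1),
    "mic_prompt":     (re.compile(r"NSMicrophoneUsageDescription"), 1),
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_hosts(strings):
    """Return the lower-cased hostnames found in URL-like strings."""
    hosts = set()
    for s in strings:
        for url in URL_RE.findall(s):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def is_adhoc_signed(codesign_output):
    """True when `codesign -dvv` output reports an ad hoc signature.

    codesign prints a 'Signature=adhoc' line (and 'TeamIdentifier=not set')
    for binaries that carry no developer identity.
    """
    return re.search(r"^Signature=adhoc$", codesign_output, re.M) is not None


def triage(strings, codesign_output):
    """Score one bundle's strings plus its codesign output and return a verdict."""
    hits, score = {}, 0
    for name, (pattern, weight) in MARKERS.items():
        if any(pattern.search(s) for s in strings):
            hits[name] = weight
            score += weight
    if is_adhoc_signed(codesign_output):
        hits["adhoc_signature"] = 2
        score += 2
    # The defining pair from the analysis: a password field next to a Dropbox upload.
    critical = "password_field" in hits and "dropbox_host" in hits
    if critical:
        verdict = "likely_driver_easy_pattern"
    elif score >= 4:
        verdict = "review"
    else:
        verdict = "no_match"
    return {
        "score": score,
        "hits": hits,
        "ioc_hosts": sorted(extract_hosts(strings) & IOC_HOSTS),
        "verdict": verdict,
    }


def triage_bundle(app_path):
    """Run the check against a real .app on macOS (needs Xcode CLT for `strings`)."""
    app = Path(app_path)
    binary = app / "Contents" / "MacOS" / app.stem
    strings_out = subprocess.run(["strings", "-a", str(binary)],
                                 capture_output=True, text=True).stdout
    # codesign writes its description to stderr.
    sig = subprocess.run(["codesign", "-dvv", str(app)],
                         capture_output=True, text=True)
    return triage(strings_out.splitlines(), sig.stderr)


# Constructed sample input mimicking `strings -a` on such a binary (not real dumps).
SAMPLE_STRINGS = [
    "Google Chrome wants to use the microphone",
    "NSMicrophoneUsageDescription",
    "Enter your password to allow this.",
    "NSSecureTextField",
    "https://api.ipify.org",
    "https://content.dropboxapi.com/",
    "Dropbox-API-Arg",
]

# Constructed sample of `codesign -dvv` output for an ad hoc signed bundle.
SAMPLE_CODESIGN = """Executable=/Applications/DriverEasy.app/Contents/MacOS/DriverEasy
Identifier=DriverEasy
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
"""

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS, SAMPLE_CODESIGN))
```

A legitimate app that bundles the Dropbox SDK will hit `dropbox_host` alone and land in `no_match`; the verdict only escalates when the password field, the upload host, or the ad hoc signature stack up, which is the combination the analysis singles out. Point `triage_bundle()` at a quarantined `.app` on a macOS analysis host to run it for real.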