BlueNorOff, a North Korean state-sponsored threat group, has been found using a new, fairly simple yet fully functional piece of macOS malware in support of its financially motivated attacks, the latest Jamf research has revealed.
Jamf, a company specializing in Apple device management and security, provided details on a new North Korean malware variant that was previously undetected on VirusTotal.
The sample is a Mach-O universal binary (Mach-O is the executable file format for applications and dynamic libraries on macOS and iOS; a universal binary bundles code for more than one CPU architecture). It was communicating with a domain that Jamf had previously classified as malicious, and the activity aligned with BlueNorOff's earlier campaigns.
BlueNorOff, also tracked as APT38, is believed to be a unit of the Lazarus Group. Its campaigns are financially motivated and typically target cryptocurrency exchanges, venture capital firms, and banks; the group has been responsible for illicit money transfers carried out through fraudulent SWIFT orders.
“This seems to be a theme with the latest malware we’ve seen coming from this APT group. Based on previous attacks performed by BlueNorOff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering,” Ferdous Saljooki's research reads.
The executable raised suspicion after it was observed communicating with the malicious domain swissborg[.]blog, a look-alike of swissborg.com, the domain of a legitimate cryptocurrency exchange. Pivoting on that domain, the researchers identified several URLs the malware used for its communication.
“However, at the time of our analysis, the C2 server did not respond to any of these URLs and went offline shortly after our attempts to communicate,” researchers noted.
Typically, BlueNorOff approaches a target while posing as an investor or headhunter, claiming to be interested in a partnership or offering something of value. To blend in, the group often registers malicious domains that resemble those of legitimate cryptocurrency companies.
The new malware is written in Objective-C and operates as a very simple remote shell: it executes commands sent from the attacker's server. How the attackers gain initial access is not entirely clear, but once they have a foothold on a compromised system, the malware is likely used to run commands in the later stages of the attack.
When executed, the malware sends a message to a specific hard-coded URL. It uses built-in macOS APIs to gather information about itself and the host it is running on, such as the macOS version. Jamf researchers also demonstrated the communication between the attacker's server and the victim system.
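The indicators described above (a Mach-O universal binary carrying a hard-coded C2 URL on a domain that typosquats a real crypto exchange) can be triaged statically without running the sample. The script below is an added example written for this article; it is not Jamf's tooling or code from the malware. It parses the fat header of a universal binary to list its architecture slices, pulls printable strings from each slice, and flags any domain whose second-level label matches a watched brand but whose registrable domain is not the brand's legitimate one. The brand watchlist and the embedded sample binary are constructed for the example (the sample is two minimal Mach-O headers followed by a few strings, not real malware), and the registrable-domain logic uses the last two labels rather than a full public-suffix list.

```python
"""Static triage of a Mach-O universal binary for typosquatted C2 domains (added example)."""
import re
import struct

FAT_MAGIC = 0xCAFEBABE          # universal (fat) header, always big-endian
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header, little-endian on x86_64/arm64
MH_MAGIC = 0xFEEDFACE
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x00000007: "i386"}

# Assumed watchlist: brand label -> domains the real company actually uses.
BRAND_WATCHLIST = {"swissborg": {"swissborg.com"}}


def fat_slices(data):
    """Return [(arch_name, offset, size)] for each slice of a universal binary.
    A thin Mach-O is returned as one slice spanning the whole file."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O")
    (magic,) = struct.unpack(">I", data[:4])
    if magic == FAT_MAGIC:
        (nfat,) = struct.unpack(">I", data[4:8])
        slices = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            entry = data[8 + i * 20: 28 + i * 20]
            cputype, _sub, offset, size, _align = struct.unpack(">IIIII", entry)
            if offset + size > len(data):
                raise ValueError(f"fat_arch {i} extends past end of file")
            slices.append((CPU_NAMES.get(cputype, hex(cputype)), offset, size))
        return slices
    magic_le, cputype = struct.unpack("<II", data[:8])
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        return [(CPU_NAMES.get(cputype, hex(cputype)), 0, len(data))]
    raise ValueError("not a Mach-O file")


def printable_strings(blob, min_len=6):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def lookalike_domains(strings):
    """Hostnames whose second-level label is a watched brand but whose
    registrable domain (last two labels) is not one the brand really owns."""
    hits = set()
    for s in strings:
        for host in re.findall(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", s.lower()):
            labels = host.split(".")
            registrable = ".".join(labels[-2:])
            if labels[-2] in BRAND_WATCHLIST and registrable not in BRAND_WATCHLIST[labels[-2]]:
                hits.add(registrable)
    return sorted(hits)


def triage(data):
    """Architectures present plus look-alike domains found in any slice."""
    archs, found = [], set()
    for arch, off, size in fat_slices(data):
        archs.append(arch)
        found.update(lookalike_domains(printable_strings(data[off:off + size])))
    return {"archs": archs, "lookalike_domains": sorted(found)}


def _mach_header_64(cputype):
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2),
    # ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_sample():
    """Constructed stand-in for a universal binary: two slices, each a minimal
    mach_header_64 followed by embedded strings. Not real malware."""
    strings = b"https://swissborg.blog/\0Mozilla/5.0\0https://swissborg.com/\0"
    cpus = (0x01000007, 0x0100000C)
    slices = [_mach_header_64(cpu) + strings for cpu in cpus]
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    first_offset, entries, body = 0x100, b"", b""
    for cpu, blob in zip(cpus, slices):
        entries += struct.pack(">IIIII", cpu, 0, first_offset + len(body), len(blob), 8)
        body += blob
    return (header + entries).ljust(first_offset, b"\0") + body


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run against a real sample by replacing `build_sample()` with the file's bytes; a hit like `swissborg.blog` beside a clean `swissborg.com` is exactly the pattern to pivot on, while the architecture list tells you which slices to load into a disassembler.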
Jamf Threat Labs tracks this malware as ObjCShellz and as part of the RustBucket campaign. According to them, “This malware at a glance is very different” compared to the RustBucket malware used in other attacks, “but the attacker’s focus in both cases seems to be providing simple remote shell capability.”