BlueNoroff, the financially motivated hacking group linked to North Korea's Lazarus Group, has introduced a new macOS malware aimed at financial institutions and cryptocurrency businesses.
The discovery was made by researchers at Jamf Threat Labs, the security arm of Jamf, a company specializing in Apple device management. The attackers concealed their command-and-control infrastructure behind a domain made to look like a legitimate cryptocurrency exchange.
As detailed in a report published by Jamf on Tuesday, the malicious payload communicates with the attacker-controlled domain swissborg[.]blog. The attackers registered the domain on May 31 and hosted it on an IP address already associated with BlueNoroff infrastructure.
According to the report, the malware stores the command-and-control (C2) URL as two separate strings and concatenates them at runtime, so the full URL never appears as a contiguous string in the binary. The tactic appears intended to defeat detection methods that rely on static analysis, such as string extraction or signatures keyed on the complete URL.
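One static-analysis counter to the string-splitting trick described above is to extract the printable strings from a binary and test not only each string but also concatenations of adjacent strings against a URL pattern, since split literals in Objective-C binaries usually land next to each other in the __cstring section. The following is an added example written for this page, not code from Jamf or from the malware; the byte blob, the split point and the URL path are constructed for illustration and are not taken from the ObjCShellz sample.

```python
import re
from typing import List, Set, Tuple

# Constructed sample blob standing in for a Mach-O __TEXT,__cstring section.
# These are NOT bytes from the real sample; the split point ("https://swiss" /
# "borg.blog/api/") and the path are assumptions made for this illustration.
SAMPLE_BLOB = (
    b"\x00\x00NSObject\x00"
    b"https://swiss\x00"                  # first half of the C2 URL literal
    b"borg.blog/api/\x00"                 # second half, adjacent in the section
    b"/bin/zsh\x00"
    b"\x00\x01\x02"
    b"stringByAppendingString:\x00"       # selector that would join the halves
    b"https://developer.apple.com/\x00"   # a benign URL stored whole
    b"\xff\xfe"
)

MIN_LEN = 4
# Runs of printable ASCII, the same heuristic the `strings` utility uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# A full-match URL pattern: scheme, hostname with a TLD, optional path.
URL_RE = re.compile(r"^https?://[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every printable-ASCII run of MIN_LEN or more."""
    return [(m.start(), m.group().decode("ascii")) for m in STRING_RE.finditer(blob)]


def find_urls(strings: List[Tuple[int, str]]) -> Set[str]:
    """URLs that a plain `strings | grep` would already catch."""
    return {s for _, s in strings if URL_RE.match(s)}


def find_stitched_urls(strings: List[Tuple[int, str]], max_parts: int = 2
                       ) -> List[Tuple[str, List[str]]]:
    """URLs that only appear once up to `max_parts` adjacent strings are joined.

    Candidates where any single part is already a URL on its own are skipped,
    so the output contains only what single-string matching misses.
    """
    hits: List[Tuple[str, List[str]]] = []
    texts = [s for _, s in strings]
    for i in range(len(texts)):
        for k in range(2, max_parts + 1):
            parts = texts[i:i + k]
            if len(parts) < k:
                break
            if any(URL_RE.match(p) for p in parts):
                continue
            joined = "".join(parts)
            if URL_RE.match(joined):
                hits.append((joined, parts))
    return hits


def scan(blob: bytes) -> dict:
    """Run both passes and report what each one finds."""
    strings = extract_strings(blob)
    return {
        "plain_urls": sorted(find_urls(strings)),
        "stitched_urls": find_stitched_urls(strings),
    }


if __name__ == "__main__":
    # For a real file: scan(open(path, "rb").read()); extracting only the
    # __cstring section first reduces false joins across unrelated data.
    result = scan(SAMPLE_BLOB)
    print("plain   :", result["plain_urls"])
    for url, parts in result["stitched_urls"]:
        print("stitched:", url, "<-", parts)
```

The point of the two passes is the gap between them: the benign Apple URL is found by the plain pass, while the split C2 URL surfaces only when adjacent strings are joined. Against a real Mach-O, run it over the __cstring section rather than the whole file to keep adjacent-string joins meaningful.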
The development follows closely on the heels of the Lazarus Group's deployment of new malware referred to as "Kandykorn" against a cryptocurrency exchange. In that intrusion, Lazarus used a five-stage infection chain, including reflective loading, to deliver the Kandykorn implant.
BlueNoroff, as a threat actor, focuses on cryptocurrencies, crypto startups and financial institutions such as banks.
Similarities to RustBucket Campaign
Jamf Threat Labs observed that the newly discovered malware, which appears to be a later-stage payload, shares traits with BlueNoroff's RustBucket campaign. That campaign, identified in April of this year, targets macOS devices; the attackers approach their victims posing as investors or headhunters offering partnership opportunities.
In the RustBucket campaign, BlueNoroff registered a domain that mimicked a legitimate cryptocurrency company so that its traffic would blend in with normal network activity. The Jamf research team used a similar methodology, tracking lookalike domains tied to the group's infrastructure, to uncover the new malware.
The new macOS malware communicates with several URLs under that single domain, as highlighted by Jamf. It is written in Objective-C and functions as a basic remote shell, executing shell commands sent from the attacker's server.
According to the researchers, the operators most likely deploy it in a later stage to run commands by hand after a system has already been compromised. Despite the shared infrastructure, they describe the new malware as "very different" from the RustBucket malware itself.
Nonetheless, the researchers point out that the attackers' primary objective in both cases appears to be the same: a basic remote shell on the victim's machine.
Although the malware is relatively simple, it remains fully functional and serves the attackers' goals, as outlined in the report. The Jamf research team has named the new detection "ObjCShellz" and tracks it as part of the RustBucket campaign.
Based on previous BlueNoroff attacks, they suspect this malware is a later stage of a multi-stage delivery chain that most likely begins with social engineering.