A new macOS malware probably used by North Korean hackers to target crypto exchanges has been found by security firm Jamf. The group behind the malware is thought to be the same group behind the recently reported KandyKorn malware.
In its report on KandyKorn, Elastic Security Labs attributes the malware to ‘Lazarus’, an overarching term for North Korean state hackers. Jamf attributes this new sample more narrowly to BlueNoroff, a specific subgroup within Lazarus that is “financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms, and banks.”
The new malware is tracked by Jamf as ObjCShellz and is believed to be part of what has been called the RustBucket campaign. The researchers suspect it is a late-stage component of a multi-stage attack. “It’s a rather simplistic remote shell,” explains Jaron Bradley, director of Jamf Threat Labs, “but effective.” It receives commands from a C2 server, executes them on the infected Mac, and returns the output. In effect, the malware can do almost everything the logged-in user can do on the Mac, but silently in the background.
Jamf was not able to determine the attackers’ specific intentions for this malware, because the C2 server (located at ‘swissborg[.]blog’) was taken offline as soon as the researchers probed it for more information. This is not unusual: attackers often take infrastructure down to prevent investigation, only to bring it back up at some future date.
However, a possible alternative reason for taking the server offline is that the malware has already succeeded in its task. “Once they have finished the attack,” commented Bradley, “they take the server offline to prevent researchers gaining any extra insight into what is actually going on.”
The address of the C2 server is hardcoded within the malware. The malware could be reused as part of a different spear-phishing attack simply by changing the C2 link to a different lookalike domain name.
A slightly unusual feature is evident in this malware: it logs the victim machine’s responses to the malware’s commands, both successes and failures. “The choice to log these activities is intriguing, as attackers crafting sophisticated malware typically omit any statements that might leave traces,” write the researchers in their report. Put simply, the malware itself has unsophisticated elements, while the suspected operators are a sophisticated North Korean APT group.
Despite this, Jamf is confident that the malware belongs to BlueNoroff. The IP address behind the hardcoded C2 server has previously been associated with this group. The domain in the malware that resolves to this IP, registered on May 31, 2023, is effectively typosquatting on the legitimate swissborg[.]com cryptocurrency exchange.
Although Jamf cannot establish the means of infection, the typosquatting suggests a phishing campaign aimed at users of this particular cryptocurrency exchange. This would be typical of the BlueNoroff RustBucket campaign, and the fact that the associated IP has a history with BlueNoroff all but confirms the suspicion.
The somewhat simplistic nature of the malware remains a puzzle, sufficient for Jamf to make a point of it in its report. Jamf does not speculate. But the comparatively few known instances of the malware in the wild, coupled with the speed with which the C2 server was taken offline when Jamf probed it, leave open the possibility that this is malware still under development and testing, designed to be part of a future financial-services phishing campaign.
Whether this is new malware being developed for a new campaign or not, it demonstrates the determination of the Lazarus/BlueNoroff APT group. “This is a very capable actor,” commented Bradley, “and it’s not slowing down. They’re still bringing out malware that hasn’t been detected before, indicating their arsenal of malware is probably quite widespread beyond what we’ve already seen.”
It’s worth noting that although the C2 server is offline at the time of writing, this malware should not be ignored. Unknown infections could become live if the C2 server is brought back online. At the very least, communication with the 104.168.214[.]151 IP address should be blocked – especially since this address has been used with other BlueNoroff malware.
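The two indicators the page gives, the hardcoded C2 domain swissborg[.]blog and the IP 104.168.214[.]151, are enough to hunt for this sample on disk and in egress logs. The following is an added example written for this article, not code from Jamf’s report or from the malware: it refangs the published indicators, extracts printable strings from a binary and flags any that name the C2, and matches outbound-connection log lines against the indicator set. The binary blob, the log format and the log lines are constructed for the example; the legitimate api.swissborg.com line is included to show that the lookalike domain is matched while the real exchange is not.

```python
import re
from ipaddress import ip_address

# Indicators from the Jamf report as given on this page, in defanged form.
IOCS_DEFANGED = ["swissborg[.]blog", "104.168.214[.]151"]


def refang(ioc: str) -> str:
    """Convert defanged notation back to the literal string seen on the wire."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = {refang(i) for i in IOCS_DEFANGED}


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def is_ioc(dst: str) -> bool:
    """True if dst is a flagged host/IP, or a subdomain of a flagged domain."""
    dst = dst.lower().rstrip(".")
    for ioc in IOCS:
        if dst == ioc:
            return True
        if not _is_ip(ioc) and dst.endswith("." + ioc):
            return True
    return False


# Runs of at least six printable ASCII bytes, the usual "strings" heuristic.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def find_hardcoded_c2(blob: bytes):
    """Pull printable strings out of a binary and keep those naming a known C2."""
    hits = []
    for match in PRINTABLE_RUN.finditer(blob):
        text = match.group().decode("ascii")
        if any(ioc in text.lower() for ioc in IOCS):
            hits.append(text)
    return hits


# Constructed stand-in for a Mach-O binary: a magic number, padding, a few strings.
# The real sample's full C2 URL is not reproduced here; only the domain is known from the page.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"/bin/sh\x00"
    + b"https://swissborg.blog/\x00"   # hardcoded C2 address, as the page describes
    + b"\x00" * 4 + b"-c\x00"
)

# Constructed egress log in a simple "timestamp host -> dst:port" form (assumed format).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)$")

SAMPLE_LOG = [
    "2023-11-07T10:01:02Z mac-01 -> 192.0.2.10:443",
    "2023-11-07T10:01:05Z mac-01 -> swissborg.blog:443",
    "2023-11-07T10:02:11Z mac-02 -> 104.168.214.151:443",
    "2023-11-07T10:02:40Z mac-02 -> api.swissborg.com:443",
]


def flag_connections(lines):
    """Return (timestamp, host, destination) for every connection to a known C2."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_ioc(m.group("dst")):
            flagged.append((m.group("ts"), m.group("host"), m.group("dst")))
    return flagged


if __name__ == "__main__":
    print("hardcoded C2 strings:", find_hardcoded_c2(SAMPLE_BINARY))
    for hit in flag_connections(SAMPLE_LOG):
        print("C2 contact:", hit)
```

Matching on the domain as well as the IP matters here: the page notes the C2 address is hardcoded and could be repointed at a different lookalike domain, so a block on 104.168.214[.]151 alone is necessary but not sufficient, and any new lookalike of the targeted exchange should be added to the indicator list as it is identified.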