Connect with us

Hi, what are you looking for?


Malware & Threats

New MacOS Malware Linked to North Korean Hackers

New macOS malware, tracked by Jamf as ObjCShellz, is likely being used by North Korean hackers to target crypto exchanges

ObjCShellz - macOS malware

A new macOS malware probably used by North Korean hackers to target crypto exchanges has been found by security firm Jamf. The group behind the malware is thought to be the same group behind the recently reported KandyKorn malware. 

In its report on KandyKorn, Kaspersky describes the group as ‘Lazarus’, an overarching term for North Korean hackers. Jamf describes this group as BlueNoroff, a specific group within Lazarus that is “financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms, and banks.”

The new malware is tracked by Jamf as ObjCShellz and is believed to be part of what has been called the RustBucket Campaign. The researchers suspect it is a late stage part of a multi-stage malware attack. “It’s a rather simplistic remote shell,” explains Jaron Bradley, director of Jamf Threat Labs, “but effective.” It allows the attacker to deliver macOS instructions from a C2 server and collect the responses. The malware can do almost everything the user can do on the Mac, but in the background.

Jamf was not able to explore the specific intentions of the attackers with this malware, because the C2 server (located at ‘swissborg[.]blog’) was taken offline as soon as the researchers probed for more information. This is not unusual — attackers often stand down an IP to prevent investigation, only to stand it up at some future date. 

However, a possible alternative reason for taking the server offline is that the malware has already succeeded in its task. “Once they have finished the attack,” commented Bradley, “they take the server offline to prevent researchers gaining any extra insight into what is actually going on.”

The address of the C2 server is hardcoded within the malware. The malware could be reused as part of a different spear-phishing attack simply by changing the C2 link to a different lookalike domain name.

A slightly unusual feature is evident in this malware: it logs the victim server’s responses to the malware commands – both successes and failures. “The choice to log these activities is intriguing, as attackers crafting sophisticated malware typically omit any statements that might leave traces,” write the researchers in their report. Put simply, the malware itself has unsophisticated elements, while the suspected attackers are thought to be a sophisticated NK APT group. 

Despite this, Jamf is confident that the malware belongs to BlueNoroff. The hardcoded C2 server has long been associated with this group. The URL in the malware that resolves to this IP, registered on May 31, 2023, is effectively typo squatting on the legitimate swissborg[.]com cryptocurrency exchange.

Advertisement. Scroll to continue reading.

Although Jamf cannot discover the means of infection, the typosquatting suggests a phishing campaign targeting this particular cryptocurrency. This would be typical of the BlueNoroff RustBucket campaign — and the fact the associated IP has a history with BlueNoroff almost confirms the suspicion.

The somewhat simplistic nature of the malware remains a puzzle — sufficient for Jamf to make a point of it in its report. Jamf does not speculate — but the comparatively few known instances of the malware in the wild coupled with the speed with which the C2 server was taken offline when probed by Jamf does open the possibility that this is malware still under development and testing, designed to be part of a future financial services phishing campaign.

Whether this is new malware being developed for a new campaign or not, it demonstrates the determination of the Lazarus/BlueNoroff APT group. “This is a very capable actor,” commented Bradley, “and it’s not slowing down. They’re still bringing out malware that hasn’t been detected before, indicating their arsenal of malware is probably quite widespread beyond what we’ve already seen.”

It’s worth noting that although the C2 server is offline at the time of writing, this malware should not be ignored. Unknown infections could become live if the C2 server is brought back online. At the very least, communication with the 104.168.214[.]151 IP address should be blocked – especially since this address has been used with other BlueNoroff malware.

Related: North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains

Related: North Korean APT Expands Its Attack Repertoire

Related: US Offers $10 Million for Information on North Korean Hackers

Related: North Korean Hackers Are Back at Targeting Banks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...