The North Korea-based BlueNoroff APT group has been linked to a new malware strain that is being used to target macOS systems. Dubbed ObjCShellz, the malware shares similarities with the RustBucket malware campaign, which came to light earlier this year.

Diving into details

  • Jamf Threat Labs first came across the malware while investigating a Mach-O universal binary executable that was communicating with a malicious domain, swissborg[.]blog.
  • The malicious domain was hosted on a specific IP address that BlueNoroff threat actors had previously used to host various other domains.
  • As the name suggests, the malware is written in Objective-C and operates as a very simple remote shell that executes shell commands on compromised systems. These commands are sent from the C2 server operated by the attackers.
  • The exact initial access vector for the attack is not known; however, it is suspected that the malware is delivered as a post-exploitation payload via social engineering.
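The report's one concrete network indicator is the C2 domain, published in defanged form. The following script is an added example (not code from Jamf Threat Labs or Cyware) showing how a defender would refang that indicator and hunt for it across DNS resolver logs: it matches the domain and its subdomains while rejecting lookalike names that merely contain the string. The log line format and the sample entries are constructed assumptions; the hosting IP address mentioned in the report is not given here and is therefore not included.

```python
import re
from typing import Iterable

# Indicator from the report, as published in defanged form.
DEFANGED_C2 = "swissborg[.]blog"

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("swissborg[.]blog", "hxxp://...") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def matches_domain(hostname: str, c2_domain: str) -> bool:
    """True if hostname equals the C2 domain or is a subdomain of it.
    A plain substring test would also flag 'swissborg.blog.example.net'; this does not."""
    h = hostname.lower().rstrip(".")
    return h == c2_domain or h.endswith("." + c2_domain)

# Constructed sample DNS resolver log lines.
# Assumed format: <timestamp> <client-ip> <query-name> <query-type>
SAMPLE_DNS_LOG = """\
2023-11-01T10:02:13Z 10.0.4.17 updates.apple.com A
2023-11-01T10:02:40Z 10.0.4.17 swissborg.blog A
2023-11-01T10:03:02Z 10.0.4.22 mail.swissborg.blog A
2023-11-01T10:03:05Z 10.0.4.22 swissborg.blog.example.net A
2023-11-01T10:04:11Z 10.0.4.31 api.github.com AAAA
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

def hunt(log_lines: Iterable[str], indicators: Iterable[str]) -> list[dict]:
    """Return one record per log line whose query name matches any indicator."""
    c2s = [refang(i) for i in indicators]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole hunt
        for c2 in c2s:
            if matches_domain(m["qname"], c2):
                hits.append({"ts": m["ts"], "client": m["client"],
                             "qname": m["qname"], "indicator": c2})
    return hits

if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_LOG.splitlines(), [DEFANGED_C2]):
        print(f"{h['ts']} {h['client']} queried {h['qname']} (matches {h['indicator']})")
```

Run against the constructed log, the hunt reports the two clients that resolved the C2 domain or a subdomain of it and ignores the lookalike fourth line; the same `hunt` function can be pointed at real resolver or proxy exports once `LOG_RE` is adjusted to their format.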

While the researchers have yet to identify the victims of the ObjCShellz attacks, the choice of domain suggests that the threat actors targeted an entity or individual with an interest in the cryptocurrency exchange sector.

Concerning factor

The development comes as North Korea-sponsored groups like Lazarus are evolving their tactics and toolsets to expand their attacks on macOS systems. Recently, the Lazarus group launched a macOS malware named KANDYKORN to target blockchain engineers in an unnamed cryptocurrency exchange platform.

Moreover, a report shared by SentinelOne researchers revealed that throughout 2023 threat actors have been adopting new approaches to compromising Macs, which increases the risk for macOS users. In one instance, a malware named MetaStealer was delivered via social engineering to target businesses running macOS.

Conclusion

ObjCShellz is the latest malware to emerge in the landscape targeting macOS systems. Jamf Threat Labs continues to track the malware and its association with the RustBucket campaign.
Cyware Publisher