November 7, 2023 at 09:24AM
The BlueNoroff nation-state group, which has connections to North Korea, is behind a newly discovered macOS malware called ObjCShellz. It is used as part of the RustBucket malware campaign and is suspected to be delivered through social engineering. BlueNoroff is a sub-group of the Lazarus Group, known for financial crimes against banks and cryptocurrencies. This disclosure coincides with the Lazarus Group’s use of another macOS malware called KANDYKORN. The group is also developing and sharing toolsets, suggesting more macOS malware campaigns are on the horizon.
Key Takeaways from Meeting Notes:
– BlueNoroff, a North Korea-linked nation-state group, has been connected to a new macOS malware strain called ObjCShellz.
– ObjCShellz is used as part of the RustBucket malware campaign revealed earlier this year.
– BlueNoroff, also known as APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, specializes in financial crime and targets banks and the crypto sector.
– The Lazarus Group, to which BlueNoroff is linked, is using a new macOS malware called KANDYKORN to target blockchain engineers.
– RustBucket, an AppleScript-based backdoor, is also associated with the threat actor.
– Attacks by BlueNoroff and Lazarus are initiated through decoy documents that lure prospective targets under the guise of investment advice or job opportunities.
– ObjCShellz is an Objective-C-based remote shell that lets attackers execute shell commands sent from their server on the compromised Mac.
– The initial access vector for the attack is unknown, but ObjCShellz is believed to be delivered as a later-stage payload after the machine has already been compromised.
– North Korea-sponsored groups like Lazarus are evolving and sharing tools and tactics, making it harder to distinguish their activities and suggesting further macOS malware campaigns in the future.