BlueNoroff hackers backdoor Macs with new ObjCShellz malware

November 7, 2023 at 03:36PM

The BlueNorOff threat group, backed by North Korea, has targeted macOS users with new malware called ObjCShellz, which lets the group open remote shells on compromised devices. BlueNorOff is known for financially motivated attacks on cryptocurrency exchanges and financial organizations worldwide. ObjCShellz is written in Objective-C and is built to execute attacker-supplied commands on compromised macOS systems; it talks to a command-and-control domain that mimics a legitimate cryptocurrency exchange's website, which helps its traffic blend in. BlueNorOff has previously been linked to attacks on cryptocurrency startups, and the U.S. Treasury has sanctioned the group for funneling stolen assets to the North Korean government. The FBI also attributed the Axie Infinity Ronin network bridge hack, the largest cryptocurrency theft to date, to Lazarus Group and BlueNorOff, with hundreds of millions of dollars' worth of tokens stolen.

Key takeaways:

– The BlueNorOff threat group, backed by North Korea, has targeted macOS users with new malware called ObjCShellz, which opens remote shells on compromised devices.
– BlueNorOff is primarily a financially motivated hacking group that focuses on attacking cryptocurrency exchanges and financial organizations globally, including venture capital firms and banks.
– Malware analysts from Jamf observed a malicious payload, named ProcessRequest, associated with BlueNorOff. It communicates with the attacker-controlled domain swissborg[.]blog, registered on May 31 and hosted at 104.168.214[.]151, an IP address that is part of BlueNorOff's infrastructure.
– The command-and-control domain mimics a legitimate cryptocurrency exchange's website (swissborg.com/blog), and the malware employs techniques to evade static detection.
– The use of the swissborg[.]blog domain aligns with BlueNorOff's earlier Rustbucket campaign, in which the group posed as investors or headhunters to potential targets and registered domains resembling those of legitimate crypto companies.
– ObjCShellz is an Objective-C-based malware specifically designed to open remote shells on compromised macOS systems. It is deployed in the post-exploitation stage and allows the execution of commands on infected Intel and Arm (Apple silicon) Macs.
– BlueNorOff’s malware campaigns often employ multi-stage delivery methods using social engineering as an initial access vector.
– Previous reports have linked BlueNorOff to a series of attacks on cryptocurrency startups worldwide, in countries including the U.S., Russia, China, India, the U.K., Ukraine, Poland, the Czech Republic, the UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.
– In 2019, the U.S. Treasury imposed sanctions on BlueNorOff, Lazarus Group, and Andariel, three North Korean hacking groups, for their involvement in stealing financial assets and funneling them to the North Korean government.
– In 2019, the United Nations reported that North Korean state hackers had already stolen approximately $2 billion through 35 cyberattacks on banks and cryptocurrency exchanges across multiple countries.
– The FBI attributed the largest crypto hack ever, the theft from Axie Infinity's Ronin network bridge, to Lazarus and BlueNorOff hackers, who stole 173,600 ETH and 25.5 million USDC, worth over $617 million at the time.
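The C2 domain described above, swissborg[.]blog, reuses the registrable label of the legitimate swissborg.com under a different TLD. The following is an added example of a hunt check for that pattern over DNS-style log lines; it is not code from the article or from Jamf. The brand list, the multi-label suffix list, the log lines and every IP other than 104.168.214.151 are constructed for illustration; the IOC domain and IP are the ones quoted in the article (defanged in the text, restored here).

```python
"""Flag log lines whose queried domain impersonates a known brand or hits a known IOC.

Added example, not from the article or Jamf. Brand list, suffix list and
sample log are constructed; swissborg.blog and 104.168.214.151 are the
indicators quoted in the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legitimate brand domains a hunt team would protect (constructed list;
# only swissborg.com is named in the article).
LEGIT_BRANDS = {"swissborg.com", "coinbase.com", "kraken.com"}

# Indicators from the article, restored from their defanged form.
IOC_DOMAINS = {"swissborg.blog"}
IOC_IPS = {"104.168.214.151"}

# Two-label public suffixes treated as a single TLD (constructed, minimal
# list; a real deployment would use the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed log: "<timestamp> <client ip> <queried domain> <resolved ip>".
SAMPLE_LOG = """\
2023-11-07T15:36:01Z 10.0.0.12 www.swissborg.com 172.67.1.1
2023-11-07T15:36:02Z 10.0.0.12 swissborg.blog 104.168.214.151
2023-11-07T15:36:03Z 10.0.0.14 cdn.swissborg.io 93.184.216.34
2023-11-07T15:36:04Z 10.0.0.15 update.example.net 104.168.214.151
2023-11-07T15:36:05Z 10.0.0.16 kraken.com 104.16.1.1
"""


@dataclass(frozen=True)
class Finding:
    domain: str
    reason: str
    brand: Optional[str]  # the legitimate domain being impersonated, if any


def registrable(domain: str) -> Tuple[str, str]:
    """Split 'a.b.swissborg.blog' into ('swissborg', 'blog'), honouring
    the two-label suffixes so 'kraken.co.uk' yields ('kraken', 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def classify(domain: str, dst_ip: Optional[str] = None) -> Optional[Finding]:
    """Return a Finding for a known IOC or a brand label under the wrong TLD.
    Exact brand domains and their subdomains (www.swissborg.com) are clean."""
    domain = domain.lower().rstrip(".")
    label, tld = registrable(domain)
    apex = f"{label}.{tld}"
    if domain in IOC_DOMAINS or apex in IOC_DOMAINS:
        return Finding(domain, "known C2 domain", apex)
    if dst_ip and dst_ip in IOC_IPS:
        return Finding(domain, "known C2 ip", None)
    for brand in LEGIT_BRANDS:
        b_label, b_tld = registrable(brand)
        if label == b_label and tld != b_tld:
            return Finding(domain, "brand label under unexpected TLD", brand)
    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every log line; tolerate short or blank lines."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = classify(fields[2], fields[3])
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.domain:24} {f.reason:34} {f.brand or '-'}")
```

The TLD-swap check deliberately ignores subdomains of the genuine brand domain, so ordinary traffic to www.swissborg.com is not flagged while swissborg.io or swissborg.co.uk is; the IP check catches a second-stage host that reuses the known C2 address under an unrelated name.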
