November 7, 2023 at 09:48AM
North Korean state-sponsored hackers have been observed using a new macOS malware called “ObjCShellz” as part of the RustBucket campaign targeting financial organizations. The malware, attributed to the BlueNoroff group, is written in Objective-C and allows attackers remote shell capabilities. The campaign uses social engineering and disguises itself as a PDF viewer app to deliver the malware. The motivation for targeting macOS users is due to the popularity of cryptocurrency and the increased use of Macs for crypto-related work.
According to meeting notes, a new macOS malware strain called “ObjCShellz” has been discovered. It is believed to be part of the RustBucket campaign, which targets organizations in the financial services sector. The malware is written in Objective-C and its main purpose is to offer attackers remote shell capabilities. The group behind the malware, BlueNoroff (also known as APT38 or TA444), is believed to be a finance-focused sub-group of North Korea’s Lazarus offensive cyber operation. Attribution of the group to the RustBucket malware family was made by several cybersecurity companies. The RustBucket campaign uses a multi-stage approach to deliver malware and constantly develops new strains to make analysis more difficult. The goal of the attackers appears to be targeting users who hold cryptocurrency and are working on crypto-related projects, many of whom could be using Macs. The RustBucket malware family employs social engineering techniques to get the attack started, masquerading as PDF viewer apps. The second stage of the attack is an application that functions as a legitimate PDF viewer app but is only unlocked when used to open a malicious PDF. This triggers the establishment of the attackers’ command-and-control infrastructure for downloading additional payloads. SentinelOne’s analysis suggests there are at least three stages in the attack chain, with the latest payload having persistence capabilities.