New MacOS Malware Linked to North Korean Hackers

November 7, 2023 at 10:03AM

Security firm Jamf has discovered a new macOS malware, ObjCShellz, that is believed to be used by North Korean hackers to target cryptocurrency exchanges. The malware, tracked as part of the RustBucket campaign, lets attackers send macOS shell commands to an infected machine and collect the responses while remaining undetected. Although the malware's purpose is unclear, Jamf suspects it may be part of a future phishing campaign against financial services. Jamf attributes the malware to the BlueNoroff group, a subset of the larger Lazarus group of North Korean hackers.

Key takeaways from the article:

1. A new macOS malware, named ObjCShellz, has been discovered by security firm Jamf. It is believed to be used by the North Korean hacking group, BlueNoroff, which is part of the Lazarus group.
2. The malware is suspected to be part of the RustBucket Campaign and is a late-stage component of a multi-stage attack.
3. ObjCShellz is a remote shell that allows attackers to deliver instructions and collect responses from affected Macs.
4. The C2 server associated with the malware was taken offline, possibly to prevent further investigation or because its objectives had already been achieved.
5. The malware logs the victim server’s responses, which is unusual for sophisticated attackers.
6. A typosquatted domain imitating a cryptocurrency exchange suggests that the malware may have been used in a phishing campaign targeting that exchange's users.
7. Although the malware appears simplistic, its limited instances in the wild and the quick response to probing by Jamf indicate that it may still be under development.
8. The Lazarus/BlueNoroff APT group is known for developing and deploying sophisticated malware, and their capabilities continue to evolve.
9. While the C2 server is currently offline, potential infections may become active if the server is brought back online.
10. Communication with the IP address associated with the C2 server, 104.168.214[.]151, should be blocked as it has been linked to other BlueNoroff malware.
11. The North Korean hacking group has previously targeted banks, venture capital firms, and now crypto exchanges.
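Takeaway 10 is the one actionable item for defenders: block and hunt for traffic to the published C2 address. The script below is an added example written for this page, not code from Jamf or the original article. It refangs the defanged indicator exactly as quoted above, scans a few constructed connection-log lines in a hypothetical format for contacts with that address, and renders a macOS pf rule that drops outbound traffic to it. The log format, host names and timestamps are constructed; only the IP address comes from the page.

```python
import ipaddress
import re

# Indicator quoted on the page, in the defanged form used by the Jamf report.
DEFANGED_C2 = "104.168.214[.]151"


def refang(ioc: str) -> str:
    """Convert a defanged indicator (e.g. 104.168.214[.]151, hxxp://) back to a routable form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


# Parsed once so comparisons are done on address objects, not on string prefixes
# (a naive substring match would also hit 104.168.214.1510, a different address).
C2_IP = ipaddress.ip_address(refang(DEFANGED_C2))

# Constructed sample lines in a simplified, hypothetical connection-log format.
# Two lines from mac-01 reach the C2 address; the rest are benign background noise.
SAMPLE_LOG = """\
2023-11-06T09:12:01Z host=mac-01 proto=tcp src=10.0.0.12:52011 dst=104.168.214.151:443 action=allow
2023-11-06T09:12:05Z host=mac-02 proto=tcp src=10.0.0.15:52120 dst=93.184.216.34:443 action=allow
2023-11-06T09:13:40Z host=mac-01 proto=tcp src=10.0.0.12:52077 dst=104.168.214.151:80 action=allow
2023-11-06T09:14:02Z host=mac-03 proto=udp src=10.0.0.20:5353 dst=224.0.0.251:5353 action=allow
"""

# Pull out the reporting host and the destination address:port from each line.
LINE_RE = re.compile(r"host=(?P<host>\S+).*?dst=(?P<dst>[\d.]+):(?P<port>\d+)")


def find_c2_contacts(log_text: str, c2_ip: ipaddress.IPv4Address = C2_IP):
    """Return (host, dst_port) for every log line whose destination equals the C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the expected format; skip rather than guess
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue  # malformed address field
        if dst == c2_ip:
            hits.append((m.group("host"), int(m.group("port"))))
    return hits


def pf_block_rule(ip: ipaddress.IPv4Address) -> str:
    """Render a pf rule (macOS's built-in packet filter) that drops all outbound traffic to ip."""
    return f"block drop out quick from any to {ip}"


if __name__ == "__main__":
    for host, port in find_c2_contacts(SAMPLE_LOG):
        print(f"ALERT: {host} contacted C2 {C2_IP} on port {port}")
    print("pf rule:", pf_block_rule(C2_IP))
```

Because hosting providers recycle addresses, treat the IP block as a short-lived control and rely on the log hunt (and on the typosquatted domain, once known) to find machines that were already talking to the server before the rule went in; takeaway 9 notes those infections can wake up if the C2 returns.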

Related articles:
– North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains
– North Korean APT Expands Its Attack Repertoire
– US Offers $10 Million for Information on North Korean Hackers
– North Korean Hackers Are Back at Targeting Banks
