SpectralBlur: New macOS Backdoor Threat from North Korean Hackers

January 5, 2024 at 11:15AM

Cybersecurity researchers have identified a new Apple macOS backdoor called SpectralBlur, attributed to North Korean threat actors. It has capabilities such as uploading/downloading files and running shell commands. The malware shares similarities with KANDYKORN, showcasing the growing focus of North Korean threat actors on macOS, particularly in cryptocurrency and blockchain industries.

From the meeting notes dated Jan 05, 2024, the main points are:

1. A new Apple macOS backdoor called SpectralBlur has been discovered, sharing similarities with the KANDYKORN malware attributed to North Korean threat actors.

2. SpectralBlur is capable of various functions such as uploading/downloading files, running a shell, updating configuration, deleting files, and more based on commands from the command-and-control server.

3. KANDYKORN overlaps with activity from a Lazarus sub-group that has also deployed a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz.

4. North Korean threat actors are increasingly targeting macOS to infiltrate high-value targets, especially within the cryptocurrency and blockchain industries.

5. SpectralBlur was uploaded from Colombia. It shares functional similarities with KANDYKORN, but may have been built by different developers.

6. The malware attempts to hinder analysis and evade detection by using grantpt to set up a pseudo-terminal and execute shell commands received from the C2 server.

7. A total of 21 new malware families designed to target macOS systems were discovered in 2023, up from 13 identified in 2022.

8. There is an expectation of continued growth and popularity of macOS in 2024, leading to an increase in macOS malware.

These are the main takeaways from the meeting notes on Newsroom Endpoint Security and Malware dated Jan 05, 2024.
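Point 6 above (shell commands executed through a pseudo-terminal set up with grantpt) suggests a simple telemetry check defenders can run. The following is an added example, not code from the article or the researchers: it scans constructed process-start events (the field layout and the allowlist of parents that legitimately allocate a pseudo-terminal are assumptions) and flags a shell that has a controlling pseudo-terminal but whose parent is not a known terminal application or SSH daemon.

```python
import re

# Constructed sample telemetry, one process-start event per line (not real SpectralBlur data).
SAMPLE_EVENTS = """\
pid=501 ppid=1 parent=/usr/sbin/sshd image=/bin/zsh tty=/dev/ttys000
pid=612 ppid=540 parent=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal image=/bin/zsh tty=/dev/ttys001
pid=733 ppid=700 parent=/Users/dev/Library/Caches/.hidden/updater image=/bin/sh tty=/dev/ttys002
pid=801 ppid=780 parent=/usr/bin/python3 image=/bin/sh tty=?
pid=842 ppid=820 parent=/Users/dev/Downloads/helper image=/bin/bash tty=/dev/ttys003
"""

# Assumed allowlist of parents that normally allocate a pseudo-terminal for an interactive shell;
# tune it to the fleet (e.g. add tmux/screen or other terminal emulators in use).
KNOWN_PTY_PARENTS = {
    "/usr/sbin/sshd",
    "/usr/bin/login",
    "/usr/bin/script",
    "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
    "/Applications/iTerm.app/Contents/MacOS/iTerm2",
}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
# macOS names pseudo-terminal slave devices /dev/ttysNNN.
PTY_RE = re.compile(r"^/dev/ttys\d+$")


def parse_event(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict; unknown or missing fields are simply absent."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_suspicious_pty_shell(ev: dict) -> bool:
    """A shell whose controlling terminal is a pseudo-terminal, spawned by an unexpected parent."""
    return bool(
        ev.get("image") in SHELLS
        and PTY_RE.match(ev.get("tty", ""))
        and ev.get("parent") not in KNOWN_PTY_PARENTS
    )


def find_suspicious(events_text: str) -> list:
    """Return the events from events_text that match the heuristic, in input order."""
    return [ev for ev in map(parse_event, events_text.splitlines()) if ev and is_suspicious_pty_shell(ev)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious pty shell: pid={ev['pid']} parent={ev['parent']} tty={ev['tty']}")
```

A shell with no controlling terminal (tty=?) is not flagged here on purpose; this check only targets the pseudo-terminal pattern described in the article, and the allowlist is where false positives are tuned out.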