N. Korea's BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware
9.11.23 Apple The Hacker News
The North Korea-linked nation-state group called BlueNoroff has been linked to a previously undocumented macOS malware strain dubbed ObjCShellz.
Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year.
"Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering," security researcher Ferdous Saljooki said in a report shared with The Hacker News.
BlueNoroff, also tracked under the names APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, is a subordinate element of the infamous Lazarus Group that specializes in financial crime, targeting banks and the crypto sector as a way to evade sanctions and generate illicit profits for the regime.
The development arrives days after Elastic Security Labs disclosed the Lazarus Group's use of a new macOS malware called KANDYKORN to target blockchain engineers.
Also linked to the threat actor is a macOS malware referred to as RustBucket, an AppleScript-based backdoor that's designed to retrieve a second-stage payload from an attacker-controlled server.
In these attacks, prospective targets are lured under the pretext of offering them investment advice or a job, only to kick-start the infection chain by means of a decoy document.
ObjCShellz, as the name suggests, is written in Objective-C and functions as a "very simple remote shell that executes shell commands sent from the attacker server."
"We don't have details of who it was officially used against," Jaron Bradley, director at Jamf Threat Labs, told The Hacker News. "But given attacks that we've seen this year, and the name of the domain that the attackers created, it was likely used against a company that works in the cryptocurrency industry or works closely with it."
The exact initial access vector for the attack is currently not known, although it's suspected that the malware is delivered as a post-exploitation payload to manually run commands on the hacked machine.
"Although fairly simple, this malware is still very functional and will help attackers carry out their objectives," Saljooki said.
The disclosure also comes as North Korea-sponsored groups like Lazarus are evolving and reorganizing to share tools and tactics with each other, blurring the boundaries between them, even as they continue to build bespoke malware for Linux and macOS.
"It is believed the actors behind [the 3CX and JumpCloud] campaigns are developing and sharing a variety of toolsets and that further macOS malware campaigns are inevitable," SentinelOne security researcher Phil Stokes said last month.
North Korea's hacking spree has also prompted the U.S., South Korea, and Japan to join hands and establish a trilateral high-level cyber consultative group, primarily to combat "cyber activities that are abused as a major source of funding for North Korea's weapons development."