Jamf, in its recent discovery, identified a previously undetected North Korean malware variant.
Jamf, the Apple-focused security company, disclosed a new variant of malware from North Korea that had previously evaded detection on VirusTotal. The malware, a Mach-O universal binary, communicated with a domain that Jamf had previously identified as malicious. This activity closely mirrored earlier operations of BlueNorOff, a group associated with Lazarus. BlueNorOff typically targets crypto exchanges, venture capital firms, and banks in financially motivated campaigns that involve illegal money transfers via forged SWIFT orders.
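The article notes that the sample was a Mach-O universal (fat) binary. During triage an analyst often wants to know which architecture slices such a file carries, because each slice is a separate Mach-O image that scanners and sandboxes must inspect on its own. The following is an added example, not code from Jamf or the article: a minimal parser for the fat header that lists the slices and checks that each one starts with a 64-bit or 32-bit Mach-O magic. The sample bytes are constructed in `build_sample_fat()`; the header layout and constants follow Apple's `<mach-o/fat.h>` and `<mach/machine.h>`.

```python
import struct

FAT_MAGIC = 0xCAFEBABE          # big-endian fat header magic (32-bit fat_arch entries)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O, stored little-endian on Intel/ARM Macs
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
FAT_ARCH_SIZE = 20              # cputype, cpusubtype, offset, size, align (all uint32)


def parse_fat_header(data: bytes) -> list:
    """Return one dict per slice of a Mach-O universal binary.

    Only the classic FAT_MAGIC layout is handled; FAT_MAGIC_64 (0xCAFEBABF, with
    64-bit offsets) is out of scope for this example.  Note that Java class files
    share the 0xCAFEBABE magic, so a sane nfat_arch count is also checked.
    """
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError(f"not a fat binary (magic {magic:#x})")
    if nfat_arch == 0 or nfat_arch > 16:
        raise ValueError(f"implausible slice count {nfat_arch}")
    slices = []
    for i in range(nfat_arch):
        entry = 8 + i * FAT_ARCH_SIZE
        if len(data) < entry + FAT_ARCH_SIZE:
            raise ValueError(f"fat_arch entry {i} truncated")
        cputype, cpusubtype, offset, size, align = struct.unpack(
            ">IIIII", data[entry:entry + FAT_ARCH_SIZE])
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        # Each slice is its own Mach-O image; its magic is little-endian.
        slice_magic = struct.unpack("<I", data[offset:offset + 4])[0] if size >= 4 else 0
        slices.append({
            "arch": CPU_NAMES.get(cputype, hex(cputype)),
            "cpusubtype": cpusubtype,
            "offset": offset,
            "size": size,
            "align": 1 << align,
            "valid_mach_o": slice_magic in (MH_MAGIC_64, MH_MAGIC),
        })
    return slices


def build_sample_fat() -> bytes:
    """Constructed two-slice universal binary (fake slices: magic plus padding)."""
    slice_a = struct.pack("<I", MH_MAGIC_64) + b"\x00" * 28   # pretend x86_64 image
    slice_b = struct.pack("<I", MH_MAGIC_64) + b"\x00" * 28   # pretend arm64 image
    header = struct.pack(">II", FAT_MAGIC, 2)
    arch_a = struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 4096, len(slice_a), 12)
    arch_b = struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 8192, len(slice_b), 12)
    data = header + arch_a + arch_b
    data += b"\x00" * (4096 - len(data)) + slice_a
    data += b"\x00" * (8192 - len(data)) + slice_b
    return data


if __name__ == "__main__":
    for s in parse_fat_header(build_sample_fat()):
        print(f"{s['arch']:8} offset={s['offset']:#x} size={s['size']} "
              f"mach-o={'ok' if s['valid_mach_o'] else 'BAD'}")
```

Run against a real file with `parse_fat_header(open(path, "rb").read())`; a slice whose `valid_mach_o` is false, or an offset that runs past the end of the file, is a sign of a malformed or deliberately confusing sample worth a closer look.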
Ferdous Saljooki’s research indicates that this new malware shares characteristics with past BlueNorOff attacks and likely represents a later stage of multi-stage malware, possibly distributed through social engineering. Suspicions arose when the executable communicated with a domain, swissborg[.]blog, that resembles the legitimate cryptocurrency exchange domain swissborg.com. Further investigation by researchers uncovered multiple URLs used for the malware’s communication.
Despite attempts, the Command and Control (C2) server did not respond to these URLs during the analysis and eventually went offline. BlueNorOff often masquerades as an investor or headhunter when targeting victims, utilizing deceptive domains that resemble legitimate crypto companies to blend in.
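The lookalike domain described above (swissborg[.]blog standing in for swissborg.com) is the kind of indicator a defender can hunt for in resolver or proxy logs without knowing the specific malware in advance. The following is an added example and not code from Jamf or the article: it scans constructed DNS query log lines for domains that reuse a watchlisted brand under a different TLD or whose second-level label is a near match for one. The watchlist, log format and similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed watchlist of brands the organisation wants to protect.
WATCHLIST = ["swissborg.com", "coinbase.com"]

# Constructed resolver log lines (not taken from the article).
SAMPLE_LOG = """\
2023-11-01T10:00:01Z host=mac-01 query=swissborg.blog type=A
2023-11-01T10:00:02Z host=mac-01 query=www.swissborg.com type=A
2023-11-01T10:00:03Z host=mac-02 query=swisborg.com type=A
2023-11-01T10:00:04Z host=mac-02 query=apple.com type=A
"""

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<query>\S+)")


def registrable(domain: str) -> str:
    """Last two labels of a domain (simplification: no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, watchlist=WATCHLIST, threshold: float = 0.85):
    """Return a reason string if the domain looks like a watchlisted brand, else None."""
    reg = registrable(domain)
    if reg in watchlist or "." not in reg:
        return None                      # exact brand domain, or a bare label
    sld, tld = reg.rsplit(".", 1)
    for brand in watchlist:
        brand_sld, brand_tld = brand.split(".", 1)
        # Same brand label, different TLD: the pattern seen with swissborg[.]blog.
        if sld == brand_sld and tld != brand_tld:
            return f"brand '{brand_sld}' under different TLD (.{tld} vs .{brand_tld})"
        # Near-miss spelling of the brand label (typosquat-style).
        ratio = SequenceMatcher(None, sld, brand_sld).ratio()
        if ratio >= threshold:
            return f"label '{sld}' resembles '{brand_sld}' (similarity {ratio:.2f})"
    return None


def scan_log(text: str, watchlist=WATCHLIST) -> list:
    """Return (host, registrable_domain, reason) for each suspicious query."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                     # skip lines that do not match the format
        reason = classify(m["query"], watchlist)
        if reason:
            hits.append((m["host"], registrable(m["query"]), reason))
    return hits


if __name__ == "__main__":
    for host, dom, reason in scan_log(SAMPLE_LOG):
        print(f"{host}: {dom} -> {reason}")
```

In production the `registrable()` helper should use a public-suffix list so that domains such as `example.co.uk` are split correctly, and hits should be enriched with who resolved the name and whether any process then connected to it.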
The new malware, written in Objective-C, operates as a simple remote shell, executing commands sent from the attacker’s server. The initial method attackers use to gain access remains unclear. However, once inside a compromised system, the malware is likely used to execute commands in the later stages of an attack. Upon execution, the malware sends a message to a predetermined web address containing data about itself and the host system, such as the macOS version. Jamf researchers illustrated the communication between the attacker’s server and the victim’s system.
Identified as ObjCShellz and part of the RustBucket campaign by Jamf Threat Labs, this malware, despite its visual differences, appears to aim at providing basic remote shell capabilities, similar to the RustBucket malware used in previous attacks.