The North Korean-backed BlueNorOff threat group targets Apple customers with new macOS malware tracked as ObjCShellz that can open remote shells on compromised devices.
BlueNorOff is a financially motivated hacking group known for attacking cryptocurrency exchanges and financial organizations such as venture capital firms and banks worldwide.
The malicious payload observed by Jamf malware analysts (labeled ProcessRequest) communicates with swissborg[.]blog, an attacker-controlled domain registered on May 31 and hosted at 104.168.214[.]151, an IP address that is part of BlueNorOff infrastructure.
This command-and-control (C2) domain mimics the website of a legitimate cryptocurrency exchange, available at swissborg.com/blog. All data transferred to the server is split into two strings and stitched back together on the other end to evade static detection.
“The usage of this domain greatly aligns with the activity we’ve seen from BlueNorOff in what Jamf Threat Labs tracks as the Rustbucket campaign,” the security researchers said.
“In this campaign, the actor reaches out to a target claiming to be interested in partnering with or offering them something beneficial under the guise of an investor or head hunter. BlueNorOff often creates a domain that looks like it belongs to a legitimate crypto company in order to blend in with network activity.”
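The lookalike-domain pattern described above (a C2 domain that borrows a legitimate crypto company's brand label under a different suffix) is something a defender can hunt for in DNS query logs. The following script is an added example written for this article, not code from Jamf or from the malware; the watchlist, the `example-exchange.com` brand and the BIND-style log lines are all constructed, and only `swissborg.com` / `swissborg[.]blog` come from the article. It flags any query whose registrable label matches a watched brand but whose suffix is not the one that brand actually uses.

```python
"""Flag lookalike domains in DNS query logs (added example, not the article's code).

The article notes that BlueNorOff registers domains that resemble a legitimate
crypto company's site (swissborg[.]blog mimicking swissborg.com/blog). This
script compares queried names against a watchlist of brand domains the
organisation legitimately uses and flags queries whose brand label matches a
watched domain but whose suffix differs. Watchlist, the example-exchange brand
and the log lines are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed watchlist of legitimate brand domains (in practice: the vendors,
# exchanges and partners the organisation really talks to).
WATCHLIST = {"swissborg.com", "example-exchange.com"}

# Multi-part public suffixes so that "brand.co.uk" splits into ("brand", "co.uk").
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# BIND-style query log: "client 10.0.0.5#51234: query: host IN A +"
LOG_RE = re.compile(r"client (?P<client>[^\s#]+)\S* query: (?P<qname>\S+) IN (?P<qtype>\S+)")


@dataclass(frozen=True)
class Finding:
    client: str
    queried: str
    impersonates: str
    reason: str


def split_domain(fqdn):
    """Return (brand_label, suffix), e.g. blog.swissborg.blog -> ("swissborg", "blog")."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None, None
    suffix, body = labels[-1], labels[:-1]
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        suffix, body = ".".join(labels[-2:]), labels[:-2]
    if not body:
        return None, None
    return body[-1], suffix


def build_brand_index(watchlist):
    """Map brand label -> (legitimate domain, legitimate suffix)."""
    index = {}
    for domain in watchlist:
        label, suffix = split_domain(domain)
        if label:
            index[label] = (domain, suffix)
    return index


def check_query(qname, brand_index):
    """Return (impersonated domain, reason) if qname is a brand lookalike, else None."""
    label, suffix = split_domain(qname)
    if label is None or label not in brand_index:
        return None
    legit_domain, legit_suffix = brand_index[label]
    if suffix == legit_suffix:
        return None  # the real brand site or one of its subdomains
    reason = (f"brand label '{label}' under unexpected suffix '.{suffix}' "
              f"(expected '.{legit_suffix}')")
    return legit_domain, reason


def scan_dns_log(lines, watchlist=WATCHLIST):
    """Parse query-log lines and return Finding objects for lookalike queries."""
    brand_index = build_brand_index(watchlist)
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        result = check_query(m.group("qname"), brand_index)
        if result:
            legit, reason = result
            findings.append(Finding(m.group("client"), m.group("qname").lower(), legit, reason))
    return findings


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    "03-Nov-2023 10:01:02.123 client 10.0.0.5#51234: query: swissborg.com IN A +",
    "03-Nov-2023 10:01:09.456 client 10.0.0.5#51240: query: swissborg.blog IN A +",
    "03-Nov-2023 10:02:14.789 client 10.0.0.7#49001: query: login.example-exchange.net IN A +",
    "03-Nov-2023 10:02:20.000 client 10.0.0.7#49002: query: cdn.example-exchange.com IN AAAA +",
    "03-Nov-2023 10:03:00.000 client 10.0.0.9#50000: query: www.apple.com IN A +",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.client} queried {f.queried}: looks like {f.impersonates}; {f.reason}")
```

Run as written, the script reports the query for `swissborg.blog` and for `login.example-exchange.net`, and stays silent on the real brand sites and unrelated names. It deliberately matches only an exact brand label under a different suffix, which is the specific trick the article describes; typo and homoglyph variants need a separate edit-distance or confusables check.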
Backdoored Macs
ObjCShellz is an Objective-C-based malware, quite different from other malicious payloads deployed in previous BlueNorOff attacks. It is also designed to open remote shells on compromised macOS systems after being dropped using an unknown initial access vector.
The attackers used it during the post-exploitation stage to execute commands on infected Intel and Arm Macs.
“Although fairly simple, this malware is still very functional and will help attackers carry out their objectives. This seems to be a theme with the latest malware we’ve seen coming from this APT group,” Jamf said.
“Based on previous attacks performed by BlueNorOff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering.”
Last year, Kaspersky linked the BlueNorOff hackers to a long string of attacks targeting cryptocurrency startups around the world, including in the U.S., Russia, China, India, the U.K., Ukraine, Poland, the Czech Republic, the UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.
In 2019, the U.S. Treasury sanctioned BlueNorOff and two other North Korean hacking groups (Lazarus Group and Andariel) for funneling stolen financial assets to the North Korean government.
North Korean state hackers had already stolen an estimated $2 billion in at least 35 cyberattacks targeting banks and cryptocurrency exchanges across more than a dozen countries, according to a United Nations report from four years ago.
The FBI also attributed the largest crypto hack ever, the hack of Axie Infinity’s Ronin network bridge, to Lazarus and BlueNorOff hackers, who stole 173,600 Ethereum and 25.5M USDC tokens worth over $617 million at the time.