North Korea-linked BlueNoroff’s macOS malware variant targets financial firms

A new macOS malware variant attributed to BlueNoroff, a subgroup of the North Korean-backed Lazarus Group, has been observed targeting cryptocurrency exchanges, venture capital firms and banks.

In a blog post Nov. 7, Jamf Threat Labs said it suspects the malware is a late-stage component of multi-stage malware delivered via social engineering. The Jamf researchers track this malware as “ObjCShellz” and connect it to the RustBucket campaign. First uncovered in 2021, RustBucket uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems.

Jaron Bradley, director at Jamf Threat Labs, explained that what sets this campaign apart is how targeted the threat actors have made it. Bradley said that, unlike some malware campaigns in which a social engineering attempt is made against a large number of individuals at a company, these actors are targeting specific users they suspect hold access to cryptocurrency.

“The dangers associated with this campaign are significant, as it lets attackers pass remote commands to a system and carry out those commands in the background, potentially even allowing a more dangerous payload to be delivered to the system at some point,” said Bradley. “To prevent this malware, do not fall victim to the assumption that Macs are inherently safe from malware attacks. Train users on what social engineering looks like and encourage users to remain vigilant.”

The discovery of the new malware strain by Jamf Threat Labs shows that BlueNoroff is continuing to develop new and sophisticated malware, said Ngoc Bui, cybersecurity expert at Menlo Security. Bui said the fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff took steps to evade detection.

“For North Korea, this is a big deal if you have been following the different APTs and activities from that country,” said Bui. “This new malware strain discovered is dangerous for macOS users because it’s disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

John Gallagher, vice president of Viakoo Labs, added that the danger with multi-stage malware, or even more with polymorphic code that changes itself, is that it’s best stopped at the point of entry. 

Gallagher said that, as was found here, no one knows how initial access was made, which is why all digitally connected assets, especially IoT/OT systems managed outside of IT, should have a security plan and an agreed-upon cyber hygiene process, along with organization-wide training on social-engineering threats.

“Threat actor groups like BlueNoroff and the Lazarus Group will continue to use and further develop new threats based on RustBucket until better defenses are available against it or other multi-stage malware,” said Gallagher. “It’s not because they might both be tied to North Korea, but more the success that RustBucket has had in getting to the money.” 

Anurag Gurtu, chief product officer at StrikeReady, said what’s significant here is the expansion of BlueNoroff's toolkit to target macOS users, revealing that even less-frequently targeted systems are at risk, particularly as macOS gains popularity in business environments.

“This also underscores the persistent nature of state-sponsored hacking groups and their evolving tactics,” said Gurtu. “For macOS users, this campaign represents a significant security threat because it challenges the perception that macOS is less susceptible to malware. It also indicates that attackers are willing to invest resources to develop malware for platforms that are gaining market share in certain sectors.”
