- BlueNoroff saw crypto companies focusing on a new piece of malware
- The malware ensures persistence and opens a backdoor
- It can download additional payloads, run Shell commands and more
Devious North Korean state-sponsored threat actors known as BlueNoroff have been spotted deploying a brand new piece of malware to attack their victims.
Cybersecurity researchers SentinelLabs sounded the alarm about the new campaign, noting that BlueNoroff is a subgroup of Lazarus, a notorious North Korean organization that mainly targets cryptocurrency companies and individuals in the West. It is attributed to some of the largest crypto heists in history.
Typically, the group would “groom” their victims on social media before deploying malware. However, in this campaign they have opted for a more direct approach.
Hidden risk
As SentinelLabs explains, BlueNoroff targets its victims, mainly crypto companies, with a phishing email seemingly forwarded by a crypto influencer.
The email contains fake news about the latest developments in the cryptocurrency sector, in the form of a .PDF file that redirects victims to a website under the attackers’ control. That website will sometimes display a benign Bitcoin ETF document, and sometimes a malicious file called “Hidden Risk Behind New Surge of Bitcoin Price.app”.
The name is taken from an actual academic paper from the University of Texas, the researchers added. The entire campaign is therefore called ‘Hidden Risk’.
The malware comes in multiple stages. The first phase is a dropper app, signed with a valid Apple Developer ID, which has since been revoked. This dropper downloads a decoy PDF file that should keep the victim busy while the second stage payload is deployed in the background.
This payload is called ‘growth’ and aims to establish persistence and open a backdoor for the infected device. It only works on macOS devices running on Intel or Apple silicon, using the Rosetta emulation framework. The final phase is to check in with the C2 server every minute for new commands, including downloading and executing additional payloads, executing shell commands, or terminating the process.
The campaign has been active for at least a year, the researchers said.
Via BleepingComputer