A new malware variant has been discovered targeting Apple's macOS devices, experts warn.
A report from Greg Lesnewich, Senior Threat Researcher at Proofpoint (who described the malware in more detail in a technical article here), notes that the malware is called SpectralBlur and is a “moderately capable” piece of code. It can upload, download and delete files, execute shell commands, and sleep and hibernate, he further explained.
It appears to be developed and distributed by a subgroup of Lazarus, the notorious North Korean state-sponsored threat actor.
On the hunt for cryptocurrencies
Lesnewich made the connection via KANDYKORN (also known as SockRacket), another piece of malware previously attributed to BlueNoroff. This group, also tracked by some researchers as TA444, is known to be a division of Lazarus. KANDYKORN is described as a remote access trojan used to take control of a compromised endpoint.
The findings led the researcher to conclude that the North Koreans are stepping up their attacks on macOS devices in order to compromise high-value targets. They are especially interested in the devices of people working in the cryptocurrency and blockchain industries.
“TA444 continues to work fast and furious with these new macOS malware families,” said Lesnewich.
Lazarus is known for targeting crypto companies, usually so-called “bridge” projects. Each cryptocurrency has its own blockchain, and in order for multiple blockchains to communicate with each other, developers began building “bridges.” While these bridges are typically monitored by third-party security firms and independent code reviewers, they are often released with serious flaws, allowing threat actors to siphon off eye-watering amounts of money.
For example, on March 29, 2022, it was announced that Lazarus Group had successfully exploited a flaw in the Ronin network and stolen 173,600 Ether (ETH) and 25.5 million USD Coin from the Ronin cross-chain bridge. The total value of the stolen assets at the time was approximately $600 million, making it the second-largest crypto heist of all time, just behind the 2021 Poly Network attack.
Via The Hacker News