Cybersecurity researchers at Jamf have discovered new macOS malware designed and distributed by North Korean threat actor BlueNoroff.
ObjCShellz appears to execute shell commands sent from the attacker’s server on compromised endpoints.
While Jamf was unable to determine how the malware was distributed, the company says the campaign is “largely aligned” with an earlier campaign called Rustbucket.
Part of Lazarus
“In this campaign, the actor reaches a target claiming to be interested in partnering with or offering something useful under the guise of an investor or headhunter,” the researchers explained. “BlueNoroff often creates a domain that looks like it belongs to a legitimate crypto company to blend in with the network activity.”
Jamf describes BlueNoroff as a “financially motivated hacking group” known for attacking crypto exchanges, financial organizations and banks around the world.
Previous reports also describe the group as a division within the Lazarus Group, a North Korean state-sponsored threat actor blamed for some of the largest crypto heists in history.
Lazarus is reportedly part of the Reconnaissance General Bureau (RGB), North Korea’s main intelligence agency.
The researchers describe ObjCShellz as a “fairly simple” but highly functional malware that gets the job done. “This seems to be a theme with the latest malware we’ve seen from this APT group,” Jamf said.
“Based on previous attacks conducted by BlueNoroff, we suspect this malware was late-stage within a multi-stage malware delivered via social engineering.”
The last time we heard of BlueNoroff was early July of this year, when cybersecurity researchers at Elastic Security Labs found a new version of Rustbucket targeted at macOS endpoints.
The new version was said to be more persistent and harder to detect.
Via: BleepingComputer