Unmasking BlueNoroff: New macOS Malware ObjCShellz Linked to North Korean Threat Actor
The recently uncovered macOS malware strain, named ObjCShellz, has been linked to the nation-state group known as BlueNoroff, which has ties to North Korea. This malicious software is a part of the RustBucket malware campaign, which was brought to public attention earlier this year by Jamf Threat Labs.
According to findings shared with The Hacker News by security researcher Ferdous Saljooki, this malware is believed to be deployed as the final stage of a multi-stage attack that is typically initiated through social engineering. BlueNoroff, which also goes by aliases including APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, operates as a subordinate unit of the notorious Lazarus Group. BlueNoroff specializes in financially motivated cybercrime, targeting banks and the cryptocurrency sector to evade sanctions and generate illicit revenue for the regime.
This revelation follows Elastic Security Labs’ disclosure of the Lazarus Group’s use of a new macOS malware called KANDYKORN, which was employed to target blockchain engineers. RustBucket, another macOS malware linked to this threat actor, is an AppleScript-based backdoor designed to retrieve a second-stage payload from a server controlled by the attacker.
In these attacks, potential victims are enticed with offers of investment advice or job opportunities, only to unknowingly kick-start the infection process through a deceptive document. ObjCShellz, as implied by its name, is coded in Objective-C and serves as a straightforward remote shell for executing shell commands sent from the attacker’s server.
The precise initial access method for these attacks remains unknown, but it is suspected that the malware is delivered as a post-exploitation payload to manually run commands on the compromised machine. Despite its simplicity, this malware remains highly functional and aids attackers in accomplishing their objectives.
This disclosure is noteworthy because North Korea-sponsored groups such as Lazarus are evolving and reorganizing to share tools and tactics among themselves, blurring the lines between their operations, while continuing to develop custom malware for both Linux and macOS. SentinelOne security researcher Phil Stokes noted that the actors behind the 3CX and JumpCloud campaigns are believed to be actively developing and sharing a range of toolsets, making further macOS malware campaigns likely in the future.
Happy Hunting!
— threathuntress