Jamf Spots New MacOS Crypto Malware Attributed to North Korea’s Lazarus BlueNoroff Group

BlueNoroff, the notorious hackers’ group with links to North Korea’s Lazarus, has debuted a fresh MacOS malware targeting financial institutions.

Uncovered by researchers from the Apple device management firm – Jamf, the perpetrators have been hiding behind a legitimate-looking cryptocurrency exchange.

According to a detailed report by Jamf published Tuesday, the malicious payload communicates with swissborg[.]blog domain, controlled by the attackers. The actors registered the domain on May 31 and hosted at an IP address, part of BlueNoroff infrastructure.

“The malware splits the command and control (C2) URL into two separate strings that get concatenated together. This is likely an attempt to evade static-based detection,” the report explains.

The news comes days after the infamous Lazarus Group used a new malware dubbed “Kandykorn” to target a crypto exchange. The group apparently deployed the advanced Kandykorn malware through a complex 5-stage process, featuring reflective loading.

BlueNoroff is a threat actor that specifically targets cryptocurrencies and crypto startups, and financial entities such as banks.

Similarities to RustBucket Campaign

Jamf Threat Labs noted that the new malware, discovered at a later-stage, shares similar characteristics with BlueNoroff’s RustBucket campaign.

Identified in April this year, the campaign works to compromise macOS devices. Actors reach targets directly claiming to be an investor or head hunter, offering beneficial partnerships.

BlueNoroff also created a domain for the RustBucket campaign, that looks like it belongs to a legitimate crypto company. The aim was to blend with network activity to evade detection.

The Jamf team used the same method to detect the new malware. The new MacOS crypto-malware has links to several URLs from one domain, used for its communication, Jamf noted.

“The malware is written in Objective-C and operates as a very simple remote shell that executes shell commands sent from the attacker server.”

The perpetrators likely use the malware at a later stage to manually run commands after compromising a system, experts wrote. However, the researchers cleared that this malware at a glance is “very different” from the previously mentioned RustBucket malware.

“But the attacker’s focus in both cases seems to be providing simple remote shell capability,” they added.

Though the malware looks fairly simple it is “still very functional,” helping attackers carry out their objectives, the report said. The Jamf team names the new detection as “ObjCShellz,” considering it as a part of the RustBucket campaign.

“Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering.”