BlueNorOff, Linked to North Korea, Targets Apple Customers with New ObjCShellz macOS Malware
BlueNorOff, a hacking group backed by North Korea, is making headlines for targeting Apple customers with a new macOS malware known as ObjCShellz. This malware, programmed in Objective-C, serves as a remote shell that allows attackers to gain control over compromised devices. BlueNorOff is a financially motivated threat group with a reputation for attacking various targets, including cryptocurrency exchanges, venture capital firms, banks, and financial organizations across the globe. They’ve earned notoriety for their aggressive campaigns.
New Malware: ObjCShellz
The ObjCShellz malware is a departure from previous BlueNorOff payloads: it is written in Objective-C and its job is to open a remote shell on the compromised macOS system. It differs from earlier payloads in both its execution method and its capabilities.
Command and Control Domain
Security researchers discovered that the malicious payload, labeled ProcessRequest, communicates with a domain named swissborg[.]blog. This domain, registered on May 31, is hosted at the IP address 104.168.214[.]151, which is part of BlueNorOff’s infrastructure. The choice of domain is notable: it mimics the legitimate cryptocurrency exchange’s blog at swissborg.com/blog, so the command-and-control traffic blends in with ordinary network activity.
Rustbucket Campaign
This aligns with BlueNorOff’s known modus operandi, particularly in its Rustbucket campaign. In this campaign, BlueNorOff often reaches out to potential targets, disguising themselves as investors or headhunters. To blend in with network activity, they create domains that closely resemble those of legitimate cryptocurrency companies.
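The two indicators above (the C2 domain swissborg[.]blog and the address 104.168.214[.]151) and the lookalike-domain tradecraft described in the Rustbucket paragraph are both things a defender can hunt for in resolver logs. The following script is an added example for that purpose; it is not code from the article or from any of the researchers it cites. It matches DNS log lines against the article’s indicators and, more generally, flags queries whose registrable label matches a protected brand under a different TLD or sits one edit away from it. The log format, the client addresses and every line in `SAMPLE_LOG` are constructed; `BRAND_DOMAINS` holds only swissborg.com, the one legitimate domain the article names, and the last-two-labels domain split is a deliberate simplification that does not handle public suffixes such as co.uk.

```python
"""Added detection example: match DNS log lines against the ObjCShellz C2 indicators
reported in the article and flag lookalikes of legitimate brand domains.
All log lines below are constructed sample data, not real traffic."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators from the article (defanged there as swissborg[.]blog / 104.168.214[.]151).
IOC_DOMAINS = {"swissborg.blog"}
IOC_IPS = {"104.168.214.151"}

# Legitimate brand domains to protect. swissborg.com is the one named in the article;
# an analyst would extend this from their own watch list.
BRAND_DOMAINS = {"swissborg.com"}


@dataclass
class Finding:
    line_no: int
    query: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; cheap enough for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host: str):
    """Return (second-level label, tld) using a naive last-two-labels split.
    Simplification: no public-suffix list, so co.uk-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def classify_query(host: str) -> Optional[str]:
    """Explain why a queried hostname is suspicious, or return None if it is not."""
    host = host.lower().rstrip(".")
    if host in IOC_DOMAINS:
        return "known C2 domain"
    parts = split_domain(host)
    if parts is None:
        return None
    sld, tld = parts
    for brand in BRAND_DOMAINS:
        b_sld, b_tld = split_domain(brand)
        # Same brand label, different TLD: the swissborg.blog-style lookalike.
        if sld == b_sld and tld != b_tld:
            return f"brand label '{b_sld}' under unexpected TLD .{tld} (lookalike of {brand})"
        # One character off the brand label: a typosquat candidate.
        if sld != b_sld and levenshtein(sld, b_sld) <= 1:
            return f"label '{sld}' is one edit from brand '{b_sld}' (typosquat candidate)"
    return None


LOG_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse a key=value resolver log line into a dict."""
    return dict(LOG_RE.findall(line))


def scan_dns_log(lines) -> list:
    """Run every line through the domain classifier and the C2 address match."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        query = rec.get("query", "")
        reason = classify_query(query) if query else None
        if reason is None and rec.get("answer") in IOC_IPS:
            reason = f"resolved to known C2 address {rec['answer']}"
        if reason:
            findings.append(Finding(n, query, reason))
    return findings


# Constructed sample lines in a key=value resolver-log style (not real traffic).
SAMPLE_LOG = [
    "ts=2023-11-06T10:15:02Z client=10.0.0.12 query=www.swissborg.com type=A answer=203.0.113.5",
    "ts=2023-11-06T10:15:09Z client=10.0.0.12 query=swissborg.blog type=A answer=104.168.214.151",
    "ts=2023-11-06T10:16:41Z client=10.0.0.27 query=swisborg.com type=A answer=198.51.100.7",
    "ts=2023-11-06T10:17:03Z client=10.0.0.31 query=example.org type=A answer=198.51.100.9",
    "ts=2023-11-06T10:18:55Z client=10.0.0.31 query=cdn.invalid type=A answer=104.168.214.151",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.query}: {f.reason}")
```

Run against the sample, the script flags line 2 (exact C2 domain), line 3 (one edit from the brand label) and line 5 (an unrelated name that resolved to the C2 address); the legitimate www.swissborg.com query passes because its registrable label and TLD both match the protected brand. The address match is the useful second net: a fresh lookalike domain can be rotated cheaply, but it still has to point somewhere, and the hosting address often lives longer than the name.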
ObjCShellz and Its Purpose
The malware ObjCShellz is primarily utilized in the post-exploitation phase, enabling attackers to execute commands on compromised macOS devices. Though relatively simple, it provides the functionality needed to carry out their objectives effectively. It is suspected that this malware is a late-stage component delivered through a multi-stage malware campaign, typically initiated through social engineering or other vectors.
BlueNorOff has been linked to numerous attacks on cryptocurrency startups across the globe. They have targeted organizations in the United States, Russia, China, India, the U.K., Ukraine, Poland, the Czech Republic, the UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong. Their attacks on cryptocurrency exchanges and banks have raised significant concerns, with estimates suggesting they have stolen billions of dollars in assets.
Sanctions and Attributions
The U.S. Treasury has previously sanctioned BlueNorOff, along with two other North Korean hacking groups, Lazarus Group and Andariel, for their involvement in funneling stolen financial assets to the North Korean government. The United Nations has reported that North Korean state hackers have stolen substantial sums of money in cyberattacks on banks and cryptocurrency exchanges across numerous countries.
Cryptocurrency Heists and the Notorious Axie Infinity Hack
BlueNorOff was also implicated in the theft of 173,600 Ethereum and 25.5 million USDC tokens (worth over $617 million at the time) in what became the largest crypto hack ever, affecting Axie Infinity’s Ronin network bridge.
The attacks attributed to BlueNorOff highlight the ongoing and evolving threat posed by state-backed hacking groups in the world of cryptocurrency and financial institutions. Vigilance and robust cybersecurity measures are essential in the face of these persistent threats.
Source: bleepingcomputer.com