North Korea's BlueNoroff APT Debuts 'Dumbed Down' macOS Malware

Kim Jong-Un's hackers are scraping the bottom of the barrel, using script kiddie-grade malware to steal devalued digital assets.

3 Min Read
DPRK flag and cryptocurrency abstract image
Source: Ink Drop via Alamy Stock Photo

North Korean state hackers have debuted a fresh Mac malware targeting users in the US and Japan, which researchers characterize as "dumbed down" but effective.

An arm of the DPRK's notorious Lazarus Group, BlueNoroff has been known to raise money for the Kim regime by targeting financial institutions — banks, venture capital firms, cryptocurrency exchanges and startups — and the individuals who use them.

Since earlier this year, researchers from Jamf Threat Labs have been tracking a BlueNoroff campaign they call "RustBucket," targeting MacOS systems. In a blog published on Tuesday, they revealed a new malicious domain mimicking a crypto exchange, and a rudimentary reverse shell called "ObjCShellz," which the group is using to compromise new targets.

"We've seen a lot of actions from this group over the past few months — not just us, but multiple security companies," says Jaron Bradley, director at Jamf Threat Labs. "The fact that they are able to accomplish their objectives using this dumbed down malware is definitely notable."

North Korean Hackers Targeting MacOS

ObjCShellz's first red flag was the domain it connected to: swissborg[.]blog, with an address eerily similar to, a site run by the legitimate cryptocurrency exchange SwissBorg.

This was consistent with BlueNoroff's latest social engineering tactics. In its ongoing RustBucket campaign, the threat actor has been reaching out to targets under the guise of being a recruiter or investor, bearing offers or the potential for partnership. Keeping up the ruse often involves registering command-and-control (C2) domains mimicking legitimate financial websites in order to blend in with ordinary network activity, the researchers explained.

The example below was captured by the Jamf team from the website of a legitimate venture capital fund, and used by BlueNoroff in its phishing efforts.

Screenshot from a legitimate investment page BlueNoroff uses in phishing

After initial access comes its MacOS-based malware — a growing trend and recent specialty of BlueNoroff.

"They're targeting developers and individuals that are holding these cryptocurrencies," Bradley explains, and, in opportunistic fashion, the group has not been content to target only those using one operating system. "You could go after a victim on a Windows computer, but a lot of times those users are going to be on Mac. So if you opt not to target that platform, then you're potentially opting out of a very large amount of cryptocurrency that could be stolen."

From a technical standpoint, however, ObjCShellz is utterly simplistic — a simple reverse shell for Apple computers, enabling command execution from an attacker's server. (The researchers suspect this tool is used in the late stages of multi-staged attacks.)

The binary was uploaded once from Japan in September, and three times from a US-based IP in mid-October, the Jamf researchers added.

In light of BlueNoroff's successes stealing crypto, Bradley urges Mac users to stay as vigilant as their Windows brethren.

"There's a lot of false understanding about how Macs are inherently safe, and there's definitely some truth to that," he says. "Mac is a safe operating system. But when it comes to social engineering, anyone's susceptible to running something malicious on their computer."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights