North Korea's BlueNoroff APT Debuts 'Dumbed Down' macOS Malware

Kim Jong-Un's hackers are scraping the bottom of the barrel, using script kiddie-grade malware to steal devalued digital assets.

DPRK flag and cryptocurrency abstract image
Source: Ink Drop via Alamy Stock Photo

North Korean state hackers have debuted a fresh Mac malware targeting users in the US and Japan, which researchers characterize as "dumbed down" but effective.

An arm of the DPRK's notorious Lazarus Group, BlueNoroff has been known to raise money for the Kim regime by targeting financial institutions — banks, venture capital firms, cryptocurrency exchanges and startups — and the individuals who use them.

Since earlier this year, researchers from Jamf Threat Labs have been tracking a BlueNoroff campaign they call "RustBucket," which targets macOS systems. In a blog post published on Tuesday, they revealed a new malicious domain mimicking a cryptocurrency exchange and a rudimentary reverse shell called "ObjCShellz," which the group is using to compromise new targets.

"We've seen a lot of actions from this group over the past few months — not just us, but multiple security companies," says Jaron Bradley, director at Jamf Threat Labs. "The fact that they are able to accomplish their objectives using this dumbed down malware is definitely notable."

North Korean Hackers Targeting macOS

ObjCShellz's first red flag was the domain it connected to: swissborg[.]blog, with an address eerily similar to swissborg.com/blog, a site run by the legitimate cryptocurrency exchange SwissBorg.

This was consistent with BlueNoroff's latest social engineering tactics. In its ongoing RustBucket campaign, the threat actor has been reaching out to targets under the guise of being a recruiter or investor, bearing offers or the potential for partnership. Keeping up the ruse often involves registering command-and-control (C2) domains mimicking legitimate financial websites in order to blend in with ordinary network activity, the researchers explained.
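The swissborg[.]blog versus swissborg.com/blog trick is a specific case of a general pattern: the registrable second-level label is identical to a trusted brand, only the public suffix has been swapped. The following script is an added example (not Jamf's tooling, and not code from the article) of a triage check an analyst could run over observed DNS queries or proxy logs. The trusted-brand list, the small multi-label suffix table and every hostname other than swissborg[.]blog are constructed for illustration; a real deployment would take the suffix table from the Public Suffix List.

```python
"""Flag hostnames that mimic trusted financial brands.

Added example, not Jamf's code. Only swissborg.blog comes from the article;
the trusted-brand set and the other sample hosts are constructed inputs.
"""
from difflib import SequenceMatcher

# Assumption: brands this organization actually transacts with, kept by the analyst.
TRUSTED_DOMAINS = frozenset({
    "swissborg.com",
    "coinbase.com",
    "kraken.com",
})

# Assumption: a tiny stand-in for the Public Suffix List, so that "co.uk"-style
# suffixes are not mistaken for a second-level label.
MULTI_LABEL_SUFFIXES = frozenset({"co.uk", "com.au", "co.jp"})


def registrable_parts(host: str) -> tuple[str, str]:
    """Split a hostname into (second-level label, public suffix).

    'www.swissborg.com' -> ('swissborg', 'com'); 'swissborg.blog' -> ('swissborg', 'blog').
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical labels."""
    return SequenceMatcher(None, a, b).ratio()


def classify(host: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85) -> str:
    """Return one of 'trusted', 'suffix-swap', 'lookalike' or 'unrelated'.

    Priority order matters: a host that is an exact brand match must never be
    downgraded because it also resembles another brand.
    """
    sld, suffix = registrable_parts(host)
    verdicts = set()
    for brand in trusted:
        b_sld, b_suffix = registrable_parts(brand)
        if sld == b_sld and suffix == b_suffix:
            verdicts.add("trusted")
        elif sld == b_sld:
            verdicts.add("suffix-swap")   # swissborg.blog standing in for swissborg.com
        elif similarity(sld, b_sld) >= threshold:
            verdicts.add("lookalike")     # typosquat such as swisborg.com
    for verdict in ("trusted", "suffix-swap", "lookalike"):
        if verdict in verdicts:
            return verdict
    return "unrelated"


def triage(hosts):
    """Map each observed hostname to its verdict, for feeding into alerting."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample of observed hostnames; only swissborg.blog is from the article.
    observed = ["www.swissborg.com", "swissborg.blog", "swisborg.com", "example.org"]
    for host, verdict in triage(observed).items():
        print(f"{host:22} {verdict}")
```

Subdomains of a trusted brand (blog.swissborg.com) still resolve to "trusted" because only the registrable label and suffix are compared; the check is meant to catch newly registered C2 infrastructure, not to replace a full allowlist. Tune the similarity threshold against your own brand list, since short labels produce high ratios more easily than long ones.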

The example below was captured by the Jamf team from the website of a legitimate venture capital fund, and used by BlueNoroff in its phishing efforts.

Screenshot from a legitimate investment page BlueNoroff uses in phishing

After initial access comes the macOS-based malware itself, a growing trend and a recent specialty of BlueNoroff.

"They're targeting developers and individuals that are holding these cryptocurrencies," Bradley explains, and, in opportunistic fashion, the group has not been content to target only those using one operating system. "You could go after a victim on a Windows computer, but a lot of times those users are going to be on Mac. So if you opt not to target that platform, then you're potentially opting out of a very large amount of cryptocurrency that could be stolen."

From a technical standpoint, however, ObjCShellz is rudimentary: a basic reverse shell for Apple computers that lets the operator execute commands sent from an attacker-controlled server. (The researchers suspect this tool is used in the late stages of multi-staged attacks.)

The binary was uploaded once from Japan in September, and three times from a US-based IP address in mid-October, the Jamf researchers added.

In light of BlueNoroff's successes stealing crypto, Bradley urges Mac users to stay as vigilant as their Windows brethren.

"There's a lot of false understanding about how Macs are inherently safe, and there's definitely some truth to that," he says. "Mac is a safe operating system. But when it comes to social engineering, anyone's susceptible to running something malicious on their computer."

About the Author(s)

Nate Nelson, Contributing Writer
