North Korean Hacker Group Lazarus BlueNoroff Targets Crypto Industry with macOS Malware

Published: November 08, 2023 at 3:07 am Updated: November 08, 2023 at 3:07 am

Edited and fact-checked:
November 08, 2023 at 3:07 am

Security researchers at Jamf have identified a new macOS malware, potentially deployed by the notorious North Korean hacker group known as Lazarus BlueNoroff.

This discovery follows recent incidents involving the KandyKorn malware, also attributed to North Korean operatives.

The BlueNoroff team has been utilizing a legitimate-looking cryptocurrency exchange blog, hosted under a domain resembling the genuine Swissborg site, to establish credibility. By splitting the command and control (C2) URL into two strings before recombining them, the malware evades detection based on static signatures.

Deception and Delivery from Hackers

BlueNoroff representatives, masquerading as investors or headhunters, approach their targets offering lucrative opportunities. Once they gain the target’s trust, they deliver the Trojan designed for macOS systems. Cryptocurrency platform operators should scrutinize their traffic control systems proactively to identify any related access records that might signal a breach.

Jamf has identified a malware named ObjCShellz, believed to be a sophisticated component of the so-called RustBucket Campaign, and it appears to function as a late-stage tool in a complex, multi-layered attack strategy. Despite its apparent simplicity, the remote shell it provides is highly effective, allowing attackers to execute macOS commands covertly.

The C2 server was abruptly taken offline when researchers began probing for more details, a common tactic to hinder investigations. However, the server’s shutdown could also indicate that the malware has already accomplished its objectives.

BlueNoroff hackers backdoor Macs with new ObjCShellz malware – @serghei https://t.co/tGQruRNCu8 https://t.co/tGQruRNCu8

— BleepingComputer (@BleepinComputer) November 7, 2023

Implications for the Crypto Industry

The typosquatting domain suggests a phishing campaign targeting the Swissborg cryptocurrency exchange, characteristic of BlueNoroff’s RustBucket campaign. The situation underscores the group’s ongoing efforts to innovate in cyber warfare, developing malware undetected in previous security measures.

While the C2 server is currently inactive, industry stakeholders should not discount the threat. To mitigate risks, users should proactively block communication with known malicious IP addresses and stay alert for any potential reactivation that could trigger dormant infections.

The relentless advancements of the Lazarus/BlueNoroff group serve as a stark reminder of the persistent and evolving nature of cyber threats. With their capabilities extending into the development of new malware, the crypto industry must remain vigilant and proactive in adopting comprehensive cybersecurity strategies to protect their assets and users.

Disclaimer

Any data, text, or other content on this page is provided as general market information and not as investment advice. Past performance is not necessarily an indicator of future results.

The Trust Project is a worldwide group of news organizations working to establish transparency standards.

Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master’s degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.

Nik Asti