SpectralBlur is a macOS backdoor attributed to TA444 (Sapphire Sleet, BLUENOROFF, STARDUST CHOLLIMA) that researchers tie to SockRacket/KandyKorn, assessing it as an early iteration of KandyKorn; it was uncovered through domain investigations around pxaltonet.org and a dropped .macshare binary. The backdoor uses RC4-wrapped C2 traffic and Mach-O artifacts to enable file transfer, shell access, and configuration updates, revealing cross-family links across SpectralBlur, SockRacket, and KandyKorn. #SpectralBlur #SockRacket #KandyKorn #TA444 #Interception #pxaltonet.org #MachO #MacOS

Keypoints

  • SpectralBlur is a macOS backdoor attributed to TA444, with overlaps to SockRacket/KandyKorn; researchers assess it as an early KandyKorn iteration.
  • Suspicious domain pxaltonet.org tipped by internet scan data; the auth subdomain delivered the .macshare file.
  • Static analysis shows Mach-O 64-bit characteristics and strings related to common UNIX-like functions; comparisons link to KandyKorn/SockRacket.
  • Capabilities include uploading/downloading files, running a shell, updating configuration, deleting files, and sleeping/hibernating based on C2 commands.
  • C2 communications are RC4-wrapped sockets, with observable API-like strings and commands (e.g., _proc_*) used to control behavior.
  • The investigation traces cross-family similarities and notes a phishing campaign that helped pull in KandyKorn, suggesting shared tooling or builders.
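The static-analysis observations above (64-bit Mach-O header, recognisable UNIX strings, and the _proc_* command names) can be turned into a small triage script. The following is an added example, not code from the original write-up or from the researcher; the sample bytes and the _proc_sample_* names are constructed placeholders, not values from the real .macshare binary.

```python
import re
import struct

# Mach-O header magics: 64-bit thin binaries store the magic little-endian,
# universal (fat) binaries store theirs big-endian.
MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE

# Strings the write-up calls out in the sample; command handlers share a _proc_ prefix.
INDICATOR_STRINGS = [b"/bin/sh", b"/dev/null", b"/usr/lib/libSystem.B.dylib", b"/usr/lib/dyld"]
PROC_PREFIX = re.compile(rb"_proc_[A-Za-z0-9_]+")


def macho_kind(data: bytes) -> str:
    """Classify a file by its leading magic: 'macho64', 'fat' or 'unknown'."""
    if len(data) < 4:
        return "unknown"
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        return "macho64"
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        return "fat"
    return "unknown"


def triage(data: bytes) -> dict:
    """Report header kind, which indicator strings are present, and any _proc_* names found."""
    found = [s.decode() for s in INDICATOR_STRINGS if s in data]
    procs = sorted({m.group(0).decode() for m in PROC_PREFIX.finditer(data)})
    return {"kind": macho_kind(data), "strings": found, "proc_commands": procs}


# Constructed sample: a 64-bit Mach-O magic, padding, and a few of the strings above.
# It is a placeholder for demonstration, not the real .macshare payload.
SAMPLE = (
    struct.pack("<I", MH_MAGIC_64) + b"\x00" * 28
    + b"/usr/lib/dyld\x00/bin/sh\x00_proc_sample_a\x00_proc_sample_b\x00/dev/null\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Point triage() at the bytes of any suspect Mach-O to get a quick yes/no on the header type and which of the write-up's strings it carries before deeper analysis.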

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The malware can upload and download files over its C2 channel, so tool transfer happens under C2 control. “SpectralBlur is a moderately capable backdoor, that can upload/download files, run a shell, update its configuration, delete files, hibernate or sleep, based on commands issued from the C2.”
  • [T1059.004] Command and Scripting Interpreter – The backdoor can “run a shell”; its strings include “SHELL” and “/bin/sh”, the latter present as both ASCII and wide strings in the code.
  • [T1027] Obfuscated/Compressed Files and Information – Communications are wrapped in RC4, so the data exchanged with the C2 is obfuscated on the wire: “communicates via sockets wrapped in RC4”.
  • [T1107] File Deletion – The backdoor can delete files as part of its operations; “delete files” is listed among its capabilities.

Indicators of Compromise

  • [Domain] pxaltonet.org – suspicious domain tipped by scan data linked to Interception cluster.
  • [Domain] auth.pxaltonet.org – subdomain used to deliver the .macshare binary.
  • [File] .macshare – the downloaded payload.
  • [File] /usr/lib/libSystem.B.dylib – loaded library referenced in the binary’s behavior.
  • [File] /usr/lib/dyld – Mach-O loader reference observed in the sample.
  • [File] /bin/sh – shell referenced in the strings and a likely command execution path.
  • [File] /dev/null – used as a placeholder in the strings block.

Read more: https://g-les.github.io/yara/2024/01/03/100DaysofYARA_SpectralBlur.html