Jamf Threat Labs identified a new macOS malware variant attributed to the BlueNoroff APT group and linked to the Rustbucket campaign, delivered as a Mach-O universal binary named ProcessRequest. The malware communicates with swissborg.blog (resolving to 104.168.214.151), operates as a simple remote shell, and splits its C2 URL across two strings to hinder static detection; Jamf tracks it under the research name ObjCShellz. #BlueNoroff #RustBucket #ObjCShellz #SwissborgBlog #ProcessRequest #JamfThreatLabs #MachO
Keypoints
- Jamf Threat Labs ties the macOS malware to the BlueNoroff APT and the Rustbucket campaign, consistent with that group's financially motivated targeting.
- The malware is a Mach-O universal binary named ProcessRequest, ad-hoc signed.
- C2 uses swissborg.blog, resolving to 104.168.214.151, and the domain looks designed to blend with legitimate crypto entities.
- The C2 URL is split into two strings and concatenated to evade static detection.
- The malware performs OS version checks via NSProcessInfo and sends data via an HTTP POST using NSURLSession, with a crafted JSON payload.
- It functions as a simple remote shell, executing attacker-provided commands with system() and logging outcomes via NSLog.
MITRE Techniques
- [T1059.004] Unix Shell — The malware runs attacker-supplied commands through system(), which inherently invokes sh -c. "The malware utilizes the system() function for command execution, inherently invoking sh -c."
- [T1218] Signed Binary Proxy Execution — The standalone binary ProcessRequest is ad-hoc signed. "The standalone binary, labeled ProcessRequest, is ad-hoc signed." This mapping is loose: an ad-hoc signature carries no developer identity and does not by itself satisfy Gatekeeper; `codesign -dv` on the file reports it as adhoc.
- [T1053] Scheduled Task/Job — The main function sets up a repeating timer that triggers the command loop at intervals. "The main function… sets up a repeating timer using the startTimer method." This is an in-process timer; the page describes no launchd, cron or other on-disk persistence.
- [T1566] Phishing — As in earlier Rustbucket activity, the operator contacts the target posing as an investor or head hunter. "reaches out to a target claiming to be interested in partnering with or offering them something beneficial under the guise of an investor or head hunter."
- [T1036] Masquerading — The domain swissborg.blog is chosen to resemble a legitimate crypto company so the traffic blends in. "domain that looks like it belongs to a legitimate crypto company."
- [T1071.001] Web Protocols — The malware talks to its C2 over HTTP POST using NSURLSession. "This POST request uses the NSURLSession class to generate the user-agent…"
- [T1027] Obfuscated Files and Information — The C2 URL is split into two strings that are concatenated at runtime, so the full URL never appears as a single string in the binary. "splits the command and control (C2) URL into two separate strings that get concatenated together."
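The split-URL trick above has a direct consequence for detection: `strings` piped to `grep` for the C2 URL finds nothing, because no single string contains it, but two extracted strings whose concatenation yields the IOC still give it away. The script below is an added example, not code from the Jamf report or from the malware itself. It parses the fat header so each architecture slice of a universal binary is examined on its own, extracts printable strings the way strings(1) does, and reports both whole ("direct") and reassembled ("split@k") IOC matches. The input is a constructed two-slice fat file that carries the two C2 endpoints listed on this page, split at a point chosen here; the real sample's split point is not given on this page.

```python
import re
import struct

FAT_MAGIC = 0xCAFEBABE
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

# String IOCs taken from this page (scheme restored from the defanged hXXp form).
IOC_STRINGS = (
    "swissborg.blog",
    "104.168.214.151",
    "http://swissborg.blog/zxcv/bnm",
    "http://swissborg.blog/ghjk/yuio",
)


def fat_slices(data: bytes):
    """Return [(arch_name, slice_bytes)] for a universal Mach-O; a thin file is one slice."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return [("thin", data)]
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian uint32)
        cputype, _sub, off, size, _align = struct.unpack(">IIIII", data[8 + 20 * i: 28 + 20 * i])
        if off + size > len(data):
            raise ValueError(f"fat_arch {i} points outside the file")
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), data[off:off + size]))
    return slices


def printable_strings(blob: bytes, min_len: int = 4):
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def scan(data: bytes, iocs=IOC_STRINGS, min_fragment: int = 3):
    """Per slice, report IOCs found whole ('direct') or reassembled from two strings ('split@k')."""
    hits = []
    for arch, blob in fat_slices(data):
        strs = printable_strings(blob)
        for ioc in iocs:
            if any(ioc in s for s in strs):
                hits.append((arch, ioc, "direct"))
                continue
            # Split check: one string ends with ioc[:k] and another starts with ioc[k:].
            # Both fragments must be at least min_fragment chars to avoid trivial matches.
            for k in range(min_fragment, len(ioc) - min_fragment + 1):
                head, tail = ioc[:k], ioc[k:]
                if any(s.endswith(head) for s in strs) and any(s.startswith(tail) for s in strs):
                    hits.append((arch, ioc, f"split@{k}"))
                    break
    return hits


def build_constructed_sample() -> bytes:
    """Constructed input, not the real ProcessRequest: a two-slice fat wrapper around
    filler that carries each endpoint as two NUL-terminated C strings, split at an
    arbitrary point chosen here (the real split point is not given on this page)."""
    def body(frag_a: bytes, frag_b: bytes) -> bytes:
        return (b"\x00" * 16 + b"NSProcessInfo\x00" + frag_a + b"\x00"
                + b"\x7f\x01\x02\x03" + frag_b + b"\x00" + b"\x00" * 16)
    bodies = [body(b"http://swissborg.", b"blog/zxcv/bnm"),
              body(b"http://swissborg.", b"blog/ghjk/yuio")]
    cputypes = (0x01000007, 0x0100000C)
    header = struct.pack(">II", FAT_MAGIC, len(bodies))
    archs, off = b"", 8 + 20 * len(bodies)
    for cputype, b in zip(cputypes, bodies):
        archs += struct.pack(">IIIII", cputype, 3, off, len(b), 0)
        off += len(b)
    return header + archs + b"".join(bodies)


if __name__ == "__main__":
    sample = build_constructed_sample()
    for arch, blob in fat_slices(sample):
        print(arch, printable_strings(blob))  # neither slice holds the URL as one string
    for hit in scan(sample):
        print(hit)
```

Against the constructed sample, no IOC is found as a whole string; every hit is a `split@k` reassembly, which is exactly the case a plain string grep misses. On a real universal binary, point `scan()` at the file bytes; examining slices separately matters because the x86_64 and arm64 builds can carry different string layouts.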
Indicators of Compromise
- [File hash] 79337ccda23c67f8cfd9f43a6d3cf05fd01d1588 (SHA-1) — universal binary; the source report lists additional hashes that are not reproduced here
- [IP address] 104.168.214.151 β C2 domain resolution and previous association with this actor
- [Domain] swissborg.blog β C2 domain; domain impersonation aligned with Rustbucket activity
- [Domain] coinbase.expublic.linkpc.net β related domain observed in VirusTotal context
- [File name] ProcessRequest — malware executable name (ObjCShellz is Jamf's research name for this variant, not a file name)
- [URL] hXXp://swissborg.blog/zxcv/bnm β one of the C2 endpoints; hXXp://swissborg.blog/ghjk/yuio β another endpoint
Read more: https://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/