New MacOS Malware Linked to North Korean Hackers

Jamf has identified ObjCShellz, a new macOS malware linked to North Korean BlueNoroff/Lazarus actors and likely part of the RustBucket Campaign, targeting crypto exchanges. The sample shows a simple remote-shell capability with a hardcoded C2 address, and researchers note its unsophisticated design alongside a potentially ongoing phishing-related operation. #ObjCShellz #BlueNoroff #Lazarus #RustBucketCampaign #Swissborg #KandyKorn

Key points

  • ObjCShellz is a new macOS malware linked to BlueNoroff/Lazarus and suspected to be part of the RustBucket Campaign.
  • Described as a late-stage component of a multi-stage attack, functioning as a simple remote shell to run commands from a C2 server.
  • The C2 server address is hardcoded in the malware and hosted on a domain that typosquats Swissborg; researchers probed it, but the server had already been taken offline.
  • The malware logs both successful and failed command responses, an unusual trace for sophisticated malware.

MITRE Techniques

  • [T1059.004] Unix shell – The malware provides a remote shell to execute macOS instructions from a C2 server and collect responses. ‘It’s a rather simplistic remote shell,’ … ‘It allows the attacker to deliver macOS instructions from a C2 server and collect the responses.’
  • [T1071.001] Application Layer Protocol – C2 communications rely on a hardcoded C2 address embedded in the malware for command and response exchange. ‘The address of the C2 server is hardcoded within the malware.’
  • [T1566.001] Phishing: Spearphishing Link – Typosquatting on a crypto-targeted domain suggests a phishing campaign targeting this cryptocurrency. ‘typosquatting suggests a phishing campaign targeting this particular cryptocurrency.’

Indicators of Compromise

  • [IP] 104.168.214.151 – used with BlueNoroff malware; block this IP as a precaution
  • [Domain] swissborg[.]blog – hardcoded C2 domain, a typosquat referencing swissborg.com
  • [Domain] swissborg.com – the legitimate domain the typosquat imitates (cited as the typosquatting target, not as malicious infrastructure)
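
As an added example that is not part of the original article, the following Python snippet refangs the indicators listed above and checks them against constructed DNS and firewall log lines. The log formats, field names and sample lines are assumptions; the IP and domain values are the ones published above, and the legitimate swissborg.com must not produce a hit.

```python
import re

# Indicators as published in the article (domain kept in its defanged form).
IOC_DOMAINS = {"swissborg[.]blog"}
IOC_IPS = {"104.168.214.151"}

# Constructed log lines (assumed dnsmasq-style DNS queries and a simple firewall format);
# not real telemetry.
SAMPLE_LOGS = [
    "Nov 8 10:01:02 dnsmasq[412]: query[A] swissborg.com from 10.0.0.12",
    "Nov 8 10:01:05 dnsmasq[412]: query[A] swissborg.blog from 10.0.0.12",
    "Nov 8 10:01:06 fw: ACCEPT src=10.0.0.12 dst=104.168.214.151 dport=443",
    "Nov 8 10:02:11 dnsmasq[412]: query[A] www.swissborg.blog from 10.0.0.44",
    "Nov 8 10:03:00 fw: ACCEPT src=10.0.0.44 dst=93.184.216.34 dport=443",
]

DNS_RE = re.compile(r"query\[A\] (?P<host>\S+)")
FW_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'swissborg[.]blog' back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def domain_matches(host: str, ioc_domain: str) -> bool:
    """Match the IoC domain itself or any subdomain of it; 'swissborg.com' and
    'swissborg.blog.example.net' must not match 'swissborg.blog'."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan(lines, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return (line_number, indicator, reason) for every log line that touches an IoC."""
    domains = {refang(d) for d in ioc_domains}
    ips = {refang(i) for i in ioc_ips}
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m:
            for d in domains:
                if domain_matches(m.group("host"), d):
                    hits.append((n, d, "DNS query for hardcoded C2 domain"))
        m = FW_RE.search(line)
        if m and m.group("ip") in ips:
            hits.append((n, m.group("ip"), "outbound connection to C2 IP"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("line %d: %s (%s)" % hit)
```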

Read more: https://www.securityweek.com/new-macos-malware-linked-to-north-korean-hackers/