
ObjCShellz Malware

BlueNoroff, a nation-state group with ties to North Korea, is now associated with a macOS malware strain known as ObjCShellz, which was previously undocumented. This threat is a critical player in the RustBucket malware campaign, which first emerged in early 2023.

Examining BlueNoroff's past activities, researchers believe that ObjCShellz functions as a late-stage component in a multi-stage malware system delivered through social engineering tactics. BlueNoroff, also known by various aliases such as APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, operates as a subset of the infamous Lazarus Group. Specializing in financial crimes, this hacker group targets banks and the crypto sector, aiming to bypass sanctions and generate unlawful profits for the regime.

The Lazarus APT Group Remains an Active Cybercrime Threat Actor

The ObjCShellz discovery comes shortly after reports of the Lazarus Group, an APT (Advanced Persistent Threat) actor, employing a fresh macOS malware named KANDYKORN to target blockchain engineers. Another macOS malware associated with this threat actor is RustBucket, characterized as an AppleScript-based backdoor designed to fetch a second-stage payload from a server controlled by the attacker.

These attacks follow a pattern where potential targets are enticed with the promise of investment advice or a job opportunity. However, the true intent is to initiate the infection process through the use of a decoy document.

The ObjCShellz Malware Is Simple Yet Effective

Named ObjCShellz because it is written in Objective-C, this malware serves as a straightforward remote shell: it executes shell commands received from the attacker's server on the infected machine.

The researchers lack specific information regarding the exact targets of ObjCShellz. However, considering the attacks observed in 2023 and the domain name registered by the attackers, it is likely that the malware was employed against a company in the cryptocurrency industry or closely connected to it.

The precise method of initial access for the attack remains unknown at present. There is suspicion that the malware is delivered as a post-exploitation payload, enabling manual execution of commands on the compromised machine. Despite its simplicity, ObjCShellz proves to be highly functional, serving the attackers well in achieving their objectives.
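The behaviour described above, a parent process that holds a connection to a remote server and runs shell commands on its behalf, leaves a recognizable pattern in endpoint telemetry. The following is an added example, not code from the researchers or from the malware sample: it correlates EDR-style process and network events and flags a process that is not Apple-signed, makes an outbound connection, and then spawns `/bin/sh -c` (or another system shell) within a time window. The event schema, paths, PIDs and addresses are all constructed for the example; the address 203.0.113.10 is a documentation range, not an indicator.

```python
"""Flag the remote-shell pattern in constructed endpoint telemetry:
a non-Apple-signed process that connects out and then runs a system
shell with `-c`. Added example; nothing here is taken from ObjCShellz."""
from collections import defaultdict

# System shells whose `-c` children are worth correlating back to the parent.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

# Constructed EDR-style events (not real telemetry). Each has a timestamp,
# a kind ("process" or "network") and kind-specific fields.
SAMPLE_EVENTS = [
    # Benign: Terminal (Apple-signed) starts an interactive zsh, no network.
    {"ts": 100, "kind": "process", "pid": 501, "ppid": 1,
     "path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "signer": "Apple", "args": []},
    {"ts": 101, "kind": "process", "pid": 502, "ppid": 501,
     "path": "/bin/zsh", "signer": "Apple", "args": ["-l"]},
    # Benign: curl connects out but never spawns a shell.
    {"ts": 110, "kind": "process", "pid": 601, "ppid": 502,
     "path": "/usr/bin/curl", "signer": "Apple", "args": ["https://example.com"]},
    {"ts": 111, "kind": "network", "pid": 601, "remote": "198.51.100.5:443"},
    # Suspicious (constructed): unsigned binary in a user directory connects
    # to a remote host, then runs `sh -c` twice within seconds of each other.
    {"ts": 200, "kind": "process", "pid": 700, "ppid": 1,
     "path": "/Users/alice/Library/Caches/constructed_unsigned_binary",
     "signer": None, "args": []},
    {"ts": 201, "kind": "network", "pid": 700, "remote": "203.0.113.10:443"},
    {"ts": 230, "kind": "process", "pid": 701, "ppid": 700,
     "path": "/bin/sh", "signer": "Apple", "args": ["-c", "whoami"]},
    {"ts": 260, "kind": "process", "pid": 702, "ppid": 700,
     "path": "/bin/sh", "signer": "Apple", "args": ["-c", "ls ~/Documents"]},
]


def find_remote_shell_patterns(events, window=3600):
    """Return one finding per parent process that (1) is not Apple-signed,
    (2) has at least one outbound connection and (3) spawns a system shell
    with `-c` within `window` seconds after its first connection."""
    procs = {}                      # pid -> process event
    net_by_pid = defaultdict(list)  # pid -> network events
    children = defaultdict(list)    # ppid -> child process events
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "process":
            procs[e["pid"]] = e
            children[e["ppid"]].append(e)
        elif e["kind"] == "network":
            net_by_pid[e["pid"]].append(e)

    findings = []
    for pid, proc in procs.items():
        # Apple-signed parents (Terminal, launchd, sshd) spawn shells all day;
        # the interesting case is an unsigned or third-party binary doing it.
        if proc["signer"] == "Apple":
            continue
        conns = net_by_pid.get(pid)
        if not conns:
            continue
        first_conn = min(c["ts"] for c in conns)
        commands = [
            " ".join(child["args"][1:])
            for child in children.get(pid, [])
            if child["path"] in SHELLS
            and child["args"][:1] == ["-c"]
            and first_conn <= child["ts"] <= first_conn + window
        ]
        if commands:
            findings.append({
                "pid": pid,
                "path": proc["path"],
                "remote": sorted({c["remote"] for c in conns}),
                "commands": commands,
            })
    return findings


if __name__ == "__main__":
    for f in find_remote_shell_patterns(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['path']} -> {f['remote']}: {f['commands']}")
```

In a real deployment the signer check would be an allowlist rather than "Apple only" (developer tools and package managers also spawn shells while holding connections), and the window should be tuned to how long the implant's sessions actually last; the correlation itself, parent identity plus outbound connection plus shell child, is what distinguishes an operator-driven remote shell from ordinary shell use.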

Researchers Warn That North Korea-Related Hacker Groups Are Evolving

The revelation regarding ObjCShellz coincides with the transformation and restructuring of North Korea-sponsored groups like Lazarus. These groups are increasingly collaborating to exchange tools and tactics, creating a blurred landscape as they persist in crafting customized malware for both Linux and macOS.

Experts believe that the entities orchestrating campaigns such as those against 3CX and JumpCloud are actively involved in developing and sharing a diverse set of tools. This collaboration suggests that additional macOS malware campaigns using improved and more streamlined tooling could be on the horizon.
