A new malware variant is distributed by BlueNordoff APT group, a financially motivated threat group targeting cryptocurrency exchanges, venture capital firms, and banks.
This new campaign has similar characteristics to their RustBucket campaign.
BlueNoroff was first discovered in early 2014 during the beginning of North Korea’s Cyber efforts for financial gain to support their military operations, nuclear operations, and other vital resources.
Jamf Threat Labs discovery
The recent campaign by the BlueNoroff APT group was found to have a Mach-O universal binary that communicates with a domain that was classified as malicious by Jamf. Additionally, the executable was completely undetected in VirusTotal.
The standalone binary was named as “ProcessRequest” which communicates with the domain swissborg[.]blog.
There was a legitimate cryptocurrency exchange that goes under the similar domain name swissborg[.]com. In addition to this, they also have a blog under the path swissborg[.]com/blog.
swissborg[.]blog was found to be registered on May 31, 2023, and resolves to 104.168.214[.]151 IP address.
Moreover, there were several URLs found to be communicating with the malware. To evade detection, the malware splits the Command and Control URL into two separate strings and merges them.
Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
Malware Analysis
The new malware variant is written in Objective-C and operates as a simple remote shell that executes commands from the threat actor’s server.
However, this malware was used at a later stage. However, the initial access to compromised systems remains unknown.
When executed, the malware sends a POST message to the hXXp://swissborg.blog/zxcv/bnm by calling the sendRequest function.
It also uses the operatingSystemVersionString function to find the macOS version. The malware also detects the CFNetwork framework version, DarwinVersion, and many other vital information.
The malware uses the system() function for command execution and logs the C2 server response through NSLog for queuing commands for execution.
A complete report about this threat group and the malware has been published by malware, which provides additional information regarding the SHA value, source code, RustBucket campaign, and additional information.
IoCs
79337ccda23c67f8cfd9f43a6d3cf05fd01d1588 - Universal Binarye2af7a895aef936c2761289acafe564b4dc7ba4e - Intel 8dc95be0cf52c64e3d6c519e356b0c3f0d729bd4 - Arm 588d84953ae992c5de61d3774ce86e710ed42d29 - Universal Binary bc33f1a6c345e0452056ec08d25611b85c350b2e - Intel 677b119edfa1335b6eb9b7307b034bee512dbc1a - Arm swissborg[.]blog - C2 Domain
Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications:Â Try Free Trial.