BlueNoroff Hackers Attacking Apple Users with New macOS Malware

A new malware variant is distributed by BlueNordoff APT group, a financially motivated threat group targeting cryptocurrency exchanges, venture capital firms, and banks.

This new campaign has similar characteristics to their RustBucket campaign.

BlueNoroff was first discovered in early 2014 during the beginning of North Korea’s Cyber efforts for financial gain to support their military operations, nuclear operations, and other vital resources.

Jamf Threat Labs discovery

The recent campaign by the BlueNoroff APT group was found to have a Mach-O universal binary that communicates with a domain that was classified as malicious by Jamf. Additionally, the executable was completely undetected in VirusTotal.

The standalone binary was named as “ProcessRequest” which communicates with the domain swissborg[.]blog.

There was a legitimate cryptocurrency exchange that goes under the similar domain name swissborg[.]com. In addition to this, they also have a blog under the path swissborg[.]com/blog.

swissborg[.]blog was found to be registered on May 31, 2023, and resolves to 104.168.214[.]151 IP address.

Moreover, there were several URLs found to be communicating with the malware. To evade detection, the malware splits the Command and Control URL into two separate strings and merges them.

Malware Analysis

The new malware variant is written in Objective-C and operates as a simple remote shell that executes commands from the threat actor’s server.

However, this malware was used at a later stage. However, the initial access to compromised systems remains unknown.

When executed, the malware sends a POST message to the hXXp://swissborg.blog/zxcv/bnm by calling the sendRequest function.

It also uses the operatingSystemVersionString function to find the macOS version. The malware also detects the CFNetwork framework version, DarwinVersion, and many other vital information.

The malware uses the system() function for command execution and logs the C2 server response through NSLog for queuing commands for execution.

A complete report about this threat group and the malware has been published by malware, which provides additional information regarding the SHA value, source code, RustBucket campaign, and additional information.

IoCs

79337ccda23c67f8cfd9f43a6d3cf05fd01d1588 - Universal Binarye2af7a895aef936c2761289acafe564b4dc7ba4e - Intel
8dc95be0cf52c64e3d6c519e356b0c3f0d729bd4 - Arm
588d84953ae992c5de61d3774ce86e710ed42d29 - Universal Binary 
bc33f1a6c345e0452056ec08d25611b85c350b2e - Intel
677b119edfa1335b6eb9b7307b034bee512dbc1a - Arm
swissborg[.]blog - C2 Domain

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.