Friday, November 1, 2024
HomeCyber Security NewsBlueNoroff Hackers Attacking Apple Users with New macOS Malware

BlueNoroff Hackers Attacking Apple Users with New macOS Malware

Published on

Malware protection

A new malware variant is distributed by BlueNordoff APT group, a financially motivated threat group targeting cryptocurrency exchanges, venture capital firms, and banks.

This new campaign has similar characteristics to their RustBucket campaign.

BlueNoroff was first discovered in early 2014 during the beginning of North Korea’s Cyber efforts for financial gain to support their military operations, nuclear operations, and other vital resources.

- Advertisement - SIEM as a Service

Jamf Threat Labs discovery

The recent campaign by the BlueNoroff APT group was found to have a Mach-O universal binary that communicates with a domain that was classified as malicious by Jamf. Additionally, the executable was completely undetected in VirusTotal.

BlueNoroff Hackers Apple Users
VirusTotal report Source: Jamf

The standalone binary was named as “ProcessRequest” which communicates with the domain swissborg[.]blog.

There was a legitimate cryptocurrency exchange that goes under the similar domain name swissborg[.]com. In addition to this, they also have a blog under the path swissborg[.]com/blog.

swissborg[.]blog was found to be registered on May 31, 2023, and resolves to 104.168.214[.]151 IP address.

Moreover, there were several URLs found to be communicating with the malware. To evade detection, the malware splits the Command and Control URL into two separate strings and merges them.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Malware Analysis

The new malware variant is written in Objective-C and operates as a simple remote shell that executes commands from the threat actor’s server.

However, this malware was used at a later stage. However, the initial access to compromised systems remains unknown.

When executed, the malware sends a POST message to the hXXp://swissborg.blog/zxcv/bnm by calling the sendRequest function.

It also uses the operatingSystemVersionString function to find the macOS version. The malware also detects the CFNetwork framework version, DarwinVersion, and many other vital information.

The malware uses the system() function for command execution and logs the C2 server response through NSLog for queuing commands for execution.

A complete report about this threat group and the malware has been published by malware, which provides additional information regarding the SHA value, source code, RustBucket campaign, and additional information.

IoCs

79337ccda23c67f8cfd9f43a6d3cf05fd01d1588 - Universal Binarye2af7a895aef936c2761289acafe564b4dc7ba4e - Intel
8dc95be0cf52c64e3d6c519e356b0c3f0d729bd4 - Arm
588d84953ae992c5de61d3774ce86e710ed42d29 - Universal Binary 
bc33f1a6c345e0452056ec08d25611b85c350b2e - Intel
677b119edfa1335b6eb9b7307b034bee512dbc1a - Arm
swissborg[.]blog - C2 Domain

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...