Saturday, December 14, 2024
HomeCyber Security NewsBlueNoroff Hackers Attacking Apple Users with New macOS Malware

BlueNoroff Hackers Attacking Apple Users with New macOS Malware

Published on

SIEM as a Service

A new malware variant is distributed by BlueNordoff APT group, a financially motivated threat group targeting cryptocurrency exchanges, venture capital firms, and banks.

This new campaign has similar characteristics to their RustBucket campaign.

BlueNoroff was first discovered in early 2014 during the beginning of North Korea’s Cyber efforts for financial gain to support their military operations, nuclear operations, and other vital resources.

- Advertisement - SIEM as a Service

Jamf Threat Labs discovery

The recent campaign by the BlueNoroff APT group was found to have a Mach-O universal binary that communicates with a domain that was classified as malicious by Jamf. Additionally, the executable was completely undetected in VirusTotal.

BlueNoroff Hackers Apple Users
VirusTotal report Source: Jamf

The standalone binary was named as “ProcessRequest” which communicates with the domain swissborg[.]blog.

There was a legitimate cryptocurrency exchange that goes under the similar domain name swissborg[.]com. In addition to this, they also have a blog under the path swissborg[.]com/blog.

swissborg[.]blog was found to be registered on May 31, 2023, and resolves to 104.168.214[.]151 IP address.

Moreover, there were several URLs found to be communicating with the malware. To evade detection, the malware splits the Command and Control URL into two separate strings and merges them.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Malware Analysis

The new malware variant is written in Objective-C and operates as a simple remote shell that executes commands from the threat actor’s server.

However, this malware was used at a later stage. However, the initial access to compromised systems remains unknown.

When executed, the malware sends a POST message to the hXXp://swissborg.blog/zxcv/bnm by calling the sendRequest function.

It also uses the operatingSystemVersionString function to find the macOS version. The malware also detects the CFNetwork framework version, DarwinVersion, and many other vital information.

The malware uses the system() function for command execution and logs the C2 server response through NSLog for queuing commands for execution.

A complete report about this threat group and the malware has been published by malware, which provides additional information regarding the SHA value, source code, RustBucket campaign, and additional information.

IoCs

79337ccda23c67f8cfd9f43a6d3cf05fd01d1588 - Universal Binarye2af7a895aef936c2761289acafe564b4dc7ba4e - Intel
8dc95be0cf52c64e3d6c519e356b0c3f0d729bd4 - Arm
588d84953ae992c5de61d3774ce86e710ed42d29 - Universal Binary 
bc33f1a6c345e0452056ec08d25611b85c350b2e - Intel
677b119edfa1335b6eb9b7307b034bee512dbc1a - Arm
swissborg[.]blog - C2 Domain

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...

FBI Seizes Rydox Marketplace, Arrests Key Administrators

The Federal Bureau of Investigation (FBI) announced the seizure of Rydox, an illicit online...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...