Friday, December 8, 2023

BlueNoroff Hackers Attacking Apple Users with New macOS Malware

A new malware variant is distributed by BlueNordoff APT group, a financially motivated threat group targeting cryptocurrency exchanges, venture capital firms, and banks.

This new campaign has similar characteristics to their RustBucket campaign.

BlueNoroff was first discovered in early 2014 during the beginning of North Korea’s Cyber efforts for financial gain to support their military operations, nuclear operations, and other vital resources.

Jamf Threat Labs discovery

The recent campaign by the BlueNoroff APT group was found to have a Mach-O universal binary that communicates with a domain that was classified as malicious by Jamf. Additionally, the executable was completely undetected in VirusTotal.

BlueNoroff Hackers Apple Users
VirusTotal report Source: Jamf

The standalone binary was named as “ProcessRequest” which communicates with the domain swissborg[.]blog.

There was a legitimate cryptocurrency exchange that goes under the similar domain name swissborg[.]com. In addition to this, they also have a blog under the path swissborg[.]com/blog.

swissborg[.]blog was found to be registered on May 31, 2023, and resolves to 104.168.214[.]151 IP address.

Moreover, there were several URLs found to be communicating with the malware. To evade detection, the malware splits the Command and Control URL into two separate strings and merges them.

Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Malware Analysis

The new malware variant is written in Objective-C and operates as a simple remote shell that executes commands from the threat actor’s server.

However, this malware was used at a later stage. However, the initial access to compromised systems remains unknown.

When executed, the malware sends a POST message to the hXXp:// by calling the sendRequest function.

It also uses the operatingSystemVersionString function to find the macOS version. The malware also detects the CFNetwork framework version, DarwinVersion, and many other vital information.

The malware uses the system() function for command execution and logs the C2 server response through NSLog for queuing commands for execution.

A complete report about this threat group and the malware has been published by malware, which provides additional information regarding the SHA value, source code, RustBucket campaign, and additional information.


79337ccda23c67f8cfd9f43a6d3cf05fd01d1588 - Universal Binarye2af7a895aef936c2761289acafe564b4dc7ba4e - Intel
8dc95be0cf52c64e3d6c519e356b0c3f0d729bd4 - Arm
588d84953ae992c5de61d3774ce86e710ed42d29 - Universal Binary 
bc33f1a6c345e0452056ec08d25611b85c350b2e - Intel
677b119edfa1335b6eb9b7307b034bee512dbc1a - Arm
swissborg[.]blog - C2 Domain

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles