Beware of BlueNoroff: Mac users are victims of a new malware variant

Security researchers have lifted the lid on what appears to be a variant of the infamous RustBucket malware targeting macOS systems . What was first discovered earlier in April, a new report from Jamf Threat Labs shows how this attack continues to evolve and who its potential targets could be.

RustBucket is a relatively new form of malware specifically targeted at Mac users. It is the work of a North Korean Advanced Persistent Threat (APT) group called BlueNoroff, a subgroup of the renowned state-owned cybercrime enterprise Lazarus Group.

On Tuesday, Apple security experts at Jamf Threat Labs revealed details that , they believe is a new late-stage malware variant for macOS, tracked as ObjCShellz by BlueNoroff, which is closely related to RustBucket. “Late stage” refers to the time of initial infection and often involves data leakage, persistence, or lateral movement within the network.

BlueNoroff often approaches potential victims under the guise of an investor or bounty hunter for the company, according to Jamf. It is also not uncommon for attackers to create domains that appear to belong to a legitimate cryptocurrency company in order to blend in with network activity.

The discovery of ObjCShellz (a variant similar to RustBucket) comes after Jamf researchers discovered a generic macOS binary interacting with the domain previously classified as malicious.

“This executable file was not detected on VirusTotal at the time of our analysis, which piqued our interest,” he said. Jamf stated.

RustBucket compromises its targets using various methods such as phishing emails, malicious websites, and drive-by downloads. Once infected, the malware communicates with command and control (C2) servers to download and execute various payloads. Most elusive, however, is its ability to pass through virus scanners like VirusTotal completely undetected.

And that's exactly what this new variant has done.

VirusTotal scan report showing what's in the executable of the new variants no malicious activity detected. via Jamf Security Lab

In an attempt to contact the new variant's C2 server, Jamf researchers performed a DNS rotation from the original malicious domain and discovered several more URLs used for communication. They were ultimately unsuccessful, and the C2 server immediately went down shortly thereafter.

“Over the past few months, Jamf Threat Labs has discovered various malware distribution campaigns orchestrated by this elusive entity, Advanced Persistent Threat Labs, in an attempt to steal digital assets from victims,”” Jaron Bradley, director of Jamf Threat Labs, told 9to5Mac.

“Our latest research sheds light on previously unreported malware that BlueNoroff uses to create covert communication channels on compromised systems. This hidden program allows attackers to send and receive data while the victim continues to use their computer, evading detection.”

ObjCShellz and similar variants can pose a serious threat to Mac users. However, there are several ways to protect yourself.

  1. Most importantly, be careful when opening email attachments, especially if the sender is unknown. Malware can spread through infected attachments.
  2.  Make sure you are running the latest version of macOS with all security patches included. This helps eliminate known vulnerabilities that can be exploited by malware.
  3.  Install reliable antivirus and antivirus software on your Mac that can also detect and block malicious websites. While it's true that ObjCShellz can slip through the cracks, it's always a good idea to have an extra layer of protection on your Mac.

For the full Jamf report, visit the new malware variant page and view indicators of compromise here.

Leave a Reply

Your email address will not be published. Required fields are marked *