BlueNoroff, the notorious hacking group linked to North Korea’s Lazarus, has deployed a new macOS malware targeting financial institutions.
The malware was uncovered by researchers at Jamf, the Apple device management firm. Its operators have been hiding behind a domain that looks like it belongs to a legitimate cryptocurrency exchange.
According to a detailed report published by Jamf on Tuesday, the malicious payload communicates with the attacker-controlled domain swissborg[.]blog. The actors registered the domain on May 31 and hosted it at an IP address that is part of known BlueNoroff infrastructure.
“The malware splits the command and control (C2) URL into two separate strings that get concatenated together. This is likely an attempt to evade static-based detection,” the report explains.
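One defensive response to the split-string trick described above is to check extracted strings (for example, `strings` output from a Mach-O binary) for neighbouring fragments that only form a URL once joined. The script below is an added example, not code from Jamf’s report; the sample string list, the split point and the `/latest` path are constructed for illustration, and the domain is kept defanged as the report prints it.

```python
import re

# A full URL: scheme, host with a lowercase TLD, optional path.
# Case-sensitive on purpose so Objective-C symbols such as
# "NSMutableURLRequest" do not masquerade as a TLD after a dot.
URL_RE = re.compile(r"^https?://[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$")


def refang(s):
    """Turn a defanged '[.]' back into '.' for matching only."""
    return s.replace("[.]", ".")


def find_split_urls(strings, window=8):
    """Return (i, j, joined) for pairs of strings within `window`
    positions of each other whose concatenation matches URL_RE while
    neither fragment does on its own. Intact URLs are skipped because
    ordinary static scanners already see those."""
    hits = []
    for i, a in enumerate(strings):
        if URL_RE.match(refang(a)):
            continue
        lo, hi = max(0, i - window), min(len(strings), i + window + 1)
        for j in range(lo, hi):
            if i == j or URL_RE.match(refang(strings[j])):
                continue
            joined = a + strings[j]
            if URL_RE.match(refang(joined)):
                hits.append((i, j, joined))
    return hits


# Constructed sample of strings as a `strings` tool might list them.
SAMPLE_STRINGS = [
    "/usr/lib/libSystem.B.dylib",
    "NSMutableURLRequest",
    "https://swissborg[.]",          # first half of the C2 URL
    "_objc_msgSend",
    "blog/latest",                   # second half (path is constructed)
    "POST",
    "https://example.invalid/update",  # intact URL, deliberately ignored
]

if __name__ == "__main__":
    for i, j, url in find_split_urls(SAMPLE_STRINGS):
        print(f"split URL: strings[{i}] + strings[{j}] -> {url}")
```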
The news comes days after the infamous Lazarus Group used a new malware dubbed “Kandykorn” to target a crypto exchange. The group apparently deployed the advanced Kandykorn malware through a complex five-stage process that includes reflective loading.
BlueNoroff is a threat actor that specifically targets cryptocurrencies and crypto startups, and financial entities such as banks.
Jamf Threat Labs noted that the new malware, discovered at a later stage, shares characteristics with BlueNoroff’s RustBucket campaign.
Identified in April this year, that campaign compromises macOS devices. The actors contact targets directly, posing as an investor or headhunter offering a beneficial partnership.
For the RustBucket campaign, BlueNoroff also created a domain that looks like it belongs to a legitimate crypto company, so that its traffic would blend in with normal network activity and evade detection.
The Jamf team used the same method to detect the new malware. The new macOS crypto-malware has links to several
Read more on cryptonews.com