Security Researchers Uncover New Malware Variant Linked to BlueNoroff APT Group
Security researchers have uncovered a new malware variant attributed to the BlueNoroff Advanced Persistent Threat (APT) group. BlueNoroff is financially motivated and has a history of targeting cryptocurrency exchanges, venture capital firms, and banks.
Discovery of the Malware
The variant was found during routine threat hunting by Jamf Threat Labs. The team identified a Mach-O universal binary named “ProcessRequest” communicating with a known malicious domain. The binary is standalone rather than part of a larger package, and the domain it contacts was chosen to resemble that of a legitimate cryptocurrency exchange, which is what first drew attention to it.
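A first triage step for a sample like this is to confirm what the “Mach-O universal binary” label means in bytes: a big-endian fat header (magic 0xCAFEBABE) followed by one fat_arch entry per architecture slice, each pointing at a thin Mach-O image. The parser below is an added example written for this article; it is not Jamf’s tooling and has nothing to do with the ProcessRequest sample itself. The universal binary it parses is constructed in memory (two 32-byte header-only stubs, x86_64 and arm64), and it cross-checks each slice’s own header against the fat_arch table, which catches truncated or tampered files that a plain `file` run would accept.

```python
"""Triage helper: enumerate and sanity-check the slices of a Mach-O universal binary.
Added example for this article; the sample binary is constructed inline, not a real sample."""
from __future__ import annotations

import struct
from dataclasses import dataclass

FAT_MAGIC = 0xCAFEBABE       # fat_header magic; the fat header is always big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF     # mach_header_64 magic, stored in the slice's own byte order
CPU_ARCH_ABI64 = 0x01000000  # OR'd into cputype for 64-bit ABIs
CPU_TYPE_NAMES = {
    7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm", 12 | CPU_ARCH_ABI64: "arm64",
}


@dataclass
class FatArch:
    cputype: int
    cpusubtype: int
    offset: int   # file offset of the thin slice
    size: int     # size of the thin slice in bytes
    align: int    # log2 of the slice alignment (14 means 16 KiB pages)

    @property
    def name(self) -> str:
        return CPU_TYPE_NAMES.get(self.cputype, hex(self.cputype))


def classify(data: bytes) -> str:
    """Return 'fat', 'macho64' or 'unknown' from the leading magic."""
    if len(data) < 4:
        return "unknown"
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        return "fat"
    # x86_64 and arm64 are little-endian, so a thin 64-bit header reads CF FA ED FE on disk
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        return "macho64"
    return "unknown"


def parse_fat_header(data: bytes) -> list[FatArch]:
    """Parse the fat_arch table and verify every slice is in-bounds and self-consistent."""
    if classify(data) != "fat":
        raise ValueError("not a universal binary")
    nfat = struct.unpack(">I", data[4:8])[0]
    if nfat == 0 or nfat > 16:  # real universal binaries carry a handful of slices
        raise ValueError(f"implausible nfat_arch {nfat}")
    archs: list[FatArch] = []
    for i in range(nfat):
        entry = data[8 + 20 * i: 28 + 20 * i]  # struct fat_arch is five big-endian uint32s
        if len(entry) < 20:
            raise ValueError("truncated fat_arch table")
        arch = FatArch(*struct.unpack(">IIIII", entry))
        if arch.size < 8 or arch.offset + arch.size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        # The thin header inside the slice must agree with the table entry describing it.
        slice_magic, slice_cputype = struct.unpack("<II", data[arch.offset:arch.offset + 8])
        if slice_magic != MH_MAGIC_64 or slice_cputype != arch.cputype:
            raise ValueError(f"slice {i} header does not match its fat_arch entry")
        archs.append(arch)
    return archs


def build_sample_universal(cputypes: list[int]) -> bytes:
    """Constructed test input: a fat header plus one header-only 64-bit stub per cputype.
    Each stub is just a mach_header_64 (filetype 2 = MH_EXECUTE, no load commands)."""
    align = 12
    page = 1 << align
    stubs = [struct.pack("<IIIIIIII", MH_MAGIC_64, ct, 0, 2, 0, 0, 0, 0) for ct in cputypes]
    table = struct.pack(">II", FAT_MAGIC, len(stubs))
    for i, (ct, stub) in enumerate(zip(cputypes, stubs)):
        table += struct.pack(">IIIII", ct, 0, page * (i + 1), len(stub), align)
    out = bytearray(page * (len(stubs) + 1))
    out[:len(table)] = table
    for i, stub in enumerate(stubs):
        out[page * (i + 1):page * (i + 1) + len(stub)] = stub
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_universal([7 | CPU_ARCH_ABI64, 12 | CPU_ARCH_ABI64])
    print(classify(sample), [a.name for a in parse_fat_header(sample)])
```

On a real file, `parse_fat_header(open(path, "rb").read())` gives the slice list; an unexpected architecture count, an out-of-bounds slice, or a cputype mismatch between table and slice header is worth a second look before the sample goes anywhere near a sandbox.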
According to Jamf researcher Ferdous Saljooki, the activity matches BlueNoroff’s RustBucket campaign, in which the group poses as investors or headhunters to approach its targets.
Technical Analysis
The malicious domain was registered in May 2023 and resolved to a single IP address. The malware used several URLs on that host for communication; the command-and-control (C2) server became unresponsive during analysis and later went offline.
Saljooki explained that the malware, written in Objective-C and named ObjCShellz, is a simple remote shell: it fetches shell commands from the attacker’s server, runs them on the host, and returns the output. That is enough to give the operator interactive control of a compromised system and carry out whatever follow-on actions they choose.
Implications and Suspicions
The initial access method is not known. The binary is believed to be a later-stage component, used to run commands by hand once a system has already been compromised. Given BlueNoroff’s previous operations, it was most likely delivered as one stage of a multi-stage attack that began with social engineering.
Saljooki noted that, despite its simplicity, the malware is entirely adequate for its purpose: a small remote shell is highly effective once an attacker already has a foothold. Because the sample is a single standalone binary that talks to a look-alike domain and executes shell commands, host-level telemetry (an unexpected Mach-O binary spawning shells, or outbound connections to a domain mimicking a known exchange) is the practical place to detect it. The discovery documents another step in BlueNoroff’s evolving macOS tradecraft and underscores the need for ongoing detection and threat hunting.