Crypto-Targeting BlueNoroff APT Expands Arsenal with New macOS Malware

In the cyber realm, where threats evolve rapidly, a new chapter unfolds with the discovery of a novel and menacing Trojan targeting macOS users – the BlueNoroff loader. This revelation, unearthed by cybersecurity experts from Kaspersky, marks a significant shift in the tactics of the BlueNoroff APT gang, infamously known for attacking financial and cryptocurrency-related entities.

Initially identified in a post on X (formerly Twitter), the loader was concealed within a seemingly innocuous ZIP archive. The file, named “Crypto-assets and their risks for financial stability,” appeared legitimate, with an appropriate title page, luring unsuspecting victims into opening it. Created on October 21, 2023, the app, “EdoneViewer,” is a universal binary that runs on both Intel and Apple Silicon Macs.

Original X (formerly Twitter) post about the new loader | Image: Kaspersky

Upon execution, the app does two things at once. It runs an AppleScript that downloads and opens a benign PDF file as a decoy, while simultaneously sending a POST request to a server. The server’s response is saved to a hidden file named “.pw,” which is then executed with the Command & Control (C&C) server address as an argument.

The C&C server, hosted at hxxp://on-global[.]xyz, was registered only recently, on October 20, 2023. This server communicates with the .pw file, a Trojan detected back in August. The Trojan collects comprehensive system information, including the computer name, OS version, time zone, device startup date, and a list of running processes, and forwards this data to the server in cycles every minute.
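As an added illustration for defenders (not Kaspersky's code and not taken from the article), the check below scans constructed process-execution events for the loader pattern described above: a hidden dotfile executable launched with a URL-like argument. The event fields, the sample paths and the placeholder C&C address are assumptions.

```python
"""Flag hidden-dotfile executables launched with a C&C-style argument (BlueNoroff loader pattern)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Hypothetical shape of a process-start record from an EDR or endpoint log."""
    parent: str        # parent executable path
    path: str          # executable path of the new process
    args: list[str]    # command-line arguments (argv[0] excluded)


# Matches either an http(s) URL or a bare host name such as "c2.example.invalid".
URL_OR_HOST = re.compile(r"^(https?://|[a-z0-9.-]+\.[a-z]{2,}$)", re.IGNORECASE)


def is_hidden_path(path: str) -> bool:
    """True when the file name itself starts with a dot (e.g. ~/.pw); dot-directories do not count."""
    return path.rsplit("/", 1)[-1].startswith(".")


def suspicious(ev: ProcEvent) -> list[str]:
    """Return the reasons an event matches the loader pattern; an empty list means clean."""
    reasons = []
    if is_hidden_path(ev.path):
        reasons.append("executable is a hidden dotfile")
        if any(URL_OR_HOST.match(a) for a in ev.args):
            reasons.append("hidden executable given a URL/host argument (possible C&C address)")
    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return every event that triggered at least one reason, with its reasons."""
    return [(ev, suspicious(ev)) for ev in events if suspicious(ev)]


# Constructed sample events: one mimicking the loader's handoff to .pw, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("/Users/u/Downloads/EdoneViewer.app/Contents/MacOS/EdoneViewer",
              "/Users/u/.pw", ["http://c2.example.invalid"]),   # placeholder C&C address
    ProcEvent("/bin/zsh", "/usr/bin/curl", ["https://example.com"]),
    ProcEvent("/bin/zsh", "/Users/u/.local/bin/tool", ["--help"]),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {ev.path} (parent {ev.parent}): {'; '.join(reasons)}")
```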

As the world of technology advances, so do the threats it faces. The BlueNoroff loader for macOS is a stark reminder of the importance of vigilance in cybersecurity. Users are advised to be cautious of suspicious downloads and maintain up-to-date anti-malware solutions.