Jamf Threat Labs Uncovers a Stealthy Malware Strain from BlueNoroff APT

Jamf Threat Labs has recently uncovered a discreet, yet potent, malware variant tied to the notorious BlueNoroff APT group. Known for their financially driven forays, particularly targeting the cryptocurrency space, venture capital entities, and banks, BlueNoroff’s latest stratagem involves a universal binary that slipped under the radar of VirusTotal’s extensive database – a discovery that sets off alarm bells within the cybersecurity community.

BlueNoroff APT

This binary, aptly named ‘ProcessRequest,’ carries the hallmark of being ad-hoc signed and has been caught red-handed in secret conversations with a suspicious domain, swissborg[.]blog. The domain’s closeness to the legitimate swissborg.com, which operates a verified blog, hints at the attackers’ clever tactics in masking their malicious intents. By splitting the command and control (C2) URL into discrete strings only to be reunited later, the malware seeks to slide past static detection mechanisms.

The link between the malevolent activities associated with this domain and BlueNoroff’s ‘Rustbucket’ campaign is undeniable. In this campaign, the modus operandi is to feign investment interest or to dangle enticing propositions to potential targets, effectively camouflaging themselves within legitimate network traffic.

The suspicious domain, set up on May 31, 2023, leads to an IP address with a checkered history of associations with malware, indicative of BlueNoroff’s fingerprints. Although the malware’s C2 server ceased communication shortly after being probed by Jamf, the silence from the server does not diminish the threat it poses.

macOS malware

Traces of this malware’s proliferation have surfaced across nations such as Japan and the USA, with instances reported as recent as September and October. The malware itself, crafted in Objective-C, operates as a remote shell, executing commands dispatched from the attacker’s server. This suggests a possible second-stage deployment where the malware enters the scene post-system compromise, with the attacker pulling the strings from afar.

Upon execution, the malware immediately phones home, sending a POST request to a hardcoded URL, cleverly generating a user agent that mirrors legitimate app traffic – a testament to the craftiness of its creators. The malware is audaciously communicative, capturing the system’s macOS version and relaying it back, all the while dressed up in a JSON-formatted disguise.

The malware responds to the C2’s beck and call, executing commands via the system function, and boldly logs its actions – a somewhat arrogant move for a piece of software designed to operate in the shadows. A meticulously set timer ensures that the malware persistently reaches out to its commander, facilitated by the NSRunLoop class, ensuring it never sleeps.

“Although fairly simple, this malware is still very functional and will help attackers carry out their objectives. This seems to be a theme with the latest malware we’ve seen coming from this APT group,” the researcher concluded.

Jamf Threat Labs, calling it ‘ObjCShellz’ and placing it within the RustBucket campaign narrative, warns of its potential role in a larger scheme of multi-stage malware attacks that leverage social engineering to gain a foothold.