Skip links

Fresh find shines new light on North Korea’s latest macOS malware

A brand-new macOS malware strain from North Korean state-sponsored hackers has been spotted in the wild.

Dubbed “ObjCShellz” by researchers at Jamf, the malware is thought to be a later-stage payload in the multi-stage RustBucket campaign targeting organizations in the financial services sector.

… years ago, the attacker had good odds that their victim would be running a Windows computer, [but] many users holding cryptocurrency and performing development work on crypto-related projects could easily be running a Mac

While the scale or success of the malware campaign isn’t currently understood, Jaron Bradley, director of Jamf Threat Labs, highlighted to The Register that the group behind the malware has been hugely successful in the past.

That group is BlueNoroff, otherwise tracked as APT38, TA444, which is believed to be a finance-focused sub-group of North Korea’s Lazarus offensive cyber operation.

Attribution of the group to the RustBucket malware family was made by numerous cybersecurity companies such as Proofpoint, Trend Micro, and Kaspersky after piecing together evidence and similarities from its numerous attacks in the past.

The malware itself is “simple,” Jamf said. Written in Objective-C, its primary purpose is to offer attackers remote shell capabilities sent to it from an attacker-controlled server.

It communicates with the URL swissborg.blog – one that piggybacks off the domain name of a legitimate cryptocurrency exchange. It was previously identified as being associated with cybercrime, but the Mach-O universal binary had not yet been detected by VirusTotal when the research was carried out.

The technique of using a domain similar in name to a crypto exchange was used in prior stages of the RustBucket macOS malware campaign earlier this year, Jamf noted. The researchers’ initial investigation into RustBucket was published shortly before the imitation SwissBorg domain was registered on May 31.

RustBucket is a family of different malware strains that were gradually unearthed over the course of the past six months by various security researchers.

A multi-stage approach to malware delivery, combined with continually developing new strains, is typically adopted by attackers who want to prevent analysis of its code, or at least make it more difficult. 

“Re-using malware is generally a good way to get detected,” said Bradley. “Developing new malware increases the odds of remaining hidden for the attacker. It ensures that antivirus vendors won’t be able to detect the malware based on previously used indicators. 

“Furthermore, sometimes a more simplistic piece of malware, such as the malware used here, might also be all that’s required for the attacker.”

As for the reason behind developing macOS malware when Windows still has a commanding share of the operating system market, Bradley said “we only have assumptions.”

“Unlike some malware campaigns where a social engineering attempt may be performed on a large number of individuals at a company, these actors are targeting specific users they suspect will hold access to cryptocurrency,” he said. 

“Although years ago, the attacker had good odds that their victim would be running a Windows computer, many users holding cryptocurrency and performing development work on crypto-related projects could easily be running a Mac. If the attacker is not equipped to deal with a Mac user, they may be missing a fairly large opportunity when it comes to the total value that could be stolen.”

How the RustBucket malware family works

The first stage of RustBucket requires strong social engineering to get the attack off the ground. It’s an AppleScript that masks itself as a PDF viewer app, one that Jamf said most likely won’t run without the user manually bypassing an Apple Gatekeeper check.

The attackers here try to convince the victim they need their specific PDF viewer to view a ‘sensitive’ document sent to them, but really it acts only as a dropper to download the second stage of the campaign, which is also an application that is disguised as an identical PDF viewer.

PDF viewer number two isn’t written in AppleScript, but rather in Objective-C, and using Apple’s PDFKit framework it functions as a legitimate PDF viewer app.

This app is the second stage of the malware but its capabilities are only unlocked when it’s used to open a malicious PDF, like a lock and key. If the malicious PDF is opened in Apple’s Finder app, for example, the PDF will only display one page prompting the target to open it in the malicious app, which purports to function for internal company documents only.

Once the app reads the malicious PDF, it looks for a specific blob of data which, if found, will trigger the app to generate a new nine-page, seemingly legitimate PDF, making it seem like the app was indeed necessary to open the file.

The completion of this process triggers the establishment of the attackers’ C2 infrastructure through which additional payloads can be downloaded, after the victim’s machine and OS version information are retrieved.

“This PDF viewer technique used by the attacker is a clever one,” said Jamf. “At this point, in order to perform analysis, not only do we need the stage-two malware but we also require the correct PDF file that operates as a key in order to execute the malicious code within the application.”

From there, the stage three payloads are downloaded and executed. There are two that are identified currently, one by Jamf and another by Elastic in June – both are written in Rust.

Jamf said ObjCShellz is thought to be a later-stage-stage payload in this attack chain, the full extent of which isn’t currently determined.

SentinelOne’s analysis suggests there are two stage-three payloads known to researchers, the most recent of which has persistence capabilities. 

It also noted in its writeup that it was aware of a next-stage malware beyond stage three but was unable to obtain a sample of it. It’s not clear whether that next stage was ObjCShellz or another strain that’s yet to be analyzed. ®

Source