Security experts have recently uncovered a new strain of malware linked to the BlueNoroff Advanced Persistent Threat (APT) group, a notorious entity known for its financially motivated cyber attacks on cryptocurrency exchanges, venture capital firms, and banks. The discovery was made during routine threat hunting, where researchers at Jamf Threat Labs identified a Mach-O universal binary communicating with a known malicious domain.
The standalone binary, named “ProcessRequest,” has raised red flags due to its connection to a previously identified malicious domain. Of particular concern is that the domain closely resembles that of a legitimate cryptocurrency exchange, which makes the malicious traffic harder to distinguish from legitimate activity. According to Jamf researcher Ferdous Saljooki, this activity aligns with BlueNoroff’s Rustbucket campaign, in which the group masquerades as investors or headhunters to infiltrate its targets.
The malicious domain was registered in May 2023 and pointed to a specific IP address. Despite the use of various URLs for communication, the command-and-control (C2) server remained unresponsive and eventually went offline following analysis. In a technical breakdown, Saljooki revealed that the malware, coded in Objective-C, operates as a basic remote shell, executing commands from the attacker server.
While the initial method of access remains unclear, the malware appears to be used in later stages of an intrusion for manual command execution after compromise. Dubbed ObjCShellz, the malware communicates with the C2 server via a POST request to a designated URL, collecting system information from the infected macOS device and generating a user-agent string for those requests.
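Two details above are directly actionable for defenders: the C2 domain mimics a legitimate exchange, and the implant beacons with HTTP POST requests carrying a malware-generated user-agent. The following Python script is an added example (not Jamf’s code and not part of the original report) that hunts for that pattern in web-proxy logs: it parses each request, keeps only POSTs, and flags destinations whose registrable domain is a lookalike of a known-good domain by confusable-character normalization, substring combo-squatting, or small edit distance. The domain names, log lines, user-agent strings, and the `KNOWN_GOOD` allowlist are all constructed placeholders; the real domain and IP from the report are not on this page.

```python
"""Hunt for HTTP POST beacons to lookalike domains in a constructed proxy log."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed allowlist of domains users are expected to reach (placeholders, not the
# real exchange the report refers to).
KNOWN_GOOD = {"examplexchange.com", "tradehub-example.net"}

# Constructed proxy log: "<timestamp> <src-ip> <method> <url> <status> \"<user-agent>\"".
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 10.0.0.12 GET https://examplexchange.com/markets 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"
2023-06-01T10:00:07Z 10.0.0.12 POST https://examplexchange.com/api/order 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"
2023-06-01T10:02:13Z 10.0.0.25 POST https://examp1exchange.com/update 404 "macOS-13.4/x86_64 agent/1.0"
2023-06-01T10:02:44Z 10.0.0.25 POST https://api.examplexchange.co/upload 502 "macOS-13.4/x86_64 agent/1.0"
2023-06-01T10:03:10Z 10.0.0.40 POST https://www.examplexchange-login.com/collect 200 "Mozilla/5.0"
2023-06-01T10:05:00Z 10.0.0.51 POST https://unrelatedsite.org/form 200 "curl/8.1.2"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def normalize_confusables(host: str) -> str:
    """Fold common digit/letter look-alikes so 'examp1e' compares equal to 'example'.
    Applied only to the candidate host, never to the allowlist."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
    return host.lower().translate(table).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the constructed sample; production code
    should consult the public suffix list so 'co.uk'-style TLDs are handled."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(host: str, known: Iterable[str] = KNOWN_GOOD, max_dist: int = 2) -> Optional[str]:
    """Return the known-good domain this host imitates, or None if it is allowlisted or unrelated."""
    dom = registrable(host)
    if dom in known:
        return None
    norm = normalize_confusables(dom)
    norm_sld = norm.split(".")[0]
    for good in known:
        good_sld = good.split(".")[0]
        if norm == good:                      # homoglyph / digit swap, e.g. examp1e -> example
            return good
        if good_sld in norm_sld:              # combo-squat, e.g. example-login.com, example.co
            return good
        if levenshtein(norm, good) <= max_dist:  # typo-squat within a couple of edits
            return good
    return None


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    path: str
    mimics: str
    ua: str
    browser_ua: bool  # a malware-generated UA often is not a real browser string


def find_suspicious_posts(lines: Iterable[str]) -> List[Finding]:
    """Flag POST requests whose destination imitates an allowlisted domain."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        mimics = lookalike_of(m["host"])
        if mimics is None:
            continue
        findings.append(Finding(m["ts"], m["src"], m["host"], m["path"], mimics,
                                m["ua"], m["ua"].startswith("Mozilla/")))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_posts(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} POST {f.host}{f.path} mimics={f.mimics} "
              f"browser_ua={f.browser_ua} ua={f.ua!r}")
```

Run against the constructed sample, the script flags the three POSTs to `examp1exchange.com`, `api.examplexchange.co` and `www.examplexchange-login.com` and ignores the POST to the genuine `examplexchange.com`. The `browser_ua` field is kept as context for the analyst rather than used as a filter, since a self-generated user-agent may deliberately imitate a browser; the destination lookalike is the stronger signal, and the source hosts it surfaces are the ones to examine for the `ProcessRequest` binary.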
The malware’s capability to execute commands remotely is a key feature, enabling attackers to take control of compromised systems. Saljooki noted, “Although relatively straightforward, this malware is highly functional and facilitates attackers in achieving their objectives. This trend appears consistent with recent malware associated with this APT group.”
Drawing from past attacks by BlueNoroff, it is suspected that this malware represents a later stage in a multi-step cyber attack, likely delivered through social engineering tactics. The continuous evolution of tactics and tools by threat actors like BlueNoroff underscores the importance of vigilance and robust cybersecurity measures in today’s digital landscape.