Cybersecurity researchers from Jamf has discovered a new macOS malware designed and distributed by the North Korean threat actor BlueNoroff.
ObjCShellz looks to execute shell commands sent from the attacker’s server, on compromised endpoints.
While Jamf couldn’t uncover how the malware was being distributed, it says that the campaign “greatly aligns” with a previous campaign called Rustbucket.
Part of Lazarus
"In this campaign, the actor reaches out to a target claiming to be interested in partnering with or offering them something beneficial under the guise of an investor or head hunter,” the researchers explained. “BlueNoroff often creates a domain that looks like it belongs to a legitimate crypto company in order to blend in with network activity."
Jamf describes BlueNoroff as a “financially motivated hacking group” known for targeting crypto exchanges, financial organizations, and banks, all over the world.
Earlier reports also describe the group as a department within the Lazarus Group, a North Korean state-sponsored threat actor blamed for some of the biggest crypto heists in history.
Allegedly, Lazarus is part of the Reconnaissance General Bureau (RGB), the main intelligence agency of North Korea.
The researchers described ObjCShellz as a “fairly simple” but very functional malware that gets the job done. “This seems to be a theme with the latest malware we've seen coming from this APT group," Jamf said.
"Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering."
The last time we heard of BlueNoroff was in early July this year, when cybersecurity researchers from Elastic Security Labs found a new version of Rustbucket, targeting macOS endpoints.
The new version was said to be more persistent and harder to detect.
More from TechRadar Pro
- This sneaky new malware is targeting macOS devices without them noticing - here's what you need to know
- Here's a list of the best firewalls today
- These are the best malware removal tools right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.