North Korean ‘BlueNoroff’ group targeting financial institutions with macOS malware

A North Korean government-backed hacking group is targeting financial institutions with malware affecting macOS.

Researchers at the security firm Jamf said in a new report that an advanced persistent threat group known as BlueNoroff is targeting cryptocurrency exchanges, venture capital firms and banks with financially motivated attacks.

The U.S. Treasury Department considers BlueNoroff APT hackers a subgroup of Lazarus, the most notorious North Korea-based government hackers tracked by researchers and governments.

The latest campaign — which Jamf Threat Labs researchers aligned with a previous campaign they called “Rustbucket” —- involves malware that can exploit Mac devices.

The researchers told Recorded Future News that the simplicity of the malware, which they call ObjCShellz, is what stood out most to them.

“Most malware is highly complex whereas this malware appears to be a bit lazy with minimal features,” a spokesperson said.

“The malware does not directly resemble other malware that we're aware of from a code perspective. That being said, since it's simplistic, there isn't much to go off of. The domain held within the code and the fact that it's able to receive and carry out commands from that domain are the major red flags.”

The researchers became interested in it after discovering malware that had not been submitted to VirusTotal, a repository for malicious software. Submissions from Japan and the U.S. were made in September and October after they had begun looking into the malware.

They found other clues that piqued their interest, including the fact that it communicated with a domain that appeared to be linked to a crypto company. Jamf Threat Labs said BlueNoroff typically “creates a domain that looks like it belongs to a legitimate crypto company in order to blend in with network activity.”

In this case, the group was communicating with the domain swissborg[.]blog, a knock-off of the crypto exchange swissborg.com/blog registered on May 31.

“The activity seen here greatly aligns with the activity we’ve seen from BlueNoroff in what Jamf Threat Labs tracks as the Rustbucket campaign where the actor reaches out to a target claiming to be interested in partnering with or offering them something beneficial under the disguise of an investor or head hunter,” they said.

It is still unclear how the initial access is gained by the hackers but they suspect the malware is delivered through social engineering attacks. It is then used at a later stage in the attack and delivers information about the macOS device and more.

Ngoc Bui, a cybersecurity expert at Menlo Security, noted that the group has previously used phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems.

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection,” Bui said, adding that the strain dangerous because it is masked as legitimate software.

“For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

In 2019, the U.S. Treasury Department sanctioned the group and said BlueNoroff was “formed by the North Korean government to earn revenue illicitly in response to increased global sanctions.”

“Bluenoroff conducts malicious cyber activity in the form of cyber-enabled heists against foreign financial institutions on behalf of the North Korean regime to generate revenue, in part, for its growing nuclear weapons and ballistic missile programs,” they said.

“Cybersecurity firms first noticed this group as early as 2014, when North Korea’s cyber efforts began to focus on financial gain in addition to obtaining military information, destabilizing networks, or intimidating adversaries.”

By 2018, the Treasury said, the group had attempted to steal more than $1.1 billion from targets and had carried out attacks against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.

One of its most notable attacks included the theft of $80 million dollars from the Central Bank of Bangladesh’s New York Federal Reserve account.

Russian security firm Kaspersky said it linked BlueNoroff to numerous hacks at cryptocurrency companies in Russia, Poland, Slovenia, Ukraine, the Czech Republic, China, India, the U.S., Hong Kong, Singapore, the United Arab Emirates and Vietnam.

The group is accused of stealing $55 million from the bZx DeFi platform in 2021. North Korea’s state-sponsored hacking groups have been accused of stealing the equivalent of billions of dollars from victims worldwide, which the North Korean regime allegedly uses to fund its nuclear missile program.