Security researchers have discovered a new malware variant, ObjCShellz, attributed to the BlueNoroff group. The group is already known for several campaigns against the financial sector, with a marked preference for cryptocurrency exchanges and banking institutions.
The new version of the malware, identified by Jamf Threat Labs, came to light when researchers examined a universal binary (a Mach-O file carrying both an Intel and an Apple silicon slice, so it runs natively on either kind of Mac) that was communicating with a previously unknown malicious domain.
The binary, named ProcessRequest, attracted the experts' attention because the domain it contacted resembled others previously involved in various malware campaigns.
Jamf researcher Ferdous Saljooki stated that the activity identified is in line with the RustBucket campaign, attributed to the same North Korean hacking group behind ObjCShellz. In that campaign the APT group poses as an investor or a similar figure to get potential victims to lower their guard.
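When a suspicious Mac binary lands on an analyst's desk, the first question is what kind of file it is and which CPU slices it carries. The following is an added example, not code from Jamf or from the malware, that reads the fat (universal) and thin Mach-O headers by hand; the sample headers it parses are constructed inline and contain no code, and the hexadecimal offsets and sizes in them are placeholders.

```python
import struct

# Mach-O constants (from <mach-o/fat.h> and <mach-o/loader.h>).
FAT_MAGIC = 0xCAFEBABE      # fat header, big-endian, 32-bit fat_arch entries
FAT_MAGIC_64 = 0xCAFEBABF   # fat header with 64-bit fat_arch_64 entries
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O (stored little-endian on x86_64/arm64)
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O
CPU_TYPE_NAMES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}


def describe_macho(data: bytes) -> dict:
    """Classify a blob as a universal (fat) Mach-O, a thin Mach-O, or neither,
    and list the CPU slices it carries. Only headers are read; nothing is executed."""
    if len(data) < 8:
        return {"kind": "not-mach-o", "archs": []}
    magic_be = struct.unpack(">I", data[:4])[0]
    magic_le = struct.unpack("<I", data[:4])[0]

    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java class files start with the same 0xCAFEBABE; their next field is a
        # class-file version (>= 0x2D), far larger than any plausible slice count.
        if nfat == 0 or nfat > 0x2C:
            return {"kind": "not-mach-o", "archs": []}
        entry_fmt = ">IIIII" if magic_be == FAT_MAGIC else ">IIQQII"
        entry_size = struct.calcsize(entry_fmt)
        archs = []
        for i in range(nfat):
            off = 8 + i * entry_size
            if len(data) < off + entry_size:
                return {"kind": "truncated-universal", "archs": archs}
            cputype, _subtype, offset, size = struct.unpack(entry_fmt, data[off:off + entry_size])[:4]
            archs.append({"cputype": CPU_TYPE_NAMES.get(cputype, hex(cputype)),
                          "offset": offset, "size": size})
        return {"kind": "universal", "archs": archs}

    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        cputype = struct.unpack("<I", data[4:8])[0]
        return {"kind": "thin",
                "archs": [{"cputype": CPU_TYPE_NAMES.get(cputype, hex(cputype)),
                           "offset": 0, "size": len(data)}]}

    return {"kind": "not-mach-o", "archs": []}


def slice_names(data: bytes) -> list:
    """Just the architecture names, in header order."""
    return [a["cputype"] for a in describe_macho(data)["archs"]]


def build_sample_universal() -> bytes:
    """Constructed sample: a fat header advertising x86_64 and arm64 slices.
    Offsets and sizes are placeholders; no slice bodies follow the header."""
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">IIIII", 0x01000007, 0x00000003, 0x4000, 0x1000, 14)  # x86_64, align 2^14
    hdr += struct.pack(">IIIII", 0x0100000C, 0x00000000, 0x8000, 0x1000, 14)  # arm64
    return hdr


def build_sample_thin_arm64() -> bytes:
    """Constructed sample: the 32-byte mach_header_64 of an arm64 MH_EXECUTE file."""
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, 0, 0)


if __name__ == "__main__":
    for name, blob in (("universal", build_sample_universal()), ("thin", build_sample_thin_arm64())):
        print(name, describe_macho(blob))
```

On a Mac, `file` and `lipo -info` give the same answer; the manual check is useful when triaging on a Linux analysis box, and the slice offsets it returns are what you need to carve out each architecture and hash it separately, since each slice has its own hash.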
ObjCShellz: How does this fearsome malware spread?
The malicious domain was registered in May 2023 and pointed at a specific IP address. Although several URLs were used for the malware's communications, the command-and-control (C2) server did not respond during analysis and eventually went offline.
In the technical write-up, Saljooki explained that the malware is written in Objective-C and functions as a simple remote shell, executing the shell commands sent by the attacker's server.
The malware contacts the C2 server with an HTTP POST request to a specific URL, collecting information about the infected macOS system and constructing its own User-Agent string for the connection.
What makes ObjCShellz noteworthy is its command-execution capability, which gives the attacker full remote control over the compromised system.
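The traits described above (a freshly registered domain, repeated HTTP POSTs to one URL, a User-Agent the fleet has never sent before) are exactly what a proxy-log hunt can key on without knowing the specific domain or hash. The following is an added example, not Jamf's detection logic or any indicator from their report: it scores outbound POSTs over a constructed proxy log. The hostnames, User-Agent strings, registration dates, weights and the 180-day "young domain" cutoff are all assumptions chosen for the sample; in practice the baseline comes from your own proxy history and the domain ages from a WHOIS or passive-DNS source.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed baseline: full User-Agent strings the (hypothetical) Mac fleet was seen
# sending over the previous 30 days. Real deployments build this from proxy history.
BASELINE_UAS = {
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15",
    "com.apple.SoftwareUpdate/1.0 CFNetwork/1485 Darwin/23.1.0",
}

# Constructed stand-in for a WHOIS / domain-age lookup (hostname -> registration date).
DOMAIN_REGISTERED = {
    "updates.example.com": datetime(2015, 3, 1),
    "telemetry.example.net": datetime(2012, 6, 10),
    "invest-portfolio.example.invalid": datetime(2023, 5, 15),
}

# Constructed proxy log, tab-separated: timestamp, client IP, method, URL, User-Agent.
SAMPLE_LOG = (
    "2023-10-31T09:01:12Z\t10.0.0.15\tGET\thttps://updates.example.com/catalog.sucatalog\t"
    "com.apple.SoftwareUpdate/1.0 CFNetwork/1485 Darwin/23.1.0\n"
    "2023-10-31T09:03:40Z\t10.0.0.15\tPOST\thttps://telemetry.example.net/v1/events\t"
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15\n"
    "2023-10-31T09:05:02Z\t10.0.0.22\tPOST\thttps://invest-portfolio.example.invalid/api/v1/submit\t"
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0) SampleAgent/1.0\n"
    "2023-10-31T09:06:30Z\t10.0.0.22\tPOST\thttps://invest-portfolio.example.invalid/api/v1/submit\t"
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0) SampleAgent/1.0\n"
    "2023-10-31T09:08:00Z\t10.0.0.31\tPOST\thttps://files.example.org/upload\t"
    "com.apple.SoftwareUpdate/1.0 CFNetwork/1485 Darwin/23.1.0\n"
)

REASON_WEIGHTS = {
    "novel-user-agent": 2,    # UA never seen in the fleet baseline
    "young-domain": 2,        # registered within the last `young_days`
    "unknown-domain-age": 1,  # no registration data available
    "repeated-posts": 1,      # same client POSTing to the same host more than once
}


def parse_log(text: str) -> list:
    """Parse the constructed tab-separated proxy log into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split("\t", 4)
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "host": urlparse(url).hostname or "",
            "url": url,
            "ua": ua,
        })
    return rows


def domain_age_days(host: str, when: datetime):
    """Days between registration and `when`, or None when the domain is unknown."""
    registered = DOMAIN_REGISTERED.get(host)
    return None if registered is None else (when - registered).days


def find_suspicious_posts(rows: list, baseline_uas=BASELINE_UAS,
                          young_days: int = 180, threshold: int = 3) -> list:
    """Group outbound POSTs by (client, host), score each group additively over
    REASON_WEIGHTS, and return the groups scoring at or above `threshold`."""
    groups = {}
    for r in rows:
        if r["method"] != "POST":
            continue
        key = (r["client"], r["host"])
        g = groups.setdefault(key, {"client": r["client"], "host": r["host"],
                                    "count": 0, "reasons": set()})
        g["count"] += 1
        if r["ua"] not in baseline_uas:
            g["reasons"].add("novel-user-agent")
        age = domain_age_days(r["host"], r["ts"])
        if age is None:
            g["reasons"].add("unknown-domain-age")
        elif age < young_days:
            g["reasons"].add("young-domain")

    alerts = []
    for g in groups.values():
        if g["count"] > 1:
            g["reasons"].add("repeated-posts")
        g["score"] = sum(REASON_WEIGHTS[reason] for reason in g["reasons"])
        g["reasons"] = sorted(g["reasons"])
        if g["score"] >= threshold:
            alerts.append(g)
    return sorted(alerts, key=lambda g: g["score"], reverse=True)


if __name__ == "__main__":
    for alert in find_suspicious_posts(parse_log(SAMPLE_LOG)):
        print(alert["client"], "->", alert["host"], "score", alert["score"], alert["reasons"])
```

The weights are deliberately conservative: a novel User-Agent alone is common (every app update changes one), so on its own it stays below the threshold, and only the combination with a young or unknown destination and a repeating POST pattern surfaces the host. The C2 in this case was already offline when analysed, which is a reminder that the log evidence of the beacon usually outlives the server.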
In Saljooki's words: “Although quite simple, this malware is still very functional and will help attackers achieve their goals. This appears to be a theme related to the latest malware we’ve seen coming from this APT group”.
The same researcher then added: “Based on previous attacks performed by BlueNoroff, we suspect that this malware was an advanced stage of a multi-stage malware distributed via social engineering techniques”.