Security researchers have discovered a new macOS backdoor, dubbed SpectralBlur, that shares many traits with a known malware family attributed to the Lazarus Group, the North Korean hacking group already responsible for numerous attacks against governments and organisations around the world.
What is known about SpectralBlur
“SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate or sleep, based on commands issued by the command and control server,” said security researcher Greg Lesnewich.
The malware has similarities with KANDYKORN (aka SockRacket), an advanced implant that acts as a remote access Trojan capable of taking control of a compromised host.
It is worth noting that KANDYKORN's activity also overlaps with another campaign run by the Lazarus subgroup known as BlueNoroff (aka TA444), which produced a backdoor called RustBucket and a late-stage payload named ObjCShellz.
In recent months, the threat actors have been observed combining elements of these two infection chains, using the RustBucket dropper to deliver KANDYKORN.
The latest findings are a further sign that North Korean threat actors are increasingly targeting macOS to infiltrate high-value targets, in particular those in the cryptocurrency and blockchain sectors.
“TA444 continues to move fast and furious with these new macOS malware families,” Lesnewich said.
Security researcher Patrick Wardle, who shared further details on the inner workings of SpectralBlur, noted that the Mach-O binary was uploaded to the VirusTotal malware-scanning service in August 2023 from Colombia.
The functional similarities between KANDYKORN and SpectralBlur have raised the possibility that they may have been developed by different creators who had the same requirements in mind.
What sets the malware apart are its attempts to hinder analysis and evade detection, including the use of grantpt to set up a pseudoterminal and execute the shell commands received from the C2 server through it, so that the spawned shell behaves as if it were running in an interactive terminal session.
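To make the pseudoterminal point concrete, the following is an added illustration (written for this article, not SpectralBlur's own code, whose command protocol is not reproduced here) of what a pty-backed command execution looks like with the standard POSIX API: posix_openpt, grantpt, unlockpt and ptsname allocate the terminal pair, a child shell adopts the slave side as its controlling terminal, and the operator reads the shell's output from the master side. The command string "tty; echo spectral-test" is a constructed sample input; run_in_pty is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added example, not SpectralBlur's code: run `cmd` under /bin/sh attached to a
 * freshly allocated pseudoterminal and return everything the shell wrote to it
 * (malloc'd, caller frees), or NULL on error.
 */
char *run_in_pty(const char *cmd)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return NULL;

    /* grantpt fixes ownership/mode of the slave node; unlockpt makes it openable */
    if (grantpt(master) < 0 || unlockpt(master) < 0) {
        close(master);
        return NULL;
    }

    const char *name = ptsname(master);      /* e.g. /dev/pts/3 on Linux */
    if (name == NULL) {
        close(master);
        return NULL;
    }
    /* open the slave in the parent so the first read below cannot race the child */
    int slave = open(name, O_RDWR | O_NOCTTY);
    if (slave < 0) {
        close(master);
        return NULL;
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(slave);
        close(master);
        return NULL;
    }
    if (pid == 0) {
        /* child: new session, then adopt the slave as its controlling terminal */
        close(master);
        setsid();
        ioctl(slave, TIOCSCTTY, 0);
        dup2(slave, STDIN_FILENO);
        dup2(slave, STDOUT_FILENO);
        dup2(slave, STDERR_FILENO);
        if (slave > STDERR_FILENO)
            close(slave);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    /* parent: drop our slave fd so EOF/EIO arrives on the master once the shell exits */
    close(slave);

    size_t cap = 4096, len = 0;
    char *out = malloc(cap);
    if (out == NULL) {
        close(master);               /* hangs up the session; the shell exits */
        waitpid(pid, NULL, 0);
        return NULL;
    }
    for (;;) {
        if (len + 1 >= cap) {
            cap *= 2;
            char *grown = realloc(out, cap);
            if (grown == NULL) {
                free(out);
                out = NULL;
                break;
            }
            out = grown;
        }
        ssize_t n = read(master, out + len, cap - len - 1);
        if (n <= 0)                  /* 0 (BSD/macOS) or -1/EIO (Linux): slave side closed */
            break;
        len += (size_t)n;
    }
    if (out != NULL)
        out[len] = '\0';
    close(master);
    waitpid(pid, NULL, 0);
    return out;
}

int main(void)
{
    char *out = run_in_pty("tty; echo spectral-test");   /* constructed sample command */
    if (out == NULL) {
        perror("run_in_pty");
        return 1;
    }
    /* the shell reports a real controlling terminal, and the tty line discipline
     * has turned the shell's "\n" into "\r\n" (ONLCR) before it reached the master */
    fputs(out, stdout);
    free(out);
    return 0;
}
```

Two things the example shows that matter for defenders: the spawned shell has a controlling terminal (the `tty` command prints a /dev path and `ps` lists a pts/N entry for it), so a detection rule keyed on "interactive shell with no tty" will not flag it; and everything the shell writes passes through the terminal line discipline, which is why the captured output ends in "\r\n" rather than "\n". The posix_openpt/grantpt/unlockpt sequence is ordinary libc usage, so on its own it is not malicious; the hunting lead is a non-terminal binary performing it and then feeding the resulting shell from the network.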
The disclosure comes as a total of 21 new malware families targeting macOS were discovered in 2023, including ransomware, information stealers, remote access Trojans and state-sponsored malware, up from 13 identified in 2022.
“As macOS continues to grow and become popular (especially in the enterprise!), 2024 will definitely bring a slew of new malware for macOS” concluded Wardle.
Insight: Why macOS isn't as secure as it used to be
The increase in cyber threats targeting macOS marks a significant shift in how its security is perceived. In the past, macOS was often considered more secure than Windows, mainly because of its Unix heritage and Apple's application vetting (App Store review and notarization).
Recently, however, cybercriminals have paid increasing attention to macOS, and the number of malware discoveries for the platform has grown accordingly.
Several factors explain this. The growing popularity of macOS, especially in the enterprise, makes it a more attractive target for attackers. At the same time, the widespread belief that macOS is practically invulnerable may have led users and software developers to pay less attention to security. This change of scenario calls for a review of security practices for macOS users, who must now be aware of the growing risks and take proactive measures to protect their systems.
Furthermore, the SpectralBlur case shows that malware developers are becoming more sophisticated in building backdoors and Trojans for macOS. The use of techniques such as running C2 shell commands through a pseudoterminal highlights the need for constant vigilance and up-to-date defences. Users and companies that rely on macOS should be aware of this changing landscape and adopt more robust security measures to protect their data and online operations.
#SpectralBlur #macOS #backdoor #Lazarus #group