Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea

Pierluigi Paganini January 06, 2024

Researchers discovered a macOS backdoor, called SpectralBlur, which shows similarities with a North Korean APT’s malware family.

Security researcher Greg Lesnewich discovered a backdoor, called SpectralBlur, that targets Apple macOS. The backdoor shows similarities with the malware family KANDYKORN (aka SockRacket), which was attributed to the North Korea-linked Lazarus sub-group known as BlueNoroff (aka TA444).

KandyKorn is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections,” notes Elastic Security, which identified and analyzed the threat.” reads the report published by Elastic.

SpectralBlur is not a sophisticated malware, it supports ordinary backdoor capabilities, including uploading/downloading files, running a shell, updating its configuration, deleting files, hibernating or sleeping, based on commands issued from the C2.

“TA444 keeps running fast and furious with these new MacOS malware families. Looking for similar strings lead us to link SpectralBlur and KandyKorn (which were further linked to TA444 after more samples turned up, and eventually, a phishing campaign hit our visibility that pulled down KandyKorn).” concludes Lesnewich. “So knowing your Macho stuff will help track emerging DPRK capability if that is your interest!”

The latest discovery confirms the great interest of North Korea-linked threat actors in developing macOS malware to employ in targeted attacks.

In November 2023, researchers from Jamf Threat Labs discovered a new macOS malware strain dubbed ObjCShellz and attributed it to North Korea-linked APT BlueNoroff.

The experts noticed that the ObjCShellz malware shares similarities with the RustBucket malware campaign associated with the BlueNoroff APT group.

In July 2023, researchers from the Elastic Security Labs spotted a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using a new macOS malware, dubbed RustBucket.

Follow me on Twitter: @securityaffairs and Faceboo and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SpectralBlur)

you might also like

leave a comment