- BlueNoroff seen targeting crypto businesses with new piece of malware
- The malware establishes persistence and opens up a back door
- It can download additional payloads, run Shell commands, and more
Devious North Korean state-sponsored threat actors known as BlueNoroff have been spotted deploying a brand new piece of malware to attack their victims.
Cybersecurity researchers SentinelLabs sounded the alarm on the new campaign, noting BlueNoroff is a subgroup of Lazarus, an infamous North Korean organization that mostly targets cryptocurrency businesses and individuals in the West. It is attributed with some of the biggest crypto heists in history.
Usually, the group would “groom” their victims on social media, before deploying any malware. In this campaign, however, they’ve decided for a more direct approach.
Hidden Risk
As SentinelLabs explains, BlueNoroff targets its victims, mostly crypto businesses, with a phishing email seemingly forwarded from a crypto influencer.
The email contains fake news about the latest developments in the cryptocurrency sector, in the form of a .PDF file that redirects victims to a website under the attackers’ control. That website will sometimes serve a benign Bitcoin ETF document, and sometimes a malicious file called “Hidden Risk Behind New Surge of Bitcoin Price.app”.
The name is taken from a genuine academic paper from the University of Texas, the researchers added. The entire campaign is thus named “Hidden Risk”.
The malware comes in multiple stages. The first stage is a dropper app, signed with a valid Apple Developer ID, which was revoked in the meantime. This dropper will download a decoy PDF file which should keep the victim busy while the second-stage payload is deployed in the background.
This payload is called “growth”, and its goal is to establish persistence and open up a back door to the infected device. It only works on macOS devices, running on Intel or Apple silicon, with the Rosetta emulation framework. The final stage is to check in with the C2 server for new commands every minute, which include downloading and running additional payloads, running shell commands, or terminating the process.
The campaign has been active for at least a year, the researchers said.
Via BleepingComputer
English