New BlueNoroff Malware Variant Targets Cryptocurrency Exchanges
Security researchers have uncovered a new malware variant believed to be associated with the BlueNoroff Advanced Persistent Threat (APT) group.
BlueNoroff is known for its financially motivated campaigns, often targeting cryptocurrency exchanges, venture capital firms and banks. Writing in an advisory published today, Jamf Threat Labs said the discovery came during routine threat hunting, where the team found a Mach-O universal binary communicating with a previously identified malicious domain.
The standalone binary, named “ProcessRequest,” has drawn attention due to its interaction with a previously flagged domain. Notably, a legitimate cryptocurrency exchange operates under a similar domain, further increasing concerns.
Jamf researcher Ferdous Saljooki said the activity aligns with BlueNoroff’s Rustbucket campaign, where the APT group disguises itself as an investor or headhunter to gain access to its targets.
Read more on BlueNoroff: “Mysterious Elephant” Emerges, Kaspersky Reports
The malicious domain was registered in May 2023 and resolved to a specific IP address. While various URLs were used for malware communication, the command-and-control (C2) server remained unresponsive, ultimately going offline after their analysis.
In the technical write-up, Saljooki explained the malware is written in Objective-C and functions as a simple remote shell, executing shell commands sent from the attacker server.
Though the initial access method remains unclear, it appears to be used in later stages to manually run commands after compromising a system. The malware, dubbed ObjCShellz, communicates with the C2 server using a POST message to a specific URL, gathering information about the infected macOS system and creating a user-agent for the communication.
The malware’s ability to execute commands is noteworthy, as it allows the attacker to have remote control over compromised systems.
“Although fairly simple, this malware is still very functional and will help attackers carry out their objectives. This seems to be a theme with the latest malware we’ve seen coming from this APT group,” Saljooki wrote.
“Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering.”