- BlueNoroff is a cybercriminal group believed to be connected to the North Korean government
- Security experts found a Mach-O universal binary communicating with a malicious domain
- The malware disguises itself as a recruiter or investor to gain access to its targets
Security researchers have found new malware thought to be linked to the BlueNoroff Advanced Persistent Threat (APT) group, Infosecurity Magazine wrote. The group's attacks are financially motivated, aimed mainly at banks, VC firms, crypto exchanges, and other financial platforms.
Why is BlueNoroff dangerous?
BlueNoroff is a term that is often used to refer to a specific cybercriminal group or threat actor associated with North Korea. It is one of several cybercriminal groups believed to be connected to the North Korean government and is known for conducting cyberattacks for various purposes, including financial gain and espionage.
Cybersecurity researchers and experts have identified and tracked the activities of BlueNoroff and have linked it to various high-profile cyber incidents. The group is believed to be part of the broader North Korean cyber threat landscape, which includes other groups, like Lazarus.
A legitimate exchange operates under a similar domain
Infosecurity Magazine cites a document by industry experts Jamf Threat Labs, who made the discovery during a routine security inspection. Jamf found a Mach-O universal binary communicating with a previously identified malicious domain.
ProcessRequest, the standalone binary, drew attention because of this communication. A legitimate cryptocurrency exchange operates under a similar domain, giving even more cause for concern.
The malware gains remote control of systems
According to Jamf researcher Ferdous Saljooki, cited by Infosecurity, the operation is akin to BlueNoroff’s Rustbucket campaign, where the APT group disguises itself as a recruiter or investor to gain access to its targets.
The attackers registered the malicious domain in May 2023; following the security analysis, their command-and-control (C2) server went offline. The malware operates as a simple remote shell, executing whatever shell commands the server sends. The attackers use it to run commands manually once a system is compromised.
This capability is worrying because it lets the attacker control compromised systems remotely. According to Saljooki, the malware was a late-stage component of a multi-stage malware chain delivered through social engineering.
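The remote-shell behaviour described above leaves a recognisable trace in endpoint telemetry: a process that first opens an outbound connection and then spawns a shell. The following is an added detection sketch written for this article, not Jamf's code; the event format, the paths and the 203.0.113.x addresses are constructed sample data.

```python
"""Heuristic for the remote-shell pattern described in the article: flag any
process that opens an outbound connection and afterwards spawns a shell."""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

# Constructed telemetry (not real Jamf data): (timestamp, event, pid, detail).
# "exec" = process image started, "connect" = outbound socket, "spawn" = child.
SAMPLE_EVENTS = [
    (1, "exec", 501, "/Users/demo/Downloads/ProcessRequest"),   # hypothetical path
    (2, "connect", 501, "203.0.113.10:443"),
    (3, "spawn", 501, "/bin/sh"),                               # shell after C2 contact
    (4, "exec", 777, "/usr/bin/curl"),
    (5, "connect", 777, "203.0.113.20:443"),                    # network only: benign
    (6, "exec", 888, "/Applications/Terminal.app/Contents/MacOS/Terminal"),
    (7, "spawn", 888, "/bin/zsh"),                              # shell, no connection
]


def find_remote_shells(events):
    """Return {pid: image} for processes that connected out and then spawned a shell.

    Events must be in time order. Assumes pids are not reused within the window,
    which is an assumption of this sketch, not a guarantee of any real sensor.
    """
    image = {}        # pid -> executable path seen at exec
    connected = set() # pids that have made at least one outbound connection
    hits = {}
    for _ts, kind, pid, detail in events:
        if kind == "exec":
            image[pid] = detail
        elif kind == "connect":
            connected.add(pid)
        elif kind == "spawn" and detail in SHELLS and pid in connected:
            hits[pid] = image.get(pid, "<unknown>")
    return hits


if __name__ == "__main__":
    for pid, path in find_remote_shells(SAMPLE_EVENTS).items():
        print(f"possible remote shell: pid={pid} image={path}")
```

Real sensors (Endpoint Security on macOS, an EDR) emit richer events; the ordering rule is the part worth keeping, since a terminal that spawns a shell without prior network activity, or a downloader that connects without spawning one, should not fire.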