Security researchers have discovered a new malware variant believed to be associated with the Bluenoroff Advanced Persistent Threat (APT) group.
Bluenoroff is known for its financially motivated campaigns, often aimed at cryptocurrency exchanges, venture capital firms and banks. In an advisory published today, Jamf Threat Labs said the discovery was made during routine threat hunting, when the team found a Mach-O universal binary communicating with a previously identified malicious domain.
The standalone binary, named “ProcessRequest”, attracted attention because of its interaction with a previously flagged domain. Notably, a legitimate cryptocurrency exchange operates under a similar domain, which heightens the concern.
Jamf researcher Ferdous Saljooki said the activity is consistent with Bluenoroff’s RustBucket campaign, in which the APT group poses as an investor or headhunter to gain access to its targets.
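The Mach-O universal binary mentioned above packs one slice per CPU architecture behind a big-endian fat header. The following Python is an added triage helper, not Jamf's code and not taken from the advisory: it enumerates the slices of a fat Mach-O, checks that each slice's embedded mach_header_64 agrees with the fat_arch entry that describes it, and runs against a constructed two-slice sample built inline (the sample is not the ProcessRequest binary; it contains no load commands and cannot execute).

```python
import struct

# Constants from Apple's <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE          # fat header is always big-endian
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header, little-endian on x86_64 and arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_fat_header(data: bytes):
    """Enumerate the slices of a universal (fat) Mach-O.

    Returns a list of dicts, one per slice, or None when `data` is not a fat
    binary (a thin Mach-O starts with MH_MAGIC_64 instead).
    Raises ValueError when the fat_arch table points outside the file.
    """
    if len(data) < 8:
        return None
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return None
    slices = []
    pos = 8
    for _ in range(nfat):
        if pos + 20 > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, cpusubtype, offset, size, align = struct.unpack(">iiIII", data[pos:pos + 20])
        pos += 20
        if offset + size > len(data) or size < 32:
            raise ValueError(f"slice at offset {offset:#x} lies outside the file or is too small")
        # The embedded mach_header_64 is little-endian for both x86_64 and arm64.
        slice_magic, slice_cputype = struct.unpack("<Ii", data[offset:offset + 8])
        slices.append({
            "arch": CPU_NAMES.get(cputype, f"unknown({cputype:#x})"),
            "offset": offset,
            "size": size,
            "align": 1 << align,
            # A malformed or deliberately inconsistent file fails here: the slice
            # must start with a 64-bit Mach-O header and declare the same CPU
            # type that its fat_arch entry advertises.
            "header_ok": slice_magic == MH_MAGIC_64 and slice_cputype == cputype,
        })
    return slices


def build_sample_universal_binary() -> bytes:
    """Constructed sample (not a real program): two page-aligned slices whose
    contents are bare mach_header_64 structures with no load commands."""
    def mach_header_64(cputype: int, cpusubtype: int) -> bytes:
        # magic, cputype, cpusubtype, filetype (MH_EXECUTE = 2), ncmds,
        # sizeofcmds, flags, reserved
        return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 0, 0, 0, 0)

    arches = [(CPU_TYPE_X86_64, 3), (CPU_TYPE_ARM64, 0)]   # CPU_SUBTYPE_*_ALL
    image = bytearray(0x3000)
    fat = struct.pack(">II", FAT_MAGIC, len(arches))
    for i, (cputype, cpusubtype) in enumerate(arches):
        offset = 0x1000 * (i + 1)                 # 4 KiB alignment, as real fat files use
        header = mach_header_64(cputype, cpusubtype)
        image[offset:offset + len(header)] = header
        fat += struct.pack(">iiIII", cputype, cpusubtype, offset, len(header), 12)
    image[:len(fat)] = fat
    return bytes(image)


def triage(data: bytes) -> dict:
    """Summarise what a hunter wants to know first: which architectures the
    file carries and whether every slice is internally consistent."""
    slices = parse_fat_header(data)
    if slices is None:
        return {"universal": False, "arches": [], "consistent": None}
    return {
        "universal": True,
        "arches": [s["arch"] for s in slices],
        "consistent": all(s["header_ok"] for s in slices),
    }


if __name__ == "__main__":
    print(triage(build_sample_universal_binary()))
```

The consistency check matters during triage because tooling that trusts the fat_arch table alone can be shown a different architecture than the loader will actually run; comparing the two headers is a cheap way to spot a tampered or malformed file before deeper analysis.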
The malicious domain was registered in May 2023 and resolved to a specific IP address. Although various URLs were used for malware communication, the command-and-control (C2) server did not respond and eventually went offline after the researchers' analysis.
In the technical write-up, Saljooki explained that the malware is written in Objective-C and functions as a simple remote shell, executing shell commands sent from the attacker's server.
Although the initial access method remains unclear, the malware appears to be used in later stages to manually execute commands after a system has been compromised. The malware, named ObjCShellz, communicates with the C2 server by sending a message to a specific URL, collecting information about the infected macOS system and constructing a user agent for that communication.
The malware's ability to execute commands is significant because it gives the attacker remote control over compromised systems.
“Although fairly simple, this malware is still very functional and will help attackers carry out their objectives. This seems to be a theme with the latest malware we have seen from this APT group,” Saljooki wrote.
“Based on earlier attacks carried out by Bluenoroff, we suspect that this malware was a late stage within multi-stage malware delivered through social engineering.”