Jamf Threat Labs has discovered a new malware strain that appears to be connected to BlueNoroff, a group that often attacks businesses in the financial sector.
The discovery came about during Jamf's regular security checks. They found software for Mac computers secretly connecting to a known malicious internet domain, although Jamf didn't mention a particular program that Mac users should be aware of.
What made the find particularly intriguing was that this software was not recognized as a threat by VirusTotal, a popular website used to check suspicious files, at the time of uploading by Jamf.
The program is cleverly disguised, using a digital signature that initially appears legitimate. It communicates with a server that, while appearing to be associated with a legitimate cryptocurrency platform, is controlled by the attackers.
BlueNoroff signature move
The method of operation aligns with the BlueNoroff group's established strategies. These typically involve creating counterfeit domains that mirror reputable companies, which helps them evade detection and entice their targets.
The fraudulent domain was set up in late May 2023, and the malware uses it to send and receive information. Jamf's analysis revealed that while they were investigating, the server behind the domain stopped responding, possibly because the attackers became aware of the scrutiny.
Further analysis by Jamf indicated that the malware was designed using Objective-C, a programming language used for Mac software. The malware acts like a remote control for the infected computer, allowing the attackers to send commands and control the system after they have breached it.
Upon activation, the malware sends a signal to the attacker-controlled domain, disguising its communications as regular internet traffic. It also collects and sends information about the infected computer, such as the version of the macOS operating system it is running.
Despite its simplicity, the malware is effective and aligns with BlueNoroff's approach of using straightforward tools to infiltrate and manipulate compromised systems. Jamf has named this particular threat "ObjCShellz" and considers it a part of the larger RustBucket campaign, which tracks the activities of BlueNoroff.
How Mac users can protect themselves from ObjCShellz
Mac users can protect themselves from malware by keeping their operating systems and apps updated. It's important to download apps from reputable sources like the Mac App Store or the developers' websites.
Being cautious with email attachments and links, using the built-in firewall, and only installing apps from the Mac App Store or recognized developers can also help. Regular backups, strong, unique passwords managed by a password manager, and staying alert for signs of phishing are crucial.
Finally, monitoring financial accounts for unauthorized transactions can detect potential breaches early.