The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks.
Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated.
BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.
The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. They assess it to be a later-stage variant of BlueNoroff’s RustBucket malware because the two share similar characteristics.
A later-stage malware is one that is executed after the attacker has already gained initial access; it is used for data exfiltration, lateral movement within the network, or maintaining persistence.
The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a fake crypto exchange website on this fake domain to trick users.
The malware is ad-hoc signed and splits its C2 URL into two separate strings to evade detection. The IP address researchers identified (104.168.214.151) was also linked to the same APT actor in their previous campaigns.
“We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted in their blog post.
ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads.
ObjCShellz is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST request to the look-alike URL, gathers information about its own process, and then reads operatingSystemVersionString to determine the macOS version.
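The behaviour described above (an ad-hoc signed binary that talks to a look-alike of swissborg.com or to the reported IP and then runs shell commands) can be turned into a simple detection. The following is an added example, not code from Jamf or Hackread; the endpoint telemetry lines, the process name "updater" and the look-alike domain "swissborgblog.com" are constructed, and the IP is the one quoted in the article.

```python
import re

LEGIT_DOMAIN = "swissborg.com"
C2_IP = "104.168.214.151"  # IP reported in the article

# Constructed endpoint telemetry: time|process|code_signature|event|detail
SAMPLE_LOG = """\
2023-10-02T09:14:01Z|Safari|apple|net_connect|swissborg.com:443
2023-10-02T09:15:12Z|updater|adhoc|net_connect|swissborgblog.com:443
2023-10-02T09:15:13Z|updater|adhoc|exec|/bin/sh -c sw_vers
2023-10-02T09:16:40Z|curl|apple|net_connect|104.168.214.151:80
2023-10-02T09:17:02Z|Terminal|apple|exec|/bin/zsh -l
"""

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss brand spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, legit=LEGIT_DOMAIN):
    """True for domains that imitate the legitimate brand but are not it."""
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return False  # the real domain and its subdomains are fine
    labels = host.split(".")
    if len(labels) < 2:
        return False
    brand = legit.split(".")[0]
    sld = labels[-2]  # registrable label, e.g. "swissborgblog"
    return brand in sld or edit_distance(brand, sld) <= 2

def analyze(log_text):
    """Return one alert string per suspicious event in the telemetry."""
    alerts = []
    for line in log_text.splitlines():
        ts, proc, sig, event, detail = line.split("|", 4)
        if event == "net_connect":
            host = detail.rsplit(":", 1)[0]
            if host == C2_IP:
                alerts.append(f"{ts} {proc}: connection to known C2 IP {host}")
            elif is_lookalike(host):
                alerts.append(f"{ts} {proc}: connection to lookalike domain {host}")
        elif event == "exec" and sig == "adhoc" and re.match(r"/bin/(ba|z)?sh\b", detail):
            alerts.append(f"{ts} {proc}: ad-hoc signed binary spawned a shell ({detail})")
    return alerts
```

Run against SAMPLE_LOG it raises three alerts: the look-alike connection, the shell spawned by the ad-hoc signed process, and the connection to the reported IP.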
Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.
The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter or investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.
Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s activities. Earlier in November, Elastic Security Labs detected Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers.
Back in 2021, AT&T Alien Labs researchers discovered that threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers reported that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.
To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.
Ngoc Bui, a cybersecurity expert at the California-based browser security firm Menlo Security, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that the group has been active since 2016-2017 and that its key targets are financial entities in Europe and North America.
“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe,” explained Bui. “BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”
About the group’s RustBucket malware, Bui noted that this backdoor is written in Rust and collects basic system details before contacting the C2.
“RustBucket is a backdoor written in Rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui said.
Bui believes that Jamf Threat Labs’ discovery is significant because it highlights that the actor is continually improving its malware strains.
“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”
Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”
Colorado-based cybersecurity advisory services provider Coalfire’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.
“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.”
“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development,” said Baratt.
“Historically, it can be seen in VT as it has been used as a test run for a piece of malware, as a crossover for detection, then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe, and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt explained.