lazarusholic


BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence

2024-11-07, SentinelOne
https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/
#BlueNoroff #HiddenRisk #macOS

Executive Summary
- SentinelLabs has observed a suspected DPRK threat actor targeting Crypto-related businesses with novel multi-stage malware.
- We assess with high confidence that the same actor is responsible for earlier attacks attributed to BlueNoroff and the RustDoor/ThiefBucket and RustBucket campaigns.
- SentinelLabs observed the use of a novel persistence mechanism abusing the Zsh configuration file zshenv.
- The campaign, which we dubbed ‘Hidden Risk’, uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file.
Overview
Cryptocurrency-related businesses have been targets of North Korean-affiliated threat actors for some time now, with multiple campaigns aiming to steal funds and/or insert backdoor malware into targets. In April 2023, researchers detailed an APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. ‘RustBucket’, as they labeled it, was attributed with strong confidence to the …

IoC
