BlueNoroff strikes again with new macOS malware
Jamf Threat Labs discovered a new later-stage malware variant from BlueNoroff that shares characteristics with their RustBucket campaign. Read this blog to learn more about this malware and view the indicators of compromise.
Research led by Ferdous Saljooki.
Background
Jamf Threat Labs has identified a new malware variant attributed to the BlueNoroff APT group. BlueNoroff’s campaigns are financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms and banks. During our routine threat hunting, we discovered a Mach-O universal binary communicating with a domain that Jamf has previously classified as malicious. This executable was undetected on VirusTotal at the time of our analysis, piquing our interest.
SHA1: 79337ccda23c67f8cfd9f43a6d3cf05fd01d1588
The standalone binary, labeled ProcessRequest, is ad-hoc signed and has been observed communicating with the domain swissborg[.]blog. This raised suspicions, especially because a legitimate cryptocurrency exchange operates under the domain swissborg.com and hosts its blog at swissborg.com/blog, so the attacker's domain reads like the exchange's own. The malware splits the command and …
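To illustrate how a defender could hunt for this activity, here is an added Python example (not code from the Jamf post) that runs over constructed `key=value` endpoint log lines and flags the indicators published in this write-up, plus any host that reuses the `swissborg` label under a TLD other than the legitimate `swissborg.com`. The log format, field names (`proc`, `sig`, `sha1`, `url`, `dst`) and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators published in the Jamf Threat Labs write-up above.
IOC_SHA1 = {"79337ccda23c67f8cfd9f43a6d3cf05fd01d1588"}
IOC_HOSTS = {"104.168.214.151", "swissborg.blog"}
IOC_URLS = {"http://swissborg.blog/zxcv/bnm"}
# Legitimate domain whose registrable label the lookalike reuses under another TLD.
PROTECTED = {"swissborg.com"}

FIELD = re.compile(r"(\w+)=(\S+)")  # assumed 'key=value' log format

def parse_line(line):
    """Parse one constructed key=value log line into a dict."""
    return dict(FIELD.findall(line))

def lookalike_of(host):
    """Return the protected domain `host` imitates (same label, other TLD), else None."""
    parts = host.lower().split(".")
    if len(parts) < 2:
        return None
    for legit in PROTECTED:
        same_label = parts[-2] == legit.split(".")[0]
        # A real subdomain of the legitimate domain (blog.swissborg.com) is not a lookalike.
        if same_label and host != legit and not host.endswith("." + legit):
            return legit
    return None

def classify(line):
    """Return the reasons a log line is suspicious (empty list if clean)."""
    f = parse_line(line)
    url = f.get("url", "")
    host = (urlsplit(url).hostname or "").lower() if url else f.get("dst", "").lower()
    reasons = []
    if f.get("sha1", "").lower() in IOC_SHA1:
        reasons.append("known malicious SHA1")
    if host in IOC_HOSTS:
        reasons.append(f"known C2 host {host}")
    if url in IOC_URLS:
        reasons.append("known C2 URL")
    legit = lookalike_of(host)
    if legit:
        reasons.append(f"{host} imitates {legit}")
    # Ad-hoc signing alone is weak evidence (dev builds use it); it only strengthens other hits.
    if f.get("sig") == "adhoc" and reasons:
        reasons.append("ad-hoc signed process")
    return reasons

def scan(log_text):
    """Map 1-based line number -> reasons, for every suspicious line in the log."""
    lines = enumerate(log_text.splitlines(), 1)
    return {n: r for n, r in ((n, classify(l)) for n, l in lines) if r}

SAMPLE_LOG = """\
ts=2023-10-31T14:02:11Z host=mac-01 proc=ProcessRequest sig=adhoc sha1=79337ccda23c67f8cfd9f43a6d3cf05fd01d1588 url=http://swissborg.blog/zxcv/bnm
ts=2023-10-31T14:02:40Z host=mac-02 proc=Safari sig=apple url=https://swissborg.com/blog
ts=2023-10-31T14:03:05Z host=mac-03 proc=curl sig=apple dst=104.168.214.151
ts=2023-10-31T14:03:30Z host=mac-04 proc=Safari sig=apple url=https://blog.swissborg.com/post
"""
```

Running `scan(SAMPLE_LOG)` flags lines 1 and 3 only; the visit to the exchange's real blog and its real subdomain stay clean.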
IoC
79337ccda23c67f8cfd9f43a6d3cf05fd01d1588
http://104.168.214.151
http://swissborg.blog
http://swissborg.blog/zxcv/bnm