Everyday is lazarus.dayβ

Analyzing DPRK's SpectralBlur

2024-01-04, Objective-see
#SpectralBlur #BlueNoroff #macOS


In the spirit of ‘Sharing is Caring’, I’ve uploaded a sample of the malware to our public macOS malware collection. The password is: infect3d
Not three days into 2024, Greg Lesnewich tweeted the following:
#100DaysofYARA day 03 - talking SpectralBlur, a MacOS (and other OS 🤫) backdoor linked to TA444/Bluenoroff, that I suspect is a cousin of the KandyKorn family our pals at Elastic found!
— Greg Lesnewich (@greglesnewich), January 3, 2024
In both his twitter (err, X) thread and in a subsequent posting he provided a comprehensive background and triage of the malware dubbed SpectralBlur. In terms of its capabilities he noted:
SpectralBlur is a moderately capable backdoor, that can upload/download files, run a shell, update its configuration, delete files, hibernate or sleep, based on commands issued from the C2.
— Greg
He also pointed out similarities to/overlaps with the DPRK malware known as KandyKorn (that we covered in our “Mac Malware of 2024” report), while also pointing …