SpectralBlur: A New macOS Backdoor Linked to North Korean Threat Actors

In a recent discovery, cybersecurity researchers have identified a new Apple macOS backdoor named SpectralBlur. This backdoor exhibits characteristics overlapping with a known malware family attributed to North Korean threat actors. SpectralBlur shares similarities with KANDYKORN, a sophisticated implant functioning as a remote access trojan associated with the Lazarus sub-group known as BlueNoroff.

SpectralBlur

SpectralBlur is described as a moderately capable backdoor with the ability to upload/download files, run a shell, update configurations, delete files, hibernate, and sleep. Security researcher Greg Lesnewich emphasizes that the malware operates based on commands issued from its command-and-control server.

Capabilities:

SpectralBlur is a moderately capable backdoor. On command from its command-and-control server it can:

  • upload and download files
  • run a shell
  • update its configuration
  • delete files
  • hibernate or sleep

Connection to KANDYKORN and BlueNoroff:

The malware’s characteristics overlap with KANDYKORN (aka SockRacket), an advanced implant functioning as a remote access trojan. KANDYKORN is associated with the Lazarus sub-group known as BlueNoroff (aka TA444). Notably, TA444 has been observed combining elements from different infection chains, deploying RustBucket droppers to deliver KANDYKORN.

SpectralBlur’s Development and Geographic Origin:

Security researcher Patrick Wardle shared insights into SpectralBlur’s inner workings, revealing that the Mach-O binary was uploaded to VirusTotal from Colombia in August 2023. The functional similarities between SpectralBlur and KANDYKORN raise the possibility that they may have been developed by different individuals with similar objectives.

Distinctive Features of SpectralBlur:

What sets SpectralBlur apart is its deliberate attempts to hinder analysis and evade detection. The malware utilizes grantpt to set up a pseudo-terminal, executing shell commands received from the command-and-control server. This sophisticated evasion technique adds a layer of complexity for security analysts.
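As an added illustration (not code from the original article or from the researchers' analyses), the following heuristic looks for the pattern described above from the defender's side: a process that allocates a pseudo-terminal, launches a shell, and also connects out, while not being a known interactive tool. The telemetry event format, file paths, and allow-list are assumptions, and the sample events are constructed.

```python
"""Flag processes that allocate a pseudo-terminal, spawn a shell and talk to the
network, the combination that C2-driven shell execution through a pty produces.
Telemetry format, paths and allow-list are hypothetical; events are constructed."""
import json
from collections import defaultdict

# Constructed sample telemetry, one JSON event per line (not real SpectralBlur data).
SAMPLE_EVENTS = """
{"pid": 501, "image": "/Applications/iTerm.app/Contents/MacOS/iTerm2", "type": "pty_alloc"}
{"pid": 501, "image": "/Applications/iTerm.app/Contents/MacOS/iTerm2", "type": "exec", "child": "/bin/zsh"}
{"pid": 733, "image": "/Users/u/Library/.cache/updater", "type": "net_connect", "dst": "203.0.113.10:443"}
{"pid": 733, "image": "/Users/u/Library/.cache/updater", "type": "pty_alloc"}
{"pid": 733, "image": "/Users/u/Library/.cache/updater", "type": "exec", "child": "/bin/sh"}
{"pid": 810, "image": "/usr/bin/ssh", "type": "net_connect", "dst": "198.51.100.7:22"}
{"pid": 810, "image": "/usr/bin/ssh", "type": "pty_alloc"}
{"pid": 902, "image": "/usr/local/bin/agent", "type": "pty_alloc"}
{"pid": 902, "image": "/usr/local/bin/agent", "type": "exec", "child": "/bin/bash"}
"""

# Interactive tools expected to allocate ptys (hypothetical allow-list; tune per fleet).
KNOWN_PTY_USERS = {"/Applications/iTerm.app/Contents/MacOS/iTerm2", "/usr/bin/ssh", "/usr/bin/script"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


def parse_events(text):
    """Parse newline-delimited JSON telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_pty_shells(events):
    """Return {pid: (image, severity)} for non-allow-listed processes that
    allocated a pty and launched a shell. Severity is 'high' when the same
    process also connected out (remotely driven shell), else 'medium'."""
    per_pid = defaultdict(lambda: {"image": None, "pty": False, "shell": False, "net": False})
    for ev in events:
        proc = per_pid[ev["pid"]]
        proc["image"] = ev["image"]
        if ev["type"] == "pty_alloc":
            proc["pty"] = True
        elif ev["type"] == "exec" and ev.get("child") in SHELLS:
            proc["shell"] = True
        elif ev["type"] == "net_connect":
            proc["net"] = True
    hits = {}
    for pid, proc in per_pid.items():
        if proc["image"] in KNOWN_PTY_USERS or not (proc["pty"] and proc["shell"]):
            continue
        hits[pid] = (proc["image"], "high" if proc["net"] else "medium")
    return hits
```

Run against real endpoint telemetry, the allow-list is the main tuning knob: terminal emulators, ssh, and scripting tools allocate ptys legitimately, so the signal is an unexpected binary doing so alongside an outbound connection.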

North Korean Interest in macOS

Targeting High-Value Sectors:

The findings emphasize a growing interest among North Korean threat actors in macOS, particularly targeting high-value sectors such as cryptocurrency and blockchain industries.

Persistent Threat Actor (TA444):

The Lazarus sub-group, TA444, continues its activities with new macOS malware families, showcasing a persistent and evolving threat landscape.

Mac Threat Landscape

  • Increasing macOS Malware Families: In 2023, a total of 21 new macOS malware families were discovered, including ransomware, information stealers, remote access trojans, and nation-state-backed malware, up from the 13 identified in 2022.

Recommendations:

  • Implement Endpoint Protection: Utilize robust endpoint protection solutions to detect and prevent the execution of malware.
  • User Training and Awareness: Conduct user training on identifying phishing attempts and suspicious activities to prevent initial compromise.
  • Network Monitoring: Implement network monitoring tools to detect unusual traffic patterns and connections to known malicious domains.
  • Behavioral Analysis: Employ behavioral analysis tools to identify and block abnormal activities indicative of malware.
  • Collaborate and Share Threat Intelligence: Engage in information-sharing initiatives within the industry to stay updated on emerging threats.