New macOS Backdoor Linked to North Korea Emerges

Penka Hristovska, Senior Editor

Experts have discovered a new malware variant that targets Apple’s macOS devices.

Greg Lesnewich, Senior Threat Researcher at Proofpoint, analyzed and discussed the new malware in a technical writeup published on his personal blog earlier this month. He said the malware is called SpectralBlur, and described it as a “moderately capable” piece of code.

The new macOS malware is capable of downloading, uploading, and deleting files, as well as running shell commands and entering sleep and hibernate modes, according to Lesnewich.

The sample was first uploaded to VirusTotal in August last year, but it went undetected by antivirus engines, and researchers only noticed it last week.

Lesnewich made the connection to North Korean actors through KANDYKORN (also known as SockRacket), a malware previously identified as part of BlueNoroff’s arsenal. KANDYKORN is described as a remote access trojan, which allows for the takeover of compromised endpoints.

Objective-See’s security researcher Patrick Wardle also looked at SpectralBlur. According to him, when activated, the malware triggers a function designed to decrypt and encrypt its configuration and network communications. Following this, it takes a range of measures intended to obstruct analysis and evade detection.

Wardle explained that the malware uses a pseudo-terminal to carry out shell commands received from its command-and-control (C&C) server. He believes it’s specifically programmed to delete files after accessing them, first overwriting their contents with zeros.

It’s believed that the malware was designed by a sub-group of Lazarus, an infamous state-sponsored threat actor from North Korea. The group gained notoriety for its focus on cryptocurrency businesses, particularly those involved in developing “bridge” projects. Each cryptocurrency operates on its own blockchain, and these “bridges” were created by developers to enable interactions between different blockchains. Although they’re often audited by independent security firms, they still contain critical vulnerabilities, which opens the door for malicious actors.

About the Author
Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.
