Experts have discovered a new malware variant that targets Apple’s macOS devices.
Greg Lesnewich, Senior Threat Researcher at Proofpoint, analyzed and discussed the new virus in a technical writeup published on his personal blog earlier this month. He said the malware is called SpectralBlur, and described it as a “moderately capable” piece of code.
The new macOS malware is capable of downloading, uploading, and deleting files, as well as running shell commands and entering sleep and hibernate modes, according to Lesnewich.
The sample was first uploaded to VirusTotal in August last year, but it evaded antivirus engines, and researchers did not notice it until last week.
Lesnewich linked SpectralBlur to its operators through KANDYKORN (also known as SockRacket), a malware previously identified as part of BlueNoroff’s arsenal. KANDYKORN is described as a remote access trojan, which allows the takeover of compromised endpoints.
Objective-See’s security researcher Patrick Wardle also looked at SpectralBlur. According to him, when activated, the malware triggers a function designed to decrypt and encrypt its configuration and network communications. It then takes a range of measures intended to obstruct analysis and evade detection.
Wardle explained that the virus uses a pseudo-terminal to carry out shell commands received from the command and control server (C&C). He believes it is specifically programmed to delete files by first overwriting their contents with zeros and only then removing them.
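The two behaviours Wardle describes, a pseudo-terminal used to run shell commands from the C&C and file deletion that first overwrites the contents with zeros, are the kind of thing a detection engineer would hunt for in endpoint telemetry. The Python below is an added example, not code from the article, from Proofpoint or from Objective-See: the JSON-lines event schema (fields `ts`, `pid`, `proc`, `type`, `path`, `all_zero`), the sample events, the shell list and the terminal allow-list are all constructed assumptions for the sake of the example.

```python
import json

# Constructed sample telemetry in a hypothetical JSON-lines schema, one event
# per line. Field names are assumptions for this example, not a real sensor
# format. Process 501 mimics the two behaviours described in the article; the
# other processes are benign look-alikes that the rules should not flag.
SAMPLE_EVENTS = """\
{"ts": 1, "pid": 501, "proc": "/Users/dev/.cache/updater", "type": "pty_open"}
{"ts": 2, "pid": 501, "proc": "/Users/dev/.cache/updater", "type": "exec", "path": "/bin/sh"}
{"ts": 3, "pid": 501, "proc": "/Users/dev/.cache/updater", "type": "write", "path": "/tmp/stage.bin", "all_zero": true}
{"ts": 4, "pid": 501, "proc": "/Users/dev/.cache/updater", "type": "unlink", "path": "/tmp/stage.bin"}
{"ts": 5, "pid": 777, "proc": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "type": "pty_open"}
{"ts": 6, "pid": 777, "proc": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "type": "exec", "path": "/bin/zsh"}
{"ts": 7, "pid": 812, "proc": "/bin/rm", "type": "unlink", "path": "/tmp/report.txt"}
{"ts": 8, "pid": 900, "proc": "/usr/bin/dd", "type": "write", "path": "/tmp/blank.img", "all_zero": true}
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
# Processes for which a pty followed by a shell is expected; tune per fleet.
KNOWN_TERMINALS = {"/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
WINDOW = 5  # max seconds between the two halves of a suspicious pair


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_pty_shell(events, window=WINDOW):
    """Flag processes that open a pseudo-terminal and then exec a shell
    within `window` seconds, excluding known terminal emulators."""
    last_pty = {}  # pid -> ts of most recent pty_open
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "pty_open":
            last_pty[ev["pid"]] = ev["ts"]
        elif ev["type"] == "exec" and ev.get("path") in SHELLS:
            t = last_pty.get(ev["pid"])
            if (t is not None and ev["ts"] - t <= window
                    and ev["proc"] not in KNOWN_TERMINALS):
                hits.append({"pid": ev["pid"], "proc": ev["proc"], "shell": ev["path"]})
    return hits


def find_zero_wipe(events, window=WINDOW):
    """Flag files that are overwritten with zeros and then unlinked by the
    same process within `window` seconds (zero-fill before deletion)."""
    pending = {}  # (pid, path) -> ts of the zero-filled write
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev.get("path"))
        if ev["type"] == "write" and ev.get("all_zero"):
            pending[key] = ev["ts"]
        elif ev["type"] == "unlink":
            t = pending.pop(key, None)
            if t is not None and ev["ts"] - t <= window:
                hits.append({"pid": ev["pid"], "proc": ev["proc"], "path": ev["path"]})
    return hits


def hunt(text=SAMPLE_EVENTS):
    """Run both rules over a telemetry dump and return hits per rule."""
    events = parse_events(text)
    return {"pty_shell": find_pty_shell(events), "zero_wipe": find_zero_wipe(events)}


if __name__ == "__main__":
    for rule, hits in hunt().items():
        for hit in hits:
            print(rule, hit)
```

Run against the constructed sample, only process 501 trips either rule: the Terminal session is excluded by the allow-list, a plain `rm` has no preceding zero-fill write, and `dd` writing zeros without a following unlink is not a wipe. On a real fleet the events would come from an EDR or Endpoint Security feed, where `pty_open` is a sensor-level abstraction and `all_zero` would be derived from the written data; the allow-list and the time window are the two knobs that control false positives.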
It’s believed that the malware was designed by a sub-group of Lazarus, an infamous state-sponsored threat actor from North Korea. The group gained notoriety for its focus on cryptocurrency businesses, particularly those involved in developing “bridge” projects. Each cryptocurrency operates on its own blockchain, and these “bridges” were created by developers to enable interactions between different blockchains. Although they’re often audited by independent security firms, they still contain critical vulnerabilities, which opens the door for malicious actors.