    New macOS backdoor threat from North Korean hackers

    By techempire

    Report | January 5, 2024 | Editorial Department | Endpoint Security/Malware

    SpectralBlur macOS backdoor

    Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur. The malware overlaps with known malware families operated by North Korean threat actors.

    “SpectralBlur is a moderately functional backdoor that can upload/download files, execute a shell, update its configuration, delete files, hibernate or sleep based on commands issued from the [command-and-control] server,” said security researcher Greg Lesnewich.

    The malware bears similarities to KANDYKORN (also known as SockRacket), an advanced implant that acts as a remote access Trojan capable of taking control of an infected host.

    Notably, the KANDYKORN campaign also intersected with another campaign orchestrated by the Lazarus subgroup BlueNoroff (also known as TA444), which ultimately deployed a backdoor named RustBucket and a later-stage payload named ObjCShellz.

    In recent months, threat actors have been observed combining different parts of these two infection chains, using RustBucket droppers to deliver KANDYKORN.

    The latest findings are another sign that North Korean threat actors are increasingly looking to macOS to infiltrate high-value targets, particularly within the cryptocurrency and blockchain industries.

    “TA444 continues to operate fast and furious in these new macOS malware families,” Lesnewich said.

    Security researcher Patrick Wardle shared additional insights into the inner workings of SpectralBlur, saying that the Mach-O binary was uploaded to the VirusTotal malware scanning service from Colombia in August 2023.

    The functional similarities between KANDYKORN and SpectralBlur raise the possibility that they may have been built by different developers with the same needs in mind.

    The malware is notable for its attempts to hinder analysis and evade detection while using grantpt to set up a pseudo-terminal and execute shell commands received from the C2 server.

    This revelation comes as a total of 21 new malware families were discovered targeting macOS systems in 2023, including ransomware, information stealers, remote access Trojans and state-sponsored malware. By comparison, 13 malware families were discovered in 2022.

    “As macOS continues to grow and become more popular (especially in the enterprise!), 2024 is sure to bring a lot of new macOS malware,” Wardle noted.
