Cybersecurity researchers have recently uncovered a new macOS malware strain known as ObjCShellz, attributed to the North Korea-linked nation-state group, BlueNoroff. This group has a history of engaging in five ransomware-as-a-service (RaaS) programs over the past four years, highlighting the severity of the cybersecurity threat. In this article, we will delve into the details of ObjCShellz, its association with the RustBucket malware campaign, and the broader activities of the BlueNoroff group.
ObjCShellz and RustBucket Malware Campaign
ObjCShellz is identified as a component of the RustBucket malware campaign, which gained attention in the cybersecurity community earlier this year. Researchers from Jamf Threat Labs have disclosed information about ObjCShellz, shedding light on its role in this sophisticated malware campaign orchestrated by BlueNoroff.
BlueNoroff: A Subgroup of Lazarus Group
Operating under various aliases, including APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, BlueNoroff is a subgroup of the notorious Lazarus Group. BlueNoroff is known for its involvement in financial crimes, with a specific focus on targeting banks and the cryptocurrency sector. Their primary objective is to circumvent sanctions and generate illicit profits for the North Korean regime.
ObjCShellz: A Simple Yet Potent Remote Shell
ObjCShellz is coded in Objective-C and functions as a remote shell capable of executing commands sent from the attacker’s server. Despite its apparent simplicity, this malware serves as a late-stage component within a multi-stage attack, often delivered through social engineering tactics.
Possible Targets and Modus Operandi
While the specific targets of ObjCShellz remain undisclosed, the malware’s functionalities suggest a probable focus on companies within the cryptocurrency industry or closely associated sectors. BlueNoroff’s intricate campaigns often lure victims with promises of investment advice or job opportunities before initiating the infection chain with a decoy document.
Collaborative Landscape of North Korea-Sponsored Groups
The revelation of ObjCShellz follows recent findings of the Lazarus Group’s use of another macOS malware, KANDYKORN, which specifically targeted blockchain engineers. The sharing of tools and tactics among North Korea-sponsored groups points to a collaborative and evolving approach.
International Response to North Korea’s Cyber Activities
In response to the escalating cyber activities linked to North Korea, the United States, South Korea, and Japan have established a trilateral high-level cyber consultative group. The primary objective of this cooperative effort is to counter cyber activities that serve as a significant funding source for North Korea’s weapons development.
To remove ObjCShellz or similar malware from a Mac, follow these steps:
- Disconnect from the Internet: Disable your internet connection to prevent further communication between the malware and the attacker’s server.
- Back Up Your Data: Before taking any actions, ensure you have a backup of your important data to avoid data loss.
- Identify Malicious Processes: Use macOS utilities like Activity Monitor or Terminal to identify and terminate any suspicious processes related to the malware.
- Delete Malicious Files: Locate and delete the malicious files associated with ObjCShellz. These files may be in hidden folders or within system directories, so use caution.
- Reset Browsers: If your web browser settings were compromised, reset them to their default settings to remove any unwanted extensions or modifications.
- Install Antivirus Software: Install reputable antivirus software for macOS and run a full system scan to detect and remove any remaining malware or threats.
- Change Passwords: Change your passwords, especially for sensitive accounts, to prevent unauthorized access.
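The "identify malicious processes" and "delete malicious files" steps above can be turned into a repeatable triage routine. The following script is an added example written for this article, not code from Jamf Threat Labs or from the original write-up. It assumes only standard macOS tools (lsof, codesign, and launchd plists under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons), and the path heuristic it applies is the example's own assumption, not an indicator from the ObjCShellz report. Run it with --live on a Mac; with no arguments it demonstrates the parsers on constructed sample output so it runs anywhere.

```shell
#!/bin/sh
# Added example: macOS persistence and network triage helpers (not from the article
# or from Jamf Threat Labs). Assumes standard macOS tools: lsof and codesign, plus
# launchd plists under ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons.

# Print the program a launchd plist starts: the <string> after <key>Program</key>,
# or the first <string> after <key>ProgramArguments</key>.
plist_program() {
  awk '
    index($0, "<key>Program</key>") || index($0, "<key>ProgramArguments</key>") { want = 1; next }
    want && index($0, "<string>") {
      sub("^[ \t]*<string>", ""); sub("</string>.*$", ""); print; exit
    }
  ' "$1"
}

# Heuristic (an assumption of this example, not an indicator from the ObjCShellz report):
# a launch item whose program lives in a temp, shared or hidden directory deserves review.
suspicious_path() {
  case "$1" in
    /tmp/*|/private/tmp/*|/var/tmp/*|/private/var/tmp/*|/Users/Shared/*|*/.*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# List every launchd plist in the given directories as "plist<TAB>program".
list_persistence() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      printf '%s\t%s\n' "$plist" "$(plist_program "$plist")"
    done
  done
}

# Read `lsof -nP -iTCP -sTCP:ESTABLISHED` output on stdin and print
# "COMMAND PID remote-endpoint" for each established connection.
established_peers() {
  awk 'NR > 1 && $NF == "(ESTABLISHED)" { split($(NF - 1), ep, "->"); print $1, $2, ep[2] }'
}

# Constructed sample of lsof output (not real data) used when no Mac is available.
sample_lsof() {
  cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
updater  4242  bob    7u  IPv4 0x1234      0t0  TCP 10.0.0.5:52344->203.0.113.7:443 (ESTABLISHED)
Safari    901  bob   21u  IPv4 0x5678      0t0  TCP 10.0.0.5:52390->198.51.100.9:443 (ESTABLISHED)
EOF
}

# Run the checks against this Mac: list persistence items, flag suspicious program
# paths and show their signer (codesign is macOS-only), then list live TCP peers.
live_triage() {
  echo "== launchd persistence items =="
  list_persistence "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons |
  while IFS="$(printf '\t')" read -r plist prog; do
    if suspicious_path "$prog"; then
      printf '%s -> %s  <-- review\n' "$plist" "$prog"
      codesign -dvv "$prog" 2>&1 | grep -E '^Authority=|not signed' | sed 's/^/    /'
    else
      printf '%s -> %s\n' "$plist" "$prog"
    fi
  done
  echo "== processes with established TCP connections =="
  lsof -nP -iTCP -sTCP:ESTABLISHED | established_peers
}

if [ "${1:-}" = "--live" ]; then
  live_triage
else
  # No --live flag: demonstrate the parser on the constructed sample instead.
  sample_lsof | established_peers
fi
```

Review each flagged item before deleting anything: confirm the program path with plist_program, check the signer output, and only then unload the item and remove the plist and binary. The network listing pairs a process name with its remote endpoint so that an unfamiliar binary holding an established connection stands out, which is the pattern a remote shell like ObjCShellz would show while it waits for commands.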
Safeguarding Your System
To protect your system from similar threats in the future:
- Keep Software Updated: Regularly update your macOS, applications, and security software to patch known vulnerabilities.
- Practice Safe Downloading: Only download software from trusted sources and avoid third-party or unverified websites.
- Enable Firewall: Activate the built-in firewall on your macOS for an added layer of protection.
- Exercise Caution with Email: Be wary of email attachments and links, especially from unknown or suspicious sources.
- Educate Yourself: Stay informed about the latest cybersecurity threats and best practices for online safety.
ObjCShellz, as part of the RustBucket malware campaign orchestrated by BlueNoroff, is the latest addition to North Korea’s evolving cyber threat landscape. The interconnected and collaborative nature of North Korea-sponsored groups underscores the need for international cooperation to counter the growing cyber threats emanating from the region. By following the removal guide and implementing preventive measures, you can enhance your cybersecurity and protect your system from persistent and sophisticated threat actors. Stay vigilant, stay secure.