TA444 [1] [3] [6] [7], a North Korean state-backed threat actor [6], has recently developed a new Apple macOS backdoor called SpectralBlur. This backdoor is part of a series of proprietary malware created by TA444 [6], a sub-group of Lazarus known as BlueNoroff. SpectralBlur is a moderately capable backdoor that can perform various functions [6], such as uploading and downloading files [6], running a shell [6], updating its configuration [5] [6], deleting files [2] [5] [6], hibernating [6], or sleeping [6]. It was first observed in August 2023 and is considered the “first malware of 2024.” SpectralBlur [2] [3] [4] [5] [6] [7] communicates with a remote command-and-control server using encrypted communications and utilizes pseudo-terminals to execute shell commands.
Description
SpectralBlur, developed by TA444, is a new Apple macOS backdoor that overlaps with a known malware family attributed to North Korean threat actors and shares similarities with KANDYKORN [3] [7], an advanced implant functioning as a remote access trojan [3] [4] [7]. It is part of a series of proprietary malware created by TA444 [6], a sub-group of Lazarus known as BlueNoroff. SpectralBlur is a moderately capable backdoor that can perform various functions [6], such as uploading and downloading files [6], running a shell [6], updating its configuration [5] [6], deleting files [2] [5] [6], hibernating [6], or sleeping [6]. It was first observed in August 2023 and characterized as the “first malware of 2024.”
SpectralBlur communicates with a remote command-and-control server using encrypted communications and utilizes pseudo-terminals to execute shell commands. It attempts to hinder analysis and evade detection by using grantpt to set up a pseudo-terminal and execute shell commands received from the C2 server [4] [7]. SpectralBlur shares similarities with the Lazarus Group’s KANDYKORN malware [5], including the use of RC4 encryption and similar backdoor capabilities [5]. However, SpectralBlur also has its own unique characteristics [5].
Currently, SpectralBlur is not flagged as malicious by antivirus engines [5]. This discovery indicates that North Korean threat actors are increasingly targeting macOS to infiltrate high-value targets [3] [4] [7], particularly in the cryptocurrency and blockchain industries [1] [3] [4] [7]. TA444 [1] [3] [6] [7], a group that continues to develop new macOS malware families [1], is at the forefront of this trend. Additionally, researchers have found that a total of 21 new malware families targeting macOS systems were discovered in 2023, including ransomware [7], information stealers [7], remote access trojans [3] [4] [7], and nation-state-backed malware [7].
Security researchers Greg Lesnewich and Patrick Wardle have recently analyzed SpectralBlur and found that it was first submitted to VirusTotal in August 2023 but went unnoticed until now. They believe that SpectralBlur is another addition to Lazarus’ arsenal of macOS backdoors [2]. Lesnewich and Wardle have also discovered that SpectralBlur incorporates standard capabilities associated with backdoors [2], such as file upload/download [2], file deletion [2], shell execution [2], configuration updates [2] [5], and sleep/hibernate capabilities [2]. The backdoor communicates with a command-and-control server through encrypted sockets [2]. While SpectralBlur shares similarities with the KandyKorn backdoor used by Lazarus [2], it is believed to be developed by a different entity. Lesnewich and Wardle have observed that SpectralBlur uses a pseudo-terminal to execute shell commands and can delete files by overwriting their content with zeros.
Conclusion
The discovery of SpectralBlur highlights the increasing focus of North Korean threat actors on targeting macOS systems, particularly in the cryptocurrency and blockchain industries [1] [3] [4] [7]. TA444 [1] [3] [6] [7], the group behind SpectralBlur [6], is actively developing new macOS malware families [1], indicating a concerning trend. Furthermore, the finding that SpectralBlur is not currently detected by antivirus engines raises concerns about the effectiveness of existing security measures.
The analysis conducted by researchers Greg Lesnewich and Patrick Wardle sheds light on the capabilities and characteristics of SpectralBlur. Their findings suggest that SpectralBlur is another addition to Lazarus’ arsenal of macOS backdoors [2], although it is believed to be developed by a different entity. The use of encrypted communications and pseudo-terminals by SpectralBlur demonstrates the sophistication and evasive techniques employed by these threat actors.
Given the continuous development of new macOS malware families and the increasing sophistication of these threats, it is crucial for organizations, especially those in high-value industries, to remain vigilant and implement robust security measures. Ongoing research and collaboration among security experts are essential to stay ahead of these evolving threats and protect against potential infiltrations.
References
[1] https://www.443news.com/2024/01/new-macos-backdoor-threat-from-north-korean-hackers/
[2] https://firsthackersnews.com/spectralblur-macos-backdoor/
[3] https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.html
[4] https://techinvestornews.io/2024/01/05/spectralblur-new-macos-backdoor-threat-from-north-korean-hackers/
[5] https://www.scmagazine.com/news/new-macos-malware-spectralblur-idd-as-north-korean-backdoor
[6] https://www.darkreading.com/threat-intelligence/north-korea-debuts-spectralblur-malware-amid-macos-onslaught
[7] https://www.redpacketsecurity.com/spectralblur-new-macos-backdoor-threat-from-north-korean-hackers/
