A newly discovered macOS backdoor named SpectralBlur has recently emerged in the cybercriminal landscape.
Based on reports, it resembles the notorious KANDYKORN malware, another family attributed to North Korean threat actors. A researcher described SpectralBlur as a moderately capable backdoor with multiple functionalities, such as file upload/download, shell execution, configuration updates, file deletion, hibernation, and sleep commands. The malware operators issue these commands from a command-and-control (C2) server.
KANDYKORN is an advanced implant that operates as a remote access trojan, granting complete control over compromised hosts. Notably, KANDYKORN has been attributed to a Lazarus sub-group, BlueNoroff (aka TA444), whose operations involve the deployment of a backdoor called RustBucket and a late-stage payload named ObjCShellz.
Recent observations claim North Korean threat actors combine elements from these infection chains, using RustBucket droppers to deliver KANDYKORN.
North Korean hackers' focus on macOS, particularly on infiltrating high-value targets within the cryptocurrency and blockchain industries, is reflected in the development of these new malware strains.
More research provided additional insights into SpectralBlur.
According to separate research, the Mach-O binary of SpectralBlur was uploaded to the VirusTotal malware scanning service from Colombia in August 2023. Notably, the functional similarities between SpectralBlur and KANDYKORN have raised the possibility that different developers built them to meet identical requirements.
However, what sets SpectralBlur apart is its evasion techniques, which could hinder analysis and detection. The malware uses grantpt to establish a pseudo-terminal in which it runs the shell commands received from the C2 server. This design shows the effort the threat actors put into remaining undetected while maximising their effectiveness.
The disclosure of SpectralBlur arrived at a time when macOS faced an increasing onslaught of threats. Last year, 21 new malware families targeted macOS systems, including ransomware, information stealers, remote access Trojans, and nation-state-backed malware, from 13 previous attacks. Experts therefore believe that the popularity of macOS, especially in enterprise settings, will result in a spike in macOS malware development this year.
The discovery of SpectralBlur highlights the importance of ongoing vigilance and fortified cybersecurity defences against sophisticated threats, especially those coming from state-sponsored actors like North Korea.