Recent activity undertaken by the threat actor has offered fresh evidence of the threat actor's growing interest in exploiting trust relationships in the software supply chain as entry points to corporate networks. Lazarus Group (aka Hidden Cobra and Diamond Sleet) is less a distinct outfit and more of an umbrella term for a mixture of state-sponsored and criminal hacking groups that sit within the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence apparatus. The findings also come off a busy period of attacks orchestrated by the Lazarus Group aimed at organizations across countries and industry verticals for collecting strategic intelligence and performing cryptocurrency theft. It's not currently not clear how initial access is obtained and if the attacks were successful, but the development is a sign that threat actors are adapting their toolsets to accommodate cross-platform malware by using programming languages like Go and Rust. "At this point, in order to perform analysis, not only do we need the stage-two malware but we also require the correct PDF file that operates as a key in order to execute the malicious code within the application." "This PDF viewer technique used by the attacker is a clever one," the researchers explained. One such nine-page PDF document identified by Jamf purports to offer "investment strategy" advice, that when launched, reaches out to the command-and-control (C2) server to download and execute a third-stage trojan, a Mach-O executable written in Rust that comes with capabilities to run system reconnaissance commands. The second-stage payload, written in Objective-C, is a basic application that offers the ability to view PDF files and only initiates the next phase of the attack chain when a booby-trapped PDF file is opened through the app. Both the malicious apps are signed with an ad-hoc signature. In reality, it's an AppleScript file that's engineered to retrieve a second-stage payload from a remote server, which also carries the same name as its predecessor. The macOS malware identified by Jamf masquerades as an "Internal PDF Viewer" application to activate the infection, although it bears noting that the success of the attack banks on the victim manually overriding Gatekeeper protections. Federal Bureau of Investigation (FBI) implicated the threat actor for the theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022.īlueNoroff's attack repertoire is also said to have witnessed a major shift over the past few months, what with the group making use of job-themed lures to trick email recipients into entering their credentials on fake landing pages. The connections stem from tactical and infrastructure overlaps with a prior campaign exposed by Russian cybersecurity company Kaspersky in late December 2022 likely aimed at Japanese financial entities using fake domains impersonating venture capital firms.īlueNoroff, unlike other constituent entities of the Lazarus Group, is known for its sophisticated cyber-enabled heists targeting the SWIFT system as well as cryptocurrency exchanges as part of an intrusion set tracked as CryptoCore.Įarlier this year, the U.S. The Apple device management company attributed it to a threat actor known as BlueNoroff, a subgroup within the infamous Lazarus cluster that's also tracked under the monikers APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444. " communicates with command and control (C2) servers to download and execute various payloads," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week. A financially-motivated North Korean threat actor is suspected to be behind a new Apple macOS malware strain called RustBucket.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |