BlueNoroff North Koreans exploit a macOS backdoor vulnerability.

Reports from cybersecurity experts have revealed a new macOS backdoor that allows device takeover by BlueNoroff, a North Korea-based threat group, without the user's awareness.

In a thread posted on X by Greg Lesnewich, he indicates that the backdoor is linked to TA444/BlueNoroff and that he suspects it to be a cousin of the KandyKorn family. Lesnewich also stated that the malware had not been fully reversed at the time the post was made, on January 03, 2024.

Quoting Lesnewich, a senior threat researcher at Proofpoint:

"...talking 'SpectraBlur', a macOS (and other OS) backdoor linked to TA444/BlueNoroff, that I suspect is a cousin of the KandyKorn family our pals at Elastic found!"


A malware was uncovered that houses a malicious file ‘.macshare.’ Image-source: Fixitgearware

In a tip-off to Lesnewich from a member of Censys staff, it was noted that, once its internet scan data had been analysed, a suspicious domain was uncovered that hosts a malicious file, ‘.macshare’, which is downloaded from an ‘auth’ subdomain.

Additional analysis of the discovery indicates that the SpectraBlur malware is a moderately capable backdoor, which enables the threat actor to issue commands via a C2 server: upload and download files, execute shell commands, update its configuration, delete files, and hibernate or sleep the victim's device.

Notably, the analysis shows the use of ‘grantpt’ by the threat actor to set up a pseudo-terminal and execute shell commands. There is no doubt that BlueNoroff is a subgroup of the North Korean state-sponsored threat actor “The Lazarus Group”, a major threat to the crypto industry.
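As an added example (not from the original post or from the researchers cited), a small Python triage helper in the spirit of monitoring a Mac for suspicious activity: it walks a directory and flags hidden dot-files, like the ‘.macshare’ file described above, that carry a Mach-O executable header, and it tells a universal Mach-O apart from a Java class file that shares the same leading bytes. The file names and sample bytes are constructed.

```python
import os
import struct
import tempfile
from pathlib import Path

# Magic values that start a Mach-O image on disk, in both byte orders:
# thin 32-bit (MH_MAGIC), thin 64-bit (MH_MAGIC_64) and fat/universal headers.
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

def is_macho(path: Path) -> bool:
    """Return True if the file begins like a Mach-O (thin or fat) image."""
    try:
        with path.open("rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    if len(head) < 8:
        return False
    magic, word = head[:4], head[4:]
    if magic in THIN_MAGICS:
        return True
    if magic in FAT_MAGICS:
        # Java class files share CAFEBABE; a fat header keeps a small arch
        # count in the next word, a class file keeps its (larger) version.
        order = ">" if magic == b"\xca\xfe\xba\xbe" else "<"
        nfat_arch = struct.unpack(order + "I", word)[0]
        return 0 < nfat_arch <= 30
    return False

def find_hidden_executables(root: Path) -> list[Path]:
    """Return dot-prefixed (hidden) files under root that are Mach-O images.
    Each hit is a triage lead for codesign/spctl review, not a verdict."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if name.startswith(".") and is_macho(candidate):
                hits.append(candidate)
    return sorted(hits)

def build_sample_tree() -> Path:
    """Constructed sample data, not real malware: a hidden Mach-O-shaped
    file, a hidden text file and a visible Mach-O-shaped file."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / ".hidden_tool").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    (root / ".bash_profile").write_bytes(b"export PATH=$PATH:/opt/bin\n")
    (root / "visible_tool").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return root
```

Run `find_hidden_executables(Path.home())` on a real machine and follow each hit up with `codesign -dv` and `spctl -a -vv`; a hidden, unsigned executable is what warrants a closer look.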

More Discoveries About The Lazarus Group:

The Lazarus group does not seem to be taking a break anytime soon. In a recent publication, the group was said to be responsible for exploiting the Estonia-based crypto firm CoinsPaid, and now a more concerning issue has been unveiled: it is developing malware targeting macOS devices.

"Certainly, the North Korea threat groups are totally having much love for targeting these big corporations, from big crypto firms to big tech companies. A case of an Elite being a fancy of the common." - Benedict, founder of Fixitgearware Security.

Recent research findings show the exploitation of Apple devices by these threat actors, an indication that they are armed to the teeth to continue targeting macOS devices.

In his own words, Lesnewich described the BlueNoroff threat actors as “fast and furious”.

Further, a conversation between ITPro and James Pickard, head of security testing at IT Governance, reveals a series of security steps organisations should adopt to secure themselves.

These steps include deploying a defence-in-depth framework, patching, endpoint protection, security awareness training for employees, and monitoring the organisation's IT infrastructure, all while operating under a least-privilege model.

Pickard also emphasised the need to consider endpoint protection for device safety, and to consult the list of recommendations proffered by Apple.

Adding to that, given the growing need for more security procedures, Pickard stated that the tech giant lists a number of tools to be utilised, such as Gatekeeper, Notarisation and XProtect, to block, prevent and mitigate traces of the malware on an infected machine.

Ancillary recommendations also call for Apple device users to regularly patch their devices with released updates and to continuously monitor them for traces of suspicious activity. Publications and analysis of the malware can be found on Lesnewich's blog.

Users of macOS devices are advised to check out the list of these recommendations and apply them accordingly, and, as we regularly advise, remember to always stay safe and be vigilant 🛡️!