Jamf Threat Labs has discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. We track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor.

The APT group called BlueNoroff is thought to act as a sub-group to the well-known Lazarus Group and is believed to be behind this attack. This attribution is due to the similarities noted in a Kaspersky blog entry documenting an attack on the Windows side. These similarities include malicious tooling on macOS that closely aligns with the workflow and social engineering patterns of those employed in the campaign.

The stage-one malware (0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be) was discovered while performing normal hunting routines for compiled AppleScript applications that contained various suspicious commands. Among our results, we identified a suspicious AppleScript file titled main.scpt contained within an unsigned application named Internal PDF Viewer.app. It should be noted that we have no reason to believe this application is allowed to execute without the user manually overriding Gatekeeper.

There are a few signs that this malware is tied to BlueNoroff. First and foremost is the domain used in the stage-one dropper: clouddnxcapital. This domain was reported as being used by the attackers in a writeup done by Proofpoint. In the previously mentioned Kaspersky blog, it was reported that the attackers had created numerous fake domains impersonating venture capital firms and banks in a campaign Kaspersky titled ‘SnatchCrypto’. This aligns with the social engineering schemes discovered in the PDF document. The Windows malware also used the “decoy document” approach, which clearly worked well for the attacker.

The earliest submission of the “Internal PDF Viewer” we could find on VirusTotal was uploaded in January 2023, and we’ve observed the attackers continuing to host it. While many different PDF payloads exist that work on Windows, so far only one PDF has been discovered that will result in a call to the attacker on macOS. We do suspect more than just this one PDF exists.
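The hunting routine described above, looking for compiled AppleScript applets packaged as unsigned app bundles, can be approximated with a small triage script. The following is an added example written for this page; it is not Jamf's tooling. It assumes two things: that a compiled AppleScript applet keeps its script at Contents/Resources/Scripts/main.scpt and that the file starts with the "FasdUAS" magic of compiled AppleScript, and that a bundle lacking Contents/_CodeSignature/CodeResources can be treated as unsigned for quick triage (a proxy, not a substitute for running codesign against the bundle). The sample bundle tree it scans is constructed in a temporary directory so the script runs anywhere.

```python
"""Triage script: find compiled-AppleScript app bundles and flag the unsigned ones.

Added example, not the original page's or Jamf's code. Assumed heuristics:
  * an applet stores its compiled script at Contents/Resources/Scripts/main.scpt
    and that file begins with the compiled-AppleScript magic b"FasdUAS";
  * a bundle with no Contents/_CodeSignature/CodeResources is treated as unsigned
    (a cheap proxy; confirm with `codesign -dv --verbose=4` on a real system).
"""
import os
import tempfile
from pathlib import Path

SCRIPT_REL = Path("Contents/Resources/Scripts/main.scpt")
SIG_REL = Path("Contents/_CodeSignature/CodeResources")
APPLESCRIPT_MAGIC = b"FasdUAS"


def find_bundles(root):
    """Yield every *.app directory beneath root without descending into bundles."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                yield Path(dirpath) / name
                dirnames.remove(name)  # nested content belongs to the bundle itself


def is_compiled_applescript(path):
    """True if the file exists and carries the compiled-AppleScript magic bytes."""
    if not path.is_file():
        return False
    with open(path, "rb") as fh:
        return fh.read(len(APPLESCRIPT_MAGIC)) == APPLESCRIPT_MAGIC


def triage(root):
    """Return sorted (bundle_path, is_signed) pairs for applet bundles under root."""
    hits = []
    for bundle in find_bundles(root):
        if is_compiled_applescript(bundle / SCRIPT_REL):
            hits.append((str(bundle), (bundle / SIG_REL).is_file()))
    return sorted(hits)


def unsigned_applets(root):
    """Only the applet bundles that fail the signature proxy check."""
    return [bundle for bundle, signed in triage(root) if not signed]


def build_sample_tree():
    """Constructed sample data: an unsigned applet, a signed applet and an ordinary app."""
    root = Path(tempfile.mkdtemp())

    def make_bundle(name, applet, signed):
        bundle = root / "Applications" / name
        (bundle / "Contents/MacOS").mkdir(parents=True)
        (bundle / "Contents/MacOS/applet").write_bytes(b"")  # placeholder executable
        if applet:
            (bundle / SCRIPT_REL).parent.mkdir(parents=True)
            (bundle / SCRIPT_REL).write_bytes(APPLESCRIPT_MAGIC + b" 1.101.10")
        if signed:
            (bundle / SIG_REL).parent.mkdir(parents=True)
            (bundle / SIG_REL).write_text("<plist/>")  # stand-in for a real CodeResources

    make_bundle("Internal PDF Viewer.app", applet=True, signed=False)
    make_bundle("Signed Helper.app", applet=True, signed=True)
    make_bundle("Ordinary.app", applet=False, signed=True)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for bundle, signed in triage(sample_root):
        print(f"{'signed  ' if signed else 'UNSIGNED'} {bundle}")
```

On a real host you would point triage() at /Applications, ~/Downloads or a mounted disk image and then verify each UNSIGNED hit with codesign and spctl, since the missing-CodeResources check only says a bundle was never signed, not whether Gatekeeper would have blocked it.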