Jamf Threat Labs has discovered a new later-stage malware variant from BlueNoroff that shares characteristics with their RustBucket campaign. 

Jamf Threat Labs says BlueNoroff’s campaigns are financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms and banks. During the Labs’ routine threat hunting, they discovered a Mach-O universal binary communicating with a domain that Jamf has previously classified as malicious. This executable was undetected on VirusTotal at the time of their analysis.

The malware is written in Objective-C and operates as a very simple remote shell that executes shell commands sent from the attacker server. Although it is not entirely clear how initial access was achieved, this malware is likely being used as a later stage to manually run commands after compromising a system. 

This malware at a glance is very different from the previously mentioned RustBucket malware seen used in other attacks, but the attacker’s focus in both cases seems to be providing simple remote shell capability. Read Jamf Threat Labs’ complete report here

Article provided with permission from AppleWorld.Today