A new malware variant has been uncovered targeting Apple’s macOS devices, experts have warned.
A report from Greg Lesnewich, Senior Threat Researcher at Proofpoint, who described the malware in more detail in a technical writeup here, notes the malware is called SpectralBlur, and is a “moderately capable” piece of code. It can upload, download, or delete files, run shell commands, and sleep and hibernate, he further explained.
Apparently, it was designed and is being distributed by a subgroup of Lazarus, an infamous North Korean statesponsored threat actor.
Going after cryptocurrencies
Lesnewich made the connection via KANDYKORN (AKA SockRacket), a different piece of malware that was previously identified to belong to BlueNoroff. This group, also tracked by some researchers as TA444, is known to be a department of Lazarus. KANDYKORN is described as a remote access trojan used to take over a compromised endpoint.
The findings led the researcher to conclude that the North Koreans are ramping up their attacks against macOS devices, in order to compromise highvalue targets. They’re mostly interested in devices belonging to people in the cryptocurrency and blockchain industry.
“TA444 keeps running fast and furious with these new macOS malware families,” Lesnewich said.
Lazarus is known for targeting crypto businesses, mostly socalled “bridge” projects. Each cryptocurrency has its own blockchain, and in order for multiple blockchains to interact, developers started building “bridges”. These bridges, although usually audited by thirdparty security companies and independent code reviewers, often get released with serious flaws, which allow threat actors to siphon out eyewatering amounts of money.
Via TheHackerNews