North Korea’s Hackers Serve Up a New Dish: The Cryptocurrency-Targeting ObjCShellz Malware

North Korean macOS malware, ObjCShellz, is the new hotshot on the hacking block. With this sly beast, North Korea’s state-sponsored hackers are going after the financial sector, particularly people with access to cryptocurrency. It’s part of the RustBucket campaign, a multi-stage ‘Russian Doll of deception’ that hides each payload inside yet another fake PDF viewer.

Hot Take:

North Korea’s state-sponsored hackers are back at it again with a brand new macOS malware delightfully named “ObjCShellz”. Part of their multi-course meal RustBucket campaign, these guys are targeting the financial services sector like it’s a buffet. And guess what? They have a sweet tooth for crypto. The extent of their success is still in the shadows, but let’s not forget, they’ve been pretty good at winning these ‘Olympics of mischief’ in the past.

Key Points:

  • North Korean state-sponsored hackers have launched a new macOS malware strain called “ObjCShellz”.
  • The malware is part of a multi-stage campaign called RustBucket, targeting the financial services sector.
  • The group behind this malware, BlueNoroff, is the financially motivated arm of the Lazarus Group that is also tracked as APT38, and it is notorious for its past heists.
  • The malware, written in Objective-C, is a simple remote shell: it retrieves a command from the attackers’ command-and-control (C2) server, runs it on the victim’s Mac, and sends the output back.
  • The targeted users are specific individuals suspected of holding access to cryptocurrency.

Need to know more?

Knocking on Mac's Door

This isn't your typical, spray-and-pray malware campaign. ObjCShellz is going after users who are suspected of holding access to cryptocurrency. So, if you're a crypto enthusiast running a Mac, you might want to keep your eyes peeled. After all, fortune favors the prepared.

Master of Disguise

The RustBucket campaign is as sneaky as a chameleon on a rainbow. It starts with an AppleScript-based application disguised as a PDF viewer. Because the app is not notarized, macOS refuses to launch it on a double-click, so the lure has to talk the victim into overriding Gatekeeper by hand (right-click, then Open). Once the user takes the bait, the second stage, another app disguised as a PDF viewer, kicks in. It's like a Russian Doll of deception.

The Key to Evil

The second stage of the malware, like a lock and key, only reveals its true face when a specific malicious PDF is opened in it. Once the app reads that PDF, it fetches a data blob from the attackers' command-and-control (C2) server, and that is what kicks off the rest of the chain. It's like a treasure hunt, except the prize is probably your crypto wallet.

A Well-Oiled Machine

The whole operation is a well-oiled machine, seamlessly transitioning from one stage to another. After the second stage, the stage three payloads are downloaded and executed. By this point, it's pretty clear that these guys don't believe in 'less is more'.

It's Not Over Yet

ObjCShellz is thought to be a later-stage payload in this attack chain. But the full extent of the attack is still unknown. Like a well-written thriller, we're left on the edge of our seats, waiting to see what comes next. Let's just hope it isn't a sequel.
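What does that remote-shell behaviour look like from the defender's side? The following is an added hunting example, not code from this page or from any vendor's report: it runs a detection rule over constructed macOS process and network telemetry and flags the pattern described above, an unsigned app-bundle binary that contacts a remote host and then hands a command string to a shell. The event layout, paths, hostnames and signing IDs are all invented for the example.

```python
"""Toy hunt for fetch-a-command-then-shell-it-out behaviour on macOS.

Added example. The Event layout, the sample paths, hosts and signing IDs are
constructed for illustration and are not indicators from the real campaign.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


@dataclass(frozen=True)
class Event:
    """One telemetry record (hypothetical format)."""
    kind: str                      # "exec" or "connect"
    pid: int
    ppid: int = 0                  # exec events
    path: str = ""                 # executable image (exec events)
    signing_id: str = ""           # "" means unsigned or ad-hoc (exec events)
    args: Tuple[str, ...] = ()     # argv minus argv[0] (exec events)
    remote_host: str = ""          # connect events


def in_app_bundle(path: str) -> bool:
    """True for a binary that ships inside a .app bundle."""
    return "/Contents/MacOS/" in path


def apple_signed(signing_id: str) -> bool:
    return signing_id.startswith("com.apple.")


def hunt(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """Return (parent_image, remote_host, command) for each suspicious shell spawn.

    A hit needs all three pieces of the pattern:
      1. the parent is an app-bundle binary that Apple did not sign,
      2. that parent has already made an outbound connection,
      3. it then execs a shell with -c (a command string, not a login shell).
    """
    procs: Dict[int, Event] = {}       # pid -> the exec event that started it
    last_host: Dict[int, str] = {}     # pid -> most recent remote host
    hits: List[Tuple[str, str, str]] = []

    for ev in events:
        if ev.kind == "connect":
            last_host[ev.pid] = ev.remote_host
            continue
        if ev.kind != "exec":
            continue
        procs[ev.pid] = ev
        if ev.path not in SHELLS or "-c" not in ev.args:
            continue
        parent = procs.get(ev.ppid)
        if parent is None or not in_app_bundle(parent.path) or apple_signed(parent.signing_id):
            continue
        host = last_host.get(ev.ppid)
        if host is None:
            continue                   # shell without a prior beacon: not our pattern
        i = ev.args.index("-c")
        cmd = ev.args[i + 1] if i + 1 < len(ev.args) else ""
        hits.append((parent.path, host, cmd))
    return hits


# Constructed sample telemetry (chronological order matters for the rule).
SAMPLE_EVENTS = [
    Event("exec", pid=501, ppid=1, path="/Users/alice/Downloads/PDF Reader.app/Contents/MacOS/PDF Reader"),
    Event("exec", pid=502, ppid=1, path="/Applications/Safari.app/Contents/MacOS/Safari", signing_id="com.apple.Safari"),
    Event("exec", pid=503, ppid=1, path="/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", signing_id="com.apple.Terminal"),
    Event("connect", pid=501, remote_host="cdn.exchange-news.test"),
    Event("connect", pid=502, remote_host="www.apple.com"),
    Event("exec", pid=600, ppid=501, path="/bin/zsh", args=("-c", "whoami; uname -a")),
    Event("exec", pid=601, ppid=502, path="/bin/sh", args=("-c", "echo helper")),   # Apple-signed parent: ignored
    Event("exec", pid=602, ppid=503, path="/bin/zsh", args=("-l",)),                 # login shell, no -c: ignored
]


if __name__ == "__main__":
    for image, host, cmd in hunt(SAMPLE_EVENTS):
        print(f"ALERT: {image} beaconed to {host} and then ran: {cmd!r}")
```

The rule deliberately skips shells spawned by Apple-signed apps and interactive login shells, which is where most of the noise would otherwise come from; in practice the same fields would be taken from an EDR's process and network event streams rather than from an in-memory list, and a real hunt would also pivot on the destination host.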

Tags: BlueNoroff, cryptocurrency security, financial services sector, macOS malware, North Korean hackers, RustBucket campaign