In recent years, the cybersecurity community has observed a surge in state-sponsored attacks focusing on the financial sector, particularly targeting cryptocurrency enterprises. The BlueNoroff APT group, a subdivision of North Korea's Lazarus Group, has been at the forefront of these activities. Demonstrating advanced capabilities, BlueNoroff has developed sophisticated macOS malware that exploits fake cryptocurrency news to deceive targets and employs novel persistence mechanisms to maintain long-term access.
This technical report provides an exhaustive analysis of BlueNoroff's recent campaigns up to October 2023. It delves into their tactics, techniques, and procedures (TTPs), offering insights into the malware's architecture and providing recommendations for mitigation.
Campaign Overview
Background
Active since at least 2016, BlueNoroff has primarily targeted financial institutions and cryptocurrency exchanges. Their operations are financially motivated, aiming to circumvent international sanctions by stealing funds to support North Korea's economic objectives.
Recent Activities
BlueNoroff has intensified its efforts against macOS platforms, acknowledging the increasing use of Apple devices in corporate settings. Notable campaigns include:
- RustBucket Campaign (April 2023): Deployed multi-stage malware written in Rust, targeting macOS users and establishing backdoors for executing arbitrary code.
- KandyKorn Malware (May 2023): Focused on blockchain engineers, delivering malware designed for persistent system access.
Infection Vector
Phishing Emails Leveraging Fake Cryptocurrency News
The primary infection method involves phishing emails containing links to malicious applications disguised as legitimate PDF documents discussing cryptocurrency trends.
- Email Characteristics:
- Sender Impersonation: Often uses names of reputable individuals in the crypto industry or unrelated fields to appear credible.
- Subject Matter: Topics like "Hidden Risks Behind New Surge of Bitcoin Price" or "Altcoin Season 2.0: The Hidden Gems to Watch."
- Attachments: Instead of PDFs, the attachments are macOS application bundles posing as documents.
Execution Flow
- Email Delivery: The target receives a phishing email with a link to a supposed PDF document.
- Malicious Application Download: Clicking the link downloads a macOS application bundle with a misleading name and icon.
- Decoy Document Display: Upon execution, the application opens a legitimate-looking PDF to avoid suspicion.
- Background Malware Installation: Concurrently, the application downloads and executes the next-stage payload.
Technical Analysis
Stage 1: The Dropper Application
- Implementation: Written in Swift, designed to appear as a legitimate document viewer.
- Code Signing: Often signed with valid Apple Developer IDs to bypass Gatekeeper protections. These IDs may be acquired through fraudulent means.
- Execution Details:
- Decoy Presentation: Downloads a benign PDF from a remote server and opens it using the default PDF viewer.
- Payload Retrieval: Fetches the second-stage malware from a hard-coded URL using insecure HTTP connections, bypassing default macOS security settings via `Info.plist` modifications.
- Bypassing Security Measures:
- App Transport Security Exception: Alters `Info.plist` to allow insecure connections to specific domains.
- Universal Binary: Compiled for both Intel and Apple Silicon architectures to maximize compatibility.
Stage 2: The Backdoor Payload
- File Details:
- Name: `growth`
- Architecture: x86_64, requiring Rosetta 2 on Apple Silicon Macs.
- Language: Written in C++, focusing on functionality over stealth.
- Functionalities:
- Persistence Installation: Installs a novel persistence mechanism via the `~/.zshenv` file.
- System Reconnaissance: Collects system information such as OS version, hardware model, and process lists.
- Unique Identifier Generation: Creates a random UUID to identify the infected machine.
- C2 Communication:
- Protocol: Communicates with the command and control server using HTTP POST requests.
- Data Transmission: Sends collected data and awaits commands.
- Command Execution: Processes C2 responses to execute arbitrary commands or download additional payloads.
- Code Characteristics:
- Minimal Obfuscation: Relies on deceptive practices rather than heavy code obfuscation.
- Encapsulated in specific functions for installing and verifying persistence mechanisms.
Novel Persistence Mechanism: Abusing `~/.zshenv`
- Mechanism Details:
- File Modification: The malware appends execution commands to the `~/.zshenv` file.
- Execution Scope: Since `~/.zshenv` is sourced in all Zsh sessions—including non-interactive ones—the malware gains execution whenever a shell is invoked, which can occur during various system processes.
- Advantages Over Traditional Methods:
- Stealth: This method does not trigger user notifications introduced in macOS Ventura for Login Items, making it less noticeable.
- Reliability: Ensures consistent execution without relying on Launch Agents or Daemons, which are more likely to be monitored or removed.
- Persistence Installation Function:
- Verification: Checks for a marker file (e.g., `.zsh_init_success`) to prevent redundant installations.
- Implementation: Uses shell commands within the malware code to modify the `~/.zshenv` file.
Network Infrastructure Analysis
Command and Control Servers
- Domain Mimicry: Domains are crafted to resemble legitimate cryptocurrency or financial services (e.g., `delphidigital[.]org`, `arkinvest[.]com`).
- Hosting Providers: Utilizes services known for lax enforcement to host malicious domains and servers.
- SSL Certificates: May reuse self-signed certificates across multiple domains, aiding in attribution.
Communication Protocols
- HTTP POST Requests: Malware communicates using standard HTTP protocols to blend in with normal traffic.
- Custom User-Agent Strings: Employs unique or spoofed User-Agent strings to avoid detection by security tools.
Infrastructure Linkage
- WHOIS Data and Registrar Patterns: Consistent use of certain domain registrars and overlapping registration details.
- Shared Resources: Reuse of IP addresses and hosting services across different campaigns.
Attribution to BlueNoroff
Attribution is based on multiple factors:
- Tactics, Techniques, and Procedures (TTPs):
- Malware Similarities: Overlaps with previous BlueNoroff malware, including code structure and functionality.
- Persistence Methods: Novel use of `~/.zshenv` aligns with the group's history of exploiting macOS features.
- Infrastructure Connections:
- Domain Themes: Consistent focus on cryptocurrency and financial entities.
- Technical Overlaps: Shared IP addresses and SSL certificates with known BlueNoroff infrastructure.
- Historical Context:
- Financial Motive: Aligns with North Korea's strategy of using cyber operations for economic gain.
- Prior Campaigns: Continuation of methods observed in operations like AppleJeus and previous RustBucket incidents.
Mitigation Strategies
User Awareness and Training
- Phishing Education: Regular training to recognize and report suspicious emails, especially those related to financial topics.
- Policy Enforcement: Implement strict policies regarding the opening of email attachments and execution of downloaded files.
Technical Controls
- Endpoint Protection:
- Anti-Malware Solutions: Deploy advanced security software capable of detecting and blocking known threats and suspicious behaviors.
- Application Whitelisting: Restrict execution to approved applications, preventing unauthorized code from running.
- System Monitoring:
- File Integrity Monitoring: Watch for changes to critical files like `~/.zshenv` and system binaries.
- Process Monitoring: Alert on the execution of unexpected processes or scripts.
- Network Security:
- Firewall Rules: Block known malicious IP addresses and domains associated with BlueNoroff.
- Network Traffic Analysis: Inspect outbound traffic for anomalies, such as unusual HTTP POST requests.
Incident Response Preparedness
- Response Planning: Develop and regularly update incident response plans specific to malware infections.
- Backup and Recovery: Maintain regular backups of critical systems and data to enable restoration in case of compromise.
- Threat Intelligence Integration: Incorporate the latest threat intelligence feeds to stay updated on emerging threats.
Conclusion
The BlueNoroff APT group's ongoing targeting of macOS systems within the cryptocurrency sector highlights the evolving tactics of state-sponsored actors. Their innovative methods—such as abusing the `~/.zshenv` file for persistence and leveraging convincing phishing lures—underscore the need for heightened vigilance and robust security measures.
Organizations in the financial and cryptocurrency industries must adopt a comprehensive security posture, combining user education, advanced technical defenses, and proactive monitoring to mitigate the risks posed by such sophisticated threats.
Indicators of Compromise (IOCs)
File Hashes (SHA-1)
- Dropper Applications:
- `3f17c5a7d1e7fd138163d8039e614b8a967a56cb`
- `e5d97afa5f1501b3d5ec1a471dc8a3b8e2a84fdb`
- Backdoor Payload:
- `7e07765bf8ee2d0b2233039623016d6dfb610a6d`
Malicious Domains
- `delphidigital[.]org`
- `matuaner[.]com`
- `arkinvst[.]com`
- `solanalab[.]org`
- `zoom-client[.]com`
- Additional domains listed in the campaign's indicators.
IP Addresses
- `23.254.253[.]75`
- `45.61.135[.]105`
- `172.86.108[.]47`
- `216.107.136[.]10`
- Additional IPs associated with the C2 infrastructure.
References
- SentinelLabs Report on Hidden Risk Campaign: Link to Original Report
- ESET Research on RustBucket Malware: ESET Blog
- Apple Documentation on Zsh Startup Files: Apple Support
- MITRE ATT&CK Framework - Lazarus Group: MITRE ATT&CK
Disclaimer: This document is based on information available up to October 2023. Subsequent developments may not be reflected.