On November 7, 2023, Jamf Threat Labs revealed details of a previously undocumented macOS malware strain, ObjCShellz, which is linked to the North Korean nation-state group BlueNoroff. It is believed to be used as part of the RustBucket malware campaign, which was first noticed earlier this year.
According to security researcher Ferdous Saljooki, BlueNoroff, which is also known as APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, is a subordinate element of the infamous Lazarus Group. This group specializes in financial crime, targeting banks and the crypto sector as a way to evade sanctions and generate illicit profits for the regime.
ObjCShellz is written in Objective-C, functioning as a “very simple remote shell that executes shell commands sent from the attacker server”. It is not yet known how the malware is initially delivered, although it is believed to be a post-exploitation payload run on the hacked machine.
Days before the ObjCShellz discovery, Elastic Security Labs reported the Lazarus Group’s use of KANDYKORN, a new macOS malware, to target blockchain engineers. The group is also linked to RustBucket, an AppleScript-based backdoor that retrieves a second-stage payload from an attacker-controlled server. The infection chain is usually initiated by social engineering, with victims being lured with the promise of job offers or investment advice.
North Korea-sponsored groups like Lazarus are evolving and reorganizing, sharing tools and tactics, and developing bespoke malware for Linux and macOS. Phil Stokes, a security researcher at SentinelOne, noted that “it is believed the actors behind [the 3CX and JumpCloud] campaigns are developing and sharing a variety of toolsets and that further macOS malware campaigns are inevitable”.