Tuesday, December 5, 2023

New BlueNoroff loader for macOS

A new malicious loader targeting macOS devices has been discovered, presumably linked to the BlueNoroff APT gang and their RustBucket campaign. This group is known for attacking financial organizations and individuals involved with cryptocurrency. The new loader variant was first reported in a post on X (formerly Twitter).

Loader Characteristics: The loader was hidden inside a ZIP archive containing a PDF file named “Crypto-assets and their risks for financial stability”. This PDF serves as a decoy, while the actual malicious app, written in Swift and named “EdoneViewer”, is designed to target both Intel and Apple Silicon chips. It utilizes XOR encryption for its payload, which is decrypted by the main function, CalculateExtameGCD, during execution.

Deceptive Tactics: The app displayed unrelated messages during the decryption process to mislead analysts. It downloads the decoy PDF file and then sends a POST request to a server, saving the response in a hidden file. This file is then executed with the Command & Control (C&C) server address as an argument.

C&C Server and Data Collection: The C&C server was hosted at hxxp://on-global[.]xyz, a domain registered on October 20, 2023. The malware collects and transmits system information, such as computer name, OS version, time zone, device startup date, OS installation date, current time, and a list of running processes.

Execution of Commands: Upon receiving a command, the malware saves data to a shared file named “.pld”, grants it read/write/run permissions, and executes it. This action indicates the malware's capability to receive and execute remote commands, potentially leading to further malicious activities.

This discovery highlights the evolving nature of cyber threats, particularly those targeting macOS systems, and underscores the need for vigilant cybersecurity measures, especially for organizations and individuals involved in the financial and cryptocurrency sectors.

IoC

DOMAIN

  • on-global.xyz

URL

  • http://on-global.xyz/Ov56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A==
  • http://on-global.xyz

SHA256

  • c9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8
  • c7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14fe
  • c556baaac706191ce75c9263b349242caa3d8efca7b5639896fa3e6570d7c76e
  • 47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1
  • 36001b8b9e05935756fa7525dd49d91b59ea882efe5a2d23ccec35fef96138d4

SHA1

  • da96876f9535e3946aff3875c5e5c05e48ecb49c
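The behaviour described above (C&C traffic to on-global.xyz, a hidden executable `.pld` file, the listed file hashes) is what a defender can actually hunt for. The following script is an added example, not code from the original post or from the referenced reports: it refangs the indicators as the write-up prints them, runs the domain, URL and SHA256 indicators from the IoC section over a few constructed proxy/DNS/EDR log lines, and walks a directory for hidden `.pld` files that carry an execute bit. The log lines, the `/tmp/constructed` path and the placeholder `.pld` contents are constructed samples, not artefacts from the campaign.

```python
"""Defender-side matcher for the BlueNoroff macOS loader indicators.

Added example, not part of the original post. Indicators are copied from the
IoC section; every log line and file below is a constructed sample.
"""
import os
import re
import stat
import tempfile

# Indicators as the write-up prints them (domain defanged with [.]).
IOC_DOMAINS = {"on-global[.]xyz"}
IOC_URLS = {
    "http://on-global.xyz/Ov56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A==",
    "http://on-global.xyz",
}
IOC_SHA256 = {
    "c9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8",
    "c7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14fe",
    "c556baaac706191ce75c9263b349242caa3d8efca7b5639896fa3e6570d7c76e",
    "47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1",
    "36001b8b9e05935756fa7525dd49d91b59ea882efe5a2d23ccec35fef96138d4",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into its usable form."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


DOMAINS = {refang(d) for d in IOC_DOMAINS}
# Longest URL first so the bare host URL does not shadow the full C&C path.
URLS_LONGEST_FIRST = sorted(IOC_URLS, key=len, reverse=True)
# Bare hostnames as they appear in DNS logs or URLs (scheme optional).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?=[/:\s]|$)")


def scan_log_lines(lines):
    """Return (line_no, kind, indicator) for every line that hits an IoC.

    URL matches take precedence over plain domain matches for one line;
    SHA256 matches (e.g. from an EDR file event) are reported independently.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        url_hit = next((u for u in URLS_LONGEST_FIRST if u.lower() in low), None)
        if url_hit:
            hits.append((n, "url", url_hit))
        else:
            for m in HOST_RE.finditer(low):
                if m.group(1) in DOMAINS:
                    hits.append((n, "domain", m.group(1)))
                    break
        for h in IOC_SHA256:
            if h in low:
                hits.append((n, "sha256", h))
    return hits


def find_hidden_executables(root: str, name: str = ".pld"):
    """Walk `root` for hidden files named `name` that carry any execute bit.

    Mirrors the post's 'saves to .pld, grants read/write/run, executes it'.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f != name:
                continue
            path = os.path.join(dirpath, f)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                found.append(path)
    return sorted(found)


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2023-12-05T10:01:02Z proxy GET http://example.com/index.html 200",
    "2023-12-05T10:01:09Z proxy POST http://on-global.xyz/Ov56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A== 200",
    "2023-12-05T10:01:10Z dns query[A] on-global.xyz from 10.0.0.5",
    "2023-12-05T10:01:15Z edr file_create path=/tmp/constructed/.pld sha256=c9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8",
    "2023-12-05T10:02:00Z proxy GET http://updates.example.com/ 304",
]


def demo():
    """Run both checks; the .pld file is a constructed placeholder, not a payload."""
    hits = scan_log_lines(SAMPLE_LOGS)
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, ".pld")
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real payload")
        os.chmod(path, 0o700)  # read/write/run for the owner, as the post describes
        found = [os.path.basename(p) for p in find_hidden_executables(root)]
    return hits, found


if __name__ == "__main__":
    log_hits, pld_files = demo()
    for n, kind, value in log_hits:
        print(f"line {n}: {kind} match -> {value}")
    print("hidden executable .pld files:", pld_files)
```

Hashes of files observed in the campaign are reported against the whole line, so EDR or file-integrity exports can be fed in unchanged; the `.pld` walk is only meaningful on the paths where the loader actually writes, so point `root` at the shared directories your endpoints expose.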

REFERENCES

  • https://securelist.com/bluenoroff-new-macos-malware/111290/
  • https://otx.alienvault.com/pulse/656f2fb83b7c921884ae28ad

TAGS

bluenoroff, trojan, cndeveloper id, cnapple root, ca validity, rustbucket, twitter, pdf file
