North Korean hackers develop new macOS backdoor

Cybersecurity researchers have discovered a new macOS backdoor called SpectralBlur. Notably, this backdoor has similarities to the KandyKorn malware family used by North Korean hackers in recently identified cyberattacks.

The SpectralBlur malware was originally discovered and analyzed by senior threat researcher Greg Lesnewich of cybersecurity firm Proofpoint (US). Lesnewich said that SpectralBlur has the usual features of a malicious backdoor, including the ability to upload/download files, run shell commands, update configuration, and delete files. This malware performs tasks based on commands issued from the command-and-control (C2) server, and communications with the server are encrypted using Rivest Cipher 4 (RC4).

SpectralBlur on VirusTotal (Scan Date: Aug. 2023)

One of the most unique aspects of SpectralBlur was first noted by security researcher Phil Stokes from cybersecurity firm SentinelOne (US), which is the use of the Grantpt function to establish a pseudo-terminal.

In addition, researcher Patrick Wardle also discovered the use of pseudo terminals to execute remote shell commands in his analysis. Wardle believes this is part of SpectralBlur’s stealth tactics, which include encrypting its communication with the C2 server, deleting its file contents by overwriting them with zeros, and self-fragmenting into multiple versions.

Similarities to KandyKorn malware

According to Lesnewich, SpectralBlur appears to be related to KandyKorn (also known as SockRacket), an advanced malware that functions as a remote access Trojan (RAT) capable of controlling compromised hosts in a blockchain-focused attack campaign in November 2023.

It is worth noting that KandyKorn activities were also similar to another campaign carried out by the BlueNoroff hacking group (linked to the infamous Lazarus cyberespionage group of North Korea), which culminated in the deployment of a backdoor called RustBucket and an end-stage payload called ObjCShellz. In recent months, researchers have observed attackers combining different parts of these two infection chains, leveraging RustBucket dropper tools to distribute KandyKorn.

These latest findings are another sign that North Korean threat actors are targeting macOS devices to gain access to high-value targets, particularly those in the cryptocurrency and blockchain industries.

Lesnewich emphasized that the BlueNoroff hacking group continues to evolve its cyberattack operations and improve with these new macOS malware families. According to researcher Wardle, who shared additional details about SpectralBlur’s inner workings, the Mach-O binary was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia.

The functional similarities between Kandykorn and SpectralBlur raise the question that they could have been built by different developers but with the same requirements.

This disclosure comes as a total of 21 new malware families targeting macOS systems, including ransomware, information stealers, remote access trojans, and some state-sponsored malware, were detected in 2023. Wardle noted that with the continued growth and popularity of macOS (especially in the enterprise), 2024 is expected to see the development of even more new malicious variants on this operating system.