Security researchers have delved into the intricacies of SpectralBlur, an emerging macOS backdoor believed to be associated with the recently discovered North Korean malware family known as KandyKorn.
New ‘SpectralBlur’ macOS Backdoor
The identified sample of SpectralBlur was first submitted to VirusTotal in August 2023; however, it went unnoticed by antivirus engines and escaped researchers’ attention until this week.
Threat researcher Greg Lesnewich was the first to analyze the malware, determining that it encompasses functionalities commonly associated with a backdoor. These include file upload/download, file deletion, shell execution, configuration updates, and sleep/hibernate capabilities.
Lesnewich highlights that the described actions are executed in response to commands from the command-and-control (C&C) server. He further clarifies that communication with the server is facilitated through sockets encrypted with RC4.
In Lesnewich’s examination of the backdoor, he uncovered resemblances to KandyKorn, a macOS backdoor previously utilized by the North Korean hacking group Lazarus in recent cyber attacks. These attacks specifically targeted blockchain engineers associated with a cryptocurrency exchange platform.
KandyKorn is a sophisticated implant crafted to elude detection, enabling attackers to monitor and interact with compromised machines seamlessly.
Lesnewich highlights that SpectralBlur and KandyKorn seem to be distinct malware families developed by different entities, yet they share common features due to being built on similar requirements.
Following Lesnewich’s publication of his findings, security researcher Patrick Wardle from Objective-See also scrutinized SpectralBlur. His analysis led to comparable conclusions: the backdoor incorporates standard capabilities associated with backdoors, encompassing network communication, file and process manipulation, and self-configuration.
During the initialization phase, the malware triggers a function dedicated to decrypting/encrypting its configuration and network traffic. Subsequently, it carries out a series of actions designed to impede analysis and detection.
Wardle reveals that SpectralBlur employs a pseudo-terminal to execute shell commands delivered from the C&C. Additionally, it has been crafted to delete files by opening them and overwriting their content with zeros.
Both Lesnewich and Wardle express a strong belief that SpectralBlur constitutes another addition to Lazarus’ arsenal of macOS backdoors. Lazarus, a well-known North Korean hacking group operating since at least 2009 and suspected to have ties to the North Korean government, is considered the likely orchestrator of this malware.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment