Security researchers, led by Greg Lesnewich, have uncovered a new macOS backdoor named SpectralBlur, displaying resemblances to the North Korean APT group’s malware family, KANDYKORN (aka SockRacket), specifically associated with BlueNoroff (aka TA444) from the Lazarus sub-group.
The advanced KandyKorn implant boasts capabilities for monitoring, interacting, and avoiding detection, utilizing reflective loading—a direct-memory execution form that may bypass detections, as outlined by Elastic Security. On the other hand, SpectralBlur, while not as sophisticated, supports typical backdoor functionalities. These include file uploading/downloading, shell execution, configuration updates, file deletion, and hibernation or sleep mode, all triggered by commands from the C2.
“TA444 keeps running fast and furious with these new MacOS malware families. Looking for similar strings lead us to link SpectralBlur and KandyKorn (which were further linked to TA444 after more samples turned up, and eventually, a phishing campaign hit our visibility that pulled down KandyKorn,” notes Lesnewich. “So knowing your Macho stuff will help track emerging DPRK capability if that is your interest!”
This discovery reinforces the ongoing interest of North Korean threat actors, especially BlueNoroff, in developing macOS-targeting malware for specific and targeted cyber campaigns. Earlier instances include the November 2023 discovery of ObjCShellz, another macOS malware attributed to BlueNoroff, and the April 2023 revelation of RustBucket, a macOS malware variant associated with the same APT group.
In the cybersecurity landscape, this continuous evolution and development of macOS-specific threats highlight the need for vigilance and adaptive defense strategies against emerging North Korean cyber capabilities.
