SpectralBlur, a backdoor linked to North Korean state-backed threat actors, has claimed the title of the “first malware of 2024” and specifically targets Mac devices.
On January 4, Greg Lesnewich, senior threat researcher at Proofpoint, shared his findings on SpectralBlur on his blog. The new malware is linked to the KandyKorn campaign, TA444, and the Lazarus Group, all of which are attributed to North Korean hackers.
A dive into SpectralBlur
Lesnewich’s research revealed that SpectralBlur is a backdoor targeting macOS systems. As a backdoor, once installed on a device it can upload and download files, run a shell, execute commands on the OS, update its configuration, delete files, and hibernate or sleep.
SpectralBlur receives the commands for all of these actions from a remote command-and-control (C2) server and runs them on the infected machine.
Patrick Wardle, a cybersecurity expert who dug deeper into SpectralBlur, notes that it has several tactics designed for stealth. These include encrypting its communication with the C2 server, wiping file contents before deletion (overwriting them with zeros), and forking itself into multiple instances to complicate forensic analysis.
SpectralBlur’s C2 communications are encrypted with Rivest Cipher 4 (RC4), a once-popular stream cipher that is falling out of use because of its known weaknesses.
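To show why the choice of RC4 matters to both the malware author and the analyst, here is an added Python example (not code from the SpectralBlur sample or from Lesnewich’s or Wardle’s writeups): a textbook RC4 implementation, a check that the same routine decrypts what it encrypts (so an analyst who recovers the key from the binary can decode captured C2 traffic with the same few lines), and an empirical measurement of the Mantin-Shamir second-byte bias, one of the statistical flaws that led to RC4’s deprecation. The key and message are constructed for the demo; no key from the actual sample is known from the reports.

```python
import random
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key`: key scheduling (KSA) then PRGA."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream. RC4 is its own inverse, so the
    analyst decodes a captured C2 blob with exactly the call the malware used."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def second_byte_zero_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose second keystream byte is zero.

    An ideal stream cipher gives 1/256; RC4 gives roughly 2/256 (Mantin and
    Shamir, 2001). Seeded RNG keeps the measurement reproducible."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key)
        next(ks)                 # discard first byte
        if next(ks) == 0:        # inspect second byte
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; not a real sample key
    msg = b"beacon: host=lab-mac-01 cmd=sleep"  # constructed sample C2 message
    ct = rc4(key, msg)
    print("ciphertext:", ct.hex())
    print("decrypted :", rc4(key, ct).decode())
    rate = second_byte_zero_rate(5000)
    print(f"P[2nd byte == 0] over 5000 keys: {rate:.4f} (ideal 1/256 = {1/256:.4f})")
```

The bias measurement is the point for a defender: it is one reason a modern protocol would never use bare RC4, and it is a reminder that “encrypted C2” says nothing about the strength of the scheme. A sample that ships its RC4 key as a constant offers no confidentiality against anyone holding the binary.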
At the time of this writing, most antivirus engines on VirusTotal do not yet detect SpectralBlur.
Is SpectralBlur the evolution of KandyKorn? Similarities and differences
Lesnewich noted that SpectralBlur shares similarities with the KandyKorn campaign. As Elastic Security Labs reported on October 31, KandyKorn also targeted Mac devices, used a combination of custom and open-source tools for access and exploitation, and, like SpectralBlur, was linked to North Korean actors attributed to the DPRK. That research also found that the malware shared common ground with other tooling developed by the Lazarus Group. What else do KandyKorn and SpectralBlur have in common? Both use RC4 encryption, both are backdoors, and both have file-management and self-configuration functions.
However, unlike KandyKorn, which was discovered in the wild attempting to breach blockchain engineers at cryptocurrency exchange platforms running macOS, it is still unclear what SpectralBlur was developed to do.
A backdoor like SpectralBlur obviously has well-defined capabilities, but whether it was built to steal information, spy, spread further malware, or steal financial assets remains unknown.
Speaking about the similarities and differences between SpectralBlur and KandyKorn, Lesnewich said, “These (malware) feel like families developed by different folks with the same sort of requirements.”
The next difference between the two families is a very unusual one: SpectralBlur uses pseudo-terminals, something cybersecurity experts say is unexpected.
A pseudo-terminal (pty) is a special interprocess communication channel that behaves like a terminal. By running its shell through pty sessions, SpectralBlur better hides its activity: through those sessions the malware can execute commands, interact with the compromised OS and the programs on it, and keep a persistent foothold with less chance of detection. Pseudo-terminal activity is not monitored as closely as regular terminal sessions are.
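The monitoring gap described above is closable from the defender’s side: every process attached to a pseudo-terminal is visible in `ps`, so the question is simply whether a known terminal emulator, SSH daemon or multiplexer sits somewhere in its ancestry. The following Python is an added example, not code from any of the cited reports, that parses `ps -axo pid,ppid,tty,comm` output and flags pty sessions with no recognised provider in their parent chain. The sample listing, the process names in it, and the `PTY_PROVIDERS` allowlist are constructed for illustration; the allowlist in particular is a hypothetical starting point to be tuned per fleet.

```python
import os
import subprocess
from typing import Dict, List, Tuple

# Constructed sample in the layout of `ps -axo pid,ppid,tty,comm` on macOS.
# Pseudo-terminals appear as ttysNNN; "??" means no controlling terminal.
# Paths and names are invented; they are not indicators from any report.
SAMPLE_PS_OUTPUT = """\
  PID  PPID TTY      COMM
    1     0 ??       /sbin/launchd
  410     1 ??       /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
  512   410 ttys000  -zsh
  600   512 ttys000  vim
  700     1 ??       /Users/alice/Library/Caches/updater-helper
  701   700 ttys001  /bin/zsh
  702   701 ttys001  /bin/sh
"""

# Hypothetical allowlist of programs that legitimately allocate ptys.
PTY_PROVIDERS = {"Terminal", "iTerm2", "sshd", "tmux", "screen", "login", "Code"}

ProcTable = Dict[int, Tuple[int, str, str]]   # pid -> (ppid, tty, command)


def parse_ps(text: str) -> ProcTable:
    """Build the process table from `ps` text, skipping the header line."""
    procs: ProcTable = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, tty, comm = parts
        procs[int(pid)] = (int(ppid), tty, comm)
    return procs


def is_pty(tty: str) -> bool:
    """macOS names pseudo-terminals ttysNNN; Linux uses pts/N."""
    return tty.startswith("ttys") or tty.startswith("pts/")


def has_provider_ancestor(pid: int, procs: ProcTable) -> bool:
    """Walk up from `pid` and report whether a known pty provider is in the chain.
    A login shell shows up as "-zsh", so the leading dash is stripped."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _, comm = procs[pid]
        if os.path.basename(comm).lstrip("-") in PTY_PROVIDERS:
            return True
        pid = ppid
    return False


def orphan_pty_sessions(text: str) -> List[int]:
    """PIDs attached to a pty whose ancestry contains no recognised provider."""
    procs = parse_ps(text)
    return sorted(pid for pid, (ppid, tty, _) in procs.items()
                  if is_pty(tty) and not has_provider_ancestor(ppid, procs))


def live_report() -> List[int]:
    """Apply the same check to the running host (macOS or Linux `ps`)."""
    out = subprocess.run(["ps", "-axo", "pid,ppid,tty,comm"],
                         capture_output=True, text=True, check=True).stdout
    return orphan_pty_sessions(out)


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS_OUTPUT)
    for pid in orphan_pty_sessions(SAMPLE_PS_OUTPUT):
        ppid, tty, comm = procs[pid]
        print(f"pty session without known provider: pid={pid} tty={tty} "
              f"comm={comm} parent={procs.get(ppid, (None, None, '?'))[2]}")
```

In the constructed sample the two shells under the unsigned helper are reported while the editor under Terminal.app is not. On a real fleet the check belongs in an EDR query or a periodic audit rather than a one-off script, and the allowlist will grow (IDEs, remote-management agents, CI runners), but the principle stands: a pty whose lineage leads back to a background helper rather than to something a user typed into deserves a look.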
Mac malware is a new trend, and North Korea is leading the way
Mac malware, once considered rare, is now becoming more prevalent. And North Korean-linked hackers, known by a host of aliases such as TA444, DPRK, Lazarus Group, BlueNoroff, BlackAlicanto, Copernicium, Sapphire Sleet, and Stardust Chollima, are leading the way in this new wave of Mac malware attacks.
On January 4, Wardle reported that in 2023, a total of 21 new Mac-specific malware families were discovered. This represents an increase of more than 50% compared to 2022.
The Mac malware being developed is also diverse, spanning information stealers, spyware, backdoors, data-exfiltration tools, phishing malware, and blockchain and crypto-jackers. In this trend, North Korea is undoubtedly the most active player. So far, state-supported hackers linked to the country have developed infamous families such as SmoothOperator, RustBucket, KandyKorn, ObjCShellz, FullHouse.Doored, StratoFear, and TieDye.
The fact that SpectralBlur is being called the “first malware of 2024” clearly suggests that North Korean Mac attacks are on the rise. Analysis of SpectralBlur and its enhanced capabilities also shows that these groups are learning from their hits and misses.
Unfortunately, what SpectralBlur is doing, what it will do in the wild, and which people or sectors it will target remain unknown. SpectralBlur should be considered an early 2024 red flag and warning shot. More Mac-specific malware is undoubtedly on the way.