New Trojan from BlueNoroff Threatens MacOS Crypto Users

Following years of successful heists targeting Windows users, the hackers linked to Lazarus Group have expanded their operations to infiltrate machines running macOS.

Apple computer surrounded by worms
BlueNoroff is particularly known for its advanced social engineering tactics, enabling hackers to deploy malware and siphon cryptocurrency.

Cybersecurity firm Kaspersky has reported the discovery of a novel type of malicious loader—a malware designed to load and execute other malicious code on the infiltrated system, in this instance, a Trojan. Notably, this new loader is specifically targeting macOS users.

One alarming aspect of the Trojan loader is its alleged connection to the BlueNoroff APT gang, posing a significant threat to users in Russia, Poland, Norway, India, Mexico, Australia, Peru, and many other countries. These hackers are known for their association with the notorious North Korean hacking group Lazarus, recognized for the high-profile attack on Bangladesh’s Central Bank in 2016.

Read also: Lazarus Group Strikes with Telegram Phishing Attacks

In 2022, Kaspersky characterized BlueNoroff as "a mysterious group with links to Lazarus and an unusual financial motivation for an APT," noting that the hackers "seem to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure."

BlueNoroff description
Source: Kaspersky, Securelist

Although BlueNoroff was initially discovered in 2017, its first known sample dates back to 2016, and it was primarily recognized for targeting the Windows platform.

Following a series of successful attacks on banks, BlueNoroff initiated a campaign known as SnatchCrypto, which now focuses on individuals and companies engaged in activities related to cryptocurrencies, DeFi, FinTech, smart contracts, and blockchains. Notably, even those with an interest in these topics but no practical experience with the mentioned technologies can still become victims of this hacker group.

Cybersecurity experts have not yet determined the method of distributing the loader, inserted into a ZIP archive, to potential victims. However, speculation suggests that cybercriminals may have utilized email, as in past campaigns. The ZIP archive, infecting machines with the Trojan, contains a PDF file named "Crypto-assets and their risks for financial stability."

"Written in Swift and named 'EdoneViewer,' the executable is a universal format file that includes versions for both Intel and Apple Silicon chips," Kaspersky explains. The main function, "CalculateExtameGCD," manages the decryption of the payload, using unrelated messages to obfuscate the process and reduce analyst vigilance.

The reassuring news is that most anti-malware solutions are now capable of detecting this Trojan.

In a previous report on the hackers, Kaspersky underscored that "if there is one thing BlueNoroff has excelled at, it is the abuse of trust." The report emphasized, "Throughout its SnatchCrypto campaign, BlueNoroff exploited trust in business communications, including internal chats between colleagues and interactions with external entities."

According to Kaspersky's 2021 investigation, members of the BlueNoroff gang actively probed and monitored successful cryptocurrency startups. Their objective was to "build a map of interactions between individuals and understand possible topics of interest."

This approach enables them to execute sophisticated social engineering attacks disguised as normal interactions. For instance, they use convincing lures like fake Google Drive notifications or forwarded emails to trick victims into opening malicious documents. Kaspersky adds, "BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time."

Read also: KyberSwap’s Hacker Interviewed: "Might Makes Right"

BlueNoroff commonly utilized zipped Windows shortcut files and weaponized Word documents as vectors for initiating malware infections. In previous instances, the hackers also employed PowerShell scripts, Visual Basic Scripts, and custom backdoors with diverse functionalities, including directory and file manipulation, configuration updates, registry manipulation, process manipulation, command execution, and data theft from various software, such as Chrome, WinSCP, and Putty.

In some cases, BlueNoroff exhibited significant patience, waiting for months before executing a seamless theft of cryptocurrency. The compromised systems provided the hackers with the opportunity to gather essential credentials and manipulate browser extensions like Metamask, enabling them to intercept transactions and drain cryptocurrency accounts.

Meanwhile, Kaspersky has issued a warning to macOS users regarding the recent detection of cracked applications distributed by unauthorized websites. These applications come loaded with a Trojan-Proxy.

Individuals opting for free versions of paid software run the risk of downloading .PKG installers containing post-installer scripts. Once the application installation is complete, these scripts are executed, leading to the replacement of specific system files and subsequently granting hackers permissions on the compromised device.