New macOS SpectralBlur malware identified as North Korean backdoor – SC Media


SpectralBlur, a new macOS backdoor first characterized by researchers this week, appears linked to North Korean malware that targeted blockchain engineers last year.

The malware, although dubbed the “first malware of 2024” by security researcher Patrick Wardle of Objective-See, was first uploaded to VirusTotal in August 2023.

The macOS malware was initially discovered and analyzed by Greg Lesnewich, senior threat researcher at Proofpoint, who shared his findings on his personal blog on January 3. Wardle then conducted a more in-depth analysis of the SpectralBlur sample, published by Objective-See on January 4.

New macOS malware uses unique method to execute commands from remote server

SpectralBlur has many of the usual features of a malware backdoor, including the ability to download and delete files, run shells and update its configuration, according to Lesnewich. It performs these tasks by executing commands from a remote command and control (C2) server, and its communications with the server are encrypted with Rivest Cipher 4 (RC4).
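The paragraph above describes C2 traffic wrapped in RC4. The following is an added example of the analyst-side tooling that description implies, not code from SpectralBlur, Proofpoint or Objective-See: a plain RC4 implementation plus a decoder for a hypothetical length-prefixed C2 framing. The key, the 4-byte length prefix and the sample command stream are all constructed assumptions for illustration; the RC4 routine itself is checked against the standard published test vectors.

```python
# Added example: decrypting RC4-wrapped backdoor C2 traffic for analysis.
# Illustrative analyst tooling, not SpectralBlur's own code. The key
# (DEMO_KEY), the framing (4-byte big-endian length + RC4 body) and the
# captured commands are constructed assumptions, not recovered artifacts.
import struct


def rc4_ksa(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm: permute S according to the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 PRGA XORed over data. Symmetric: one call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def frame_c2_message(key: bytes, plaintext: bytes) -> bytes:
    """Server side of the assumed framing: length prefix + RC4(body)."""
    body = rc4_crypt(key, plaintext)
    return struct.pack(">I", len(body)) + body


def parse_c2_stream(key: bytes, stream: bytes) -> list[bytes]:
    """Split a captured byte stream into frames and decrypt each one.

    Truncated or trailing bytes raise rather than silently yielding garbage,
    which is what you want when the key or framing guess is wrong.
    """
    messages = []
    offset = 0
    while offset + 4 <= len(stream):
        (length,) = struct.unpack(">I", stream[offset:offset + 4])
        offset += 4
        if offset + length > len(stream):
            raise ValueError("truncated frame at offset %d" % offset)
        messages.append(rc4_crypt(key, stream[offset:offset + length]))
        offset += length
    if offset != len(stream):
        raise ValueError("%d trailing bytes after last frame" % (len(stream) - offset))
    return messages


# Constructed demo data (assumptions, not real SpectralBlur values).
DEMO_KEY = b"example-key-not-the-real-one"
DEMO_COMMANDS = [b"download /tmp/x.plist", b"shell id", b"delete /tmp/x.plist"]


def demo_capture() -> bytes:
    """A constructed 'server -> implant' capture built with frame_c2_message."""
    return b"".join(frame_c2_message(DEMO_KEY, cmd) for cmd in DEMO_COMMANDS)


if __name__ == "__main__":
    for msg in parse_c2_stream(DEMO_KEY, demo_capture()):
        print(msg.decode())
```

Because RC4 is a stream cipher keyed only by the static key here, every message starts at the same keystream position; a single known plaintext (for example a predictable beacon) therefore recovers the keystream prefix and decrypts the same positions of every other frame even without the key. That is the usual analyst shortcut against this kind of C2 wrapping.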

One of the more unusual aspects of SpectralBlur was noted by SentinelOne threat researcher Phil Stokes, who wrote on X: “[SpectralBlur] uses grantpt to configure a pseudo terminal. I’ve never seen this before.”

Wardle also discovered the use of pseudo-terminals to remotely execute shell commands in his analysis. He suspects this is part of SpectralBlur’s stealth tactics, which also include encrypting its communications with the C2 server, deleting the contents of its own files by overwriting them with zeros, and splitting itself into multiple instances.

SpectralBlur similar to KANDYKORN from the group Lazarus

Blockchain engineers were targeted by North Korean hackers last November as part of a campaign to spread the KANDYKORN remote access Trojan. Elastic Security Labs discovered the campaign and attributed it to state-sponsored actors linked to the Lazarus Group.

Lesnewich used VirusTotal’s retro search service to search for similar strings in other malware samples and identified overlaps between SpectralBlur and KANDYKORN, saying the two “feel like families developed by different people with the same type of requirements.”

For example, KANDYKORN also wraps its communications in RC4 encryption and has many of the same file management and self-configuration backdoor capabilities. However, SpectralBlur includes several of its own unique strings, as well as the unusual pseudo-terminal method.

Wardle notes that SpectralBlur, originally downloaded by a user in Colombia, is not yet flagged as malicious by any of the antivirus engines aggregated by VirusTotal.

It remains to be seen whether the “first malware of 2024” is used by North Korean state actors in the same way as KANDYKORN, which has also been spotted in mixed media campaigns targeting macOS.
