The PolySwarm Blog


SpectralBlur MacOS Backdoor

Jan 19, 2024 2:03:16 PM / by The Hivemind

SpectralBlur

Related Families: KandyKorn

Executive Summary

SpectralBlur is a fairly unsophisticated backdoor targeting MacOS devices. It has been attributed to Stardust Chollima.

Key Takeaways

  • SpectralBlur is a fairly unsophisticated backdoor targeting MacOS devices.
  • SpectralBlur has been attributed to the North Korean nexus threat actor group Stardust Chollima.
  • SpectralBlur appears to overlap with KandyKorn, another MacOS malware family attributed to Stardust Chollima.
  • Stardust Chollima was observed using multiple malware families to target MacOS systems in 2023.

What is SpectralBlur?

Security researcher Greg Lesnewich recently reported on SpectralBlur, a Mac malware family attributed to North Korea nexus threat actor group Stardust Chollima. Security researcher Patrick Wardle expanded on this research by further analyzing the SpectralBlur sample.

SpectralBlur is a fairly unsophisticated backdoor capable of uploading and downloading files, running shell commands, updating its configuration, deleting files, and hibernating or sleeping, all based on commands received from the C2. Lesnewich notes that he originally found SpectralBlur in August 2023 and that SpectralBlur appears to overlap with KandyKorn, another malware family attributed to Stardust Chollima.

While SpectralBlur is not a sophisticated backdoor, it does continue the trend of Stardust Chollima targeting MacOS systems. Last year, Stardust Chollima was observed using RustBucket, a multistage malware, to target MacOS devices. Industry researchers later discovered ObjCShellz, a remote shell, which appeared to be part of the RustBucket campaign. The group was also observed using KandyKorn, another multistage MacOS malware, to target blockchain engineers.

Who is Stardust Chollima?

Stardust Chollima, also known as BlueNoroff, TA444, APT38, BlackAlicanto, Copernicium, and Sapphire Sleet, is a North Korean threat actor group that is likely an offshoot of Lazarus Group. They are thought to be affiliated with Bureau 121 of the DPRK’s Reconnaissance General Bureau. The group is known for financially motivated activity, including targeting banks, casinos, cryptocurrency exchanges, ATMs, and SWIFT endpoints. Stardust Chollima has been observed using malware to target MacOS systems, including RustBucket, KandyKorn, ObjCShellz, and SpectralBlur.

IOCs

PolySwarm has a sample of SpectralBlur (SHA-256):

6f3e849ee0fe7a6453bd0408f0537fa894b17fc55bc9d1729ae035596f5c9220

You can use the following CLI command to search for all SpectralBlur samples in our portal:

$ polyswarm link list -f SpectralBlur


Topics: Threat Bulletin, Backdoor, MacOS, Stardust Chollima, SpectralBlur, KandyKorn
