Related Families: KandyKorn
Executive Summary
SpectralBlur is a fairly unsophisticated backdoor targeting macOS devices. It has been attributed to Stardust Chollima.
Key Takeaways
- SpectralBlur is a fairly unsophisticated backdoor targeting macOS devices.
- SpectralBlur has been attributed to the North Korea-nexus threat actor group Stardust Chollima.
- SpectralBlur appears to overlap with KandyKorn, another macOS malware family attributed to Stardust Chollima.
- Stardust Chollima was observed using multiple malware families to target macOS systems in 2023.
What is SpectralBlur?
Security researcher Greg Lesnewich recently reported on SpectralBlur, a macOS malware family attributed to the North Korea-nexus threat actor group Stardust Chollima. Security researcher Patrick Wardle expanded on this research by further analyzing the SpectralBlur sample.
SpectralBlur is a fairly unsophisticated backdoor. Based on commands received from its C2, it can upload and download files, spawn a shell, update its configuration, delete files, and hibernate or sleep. Lesnewich notes that he originally found SpectralBlur in August 2023 and that it appears to overlap with KandyKorn, another malware family attributed to Stardust Chollima.
While SpectralBlur is not a sophisticated backdoor, it does continue the trend of Stardust Chollima targeting macOS systems. In 2023, Stardust Chollima was observed using RustBucket, a multistage malware, to target macOS devices. Industry researchers later discovered ObjCShellz, a simple remote shell, which appeared to be part of the RustBucket campaign. The group was also observed using KandyKorn, another multistage macOS malware, to target blockchain engineers.
Who is Stardust Chollima?
Stardust Chollima, also known as BlueNoroff, TA444, APT38, BlackAlicanto, Copernicium, and Sapphire Sleet, is a North Korean threat actor group that is likely an offshoot of Lazarus Group. The group is thought to be affiliated with Bureau 121 of the DPRK's Reconnaissance General Bureau. It is known for financially motivated activity, including targeting banks, casinos, cryptocurrency exchanges, ATMs, and SWIFT endpoints. Stardust Chollima has been observed using malware to target macOS systems, including RustBucket, KandyKorn, ObjCShellz, and SpectralBlur.
IOCs
PolySwarm has a sample of SpectralBlur (SHA-256):
6f3e849ee0fe7a6453bd0408f0537fa894b17fc55bc9d1729ae035596f5c9220
You can use the following CLI command to search for all SpectralBlur samples in our portal:
$ polyswarm link list -f SpectralBlur
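If you would rather check hosts for this hash locally than query the portal, the following added script (not PolySwarm's own code) streams SHA-256 over a directory tree and reports any file whose digest is in the IOC list above. The only real IOC it carries is the SpectralBlur hash from this report; the directory layout, file names and helper names in the demo are constructed for illustration.

```python
#!/usr/bin/env python3
"""Sweep a directory tree for files whose SHA-256 matches known IOC hashes.

Added example for this report, not PolySwarm code. The only genuine IOC is the
SpectralBlur SHA-256 published above; the demo tree and helper names are
illustrative.
"""
import hashlib
import os
import sys
import tempfile

# SHA-256 of the SpectralBlur sample referenced in this report.
SPECTRALBLUR_IOCS = {
    "6f3e849ee0fe7a6453bd0408f0537fa894b17fc55bc9d1729ae035596f5c9220",
}

CHUNK = 1 << 20  # hash 1 MiB at a time so large binaries never sit in memory


def sha256_of_file(path):
    """Return the lowercase hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def normalize_iocs(hashes):
    """Lowercase and strip each hash; drop anything that is not 64 hex chars.

    IOC feeds mix upper/lower case and stray whitespace; comparing raw strings
    would silently miss matches.
    """
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
            out.add(h)
    return out


def sweep(root, iocs):
    """Walk `root` and return [(path, sha256)] for files matching any IOC.

    Symlinks are skipped (not followed) and unreadable files are ignored rather
    than aborting, so a triage pass completes even on a messy host.
    """
    wanted = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo():
    """Constructed tree: one benign file and one 'planted' file whose hash is
    added (upper-cased, to exercise normalization) to the IOC set so the sweep
    has something to find. Returns matching paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "notes.txt")
        with open(benign, "wb") as f:
            f.write(b"nothing to see here\n")
        planted = os.path.join(root, "Library", "planted.bin")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for a flagged binary\n")
        iocs = set(SPECTRALBLUR_IOCS) | {sha256_of_file(planted).upper()}
        hits = sweep(root, iocs)
        return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p, _ in hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python3 ioc_sweep.py /Users /Library
        for target in sys.argv[1:]:
            for path, digest in sweep(target, SPECTRALBLUR_IOCS):
                print(f"MATCH {digest} {path}")
    else:
        print(demo())
```

Run it with one or more directories as arguments to sweep a host; with no arguments it runs the self-contained demo. A hash match is a strong indicator for this exact sample only; a recompiled or repacked variant will not match, so treat a clean sweep as "this file is absent", not "the family is absent".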
Don't have a PolySwarm account? Sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.