SpectralBlur, a new macOS backdoor first characterized by researchers this week, appears connected to North Korean malware that targeted blockchain engineers last year.
The malware, while dubbed the “first malware of 2024” by security researcher Patrick Wardle of Objective-See, was first uploaded to VirusTotal in August 2023.
The macOS malware was initially discovered and analyzed by Greg Lesnewich, a senior threat researcher at Proofpoint, who shared his findings on his personal blog on Jan. 3. Wardle later conducted a deeper analysis of the SpectralBlur sample, published by Objective-See on Jan. 4.
New macOS malware uses unique method to run commands from remote server
SpectralBlur sports many of the usual features of a malware backdoor, including the ability to upload, download and delete files, run shells and update its configuration, according to Lesnewich. It performs these tasks by running commands from a remote command-and-control (C2) server, and its communications with the server are encrypted with Rivest Cipher 4 (RC4).
One of the most unusual aspects of SpectralBlur was noted by SentinelOne threat researcher Phil Stokes, who wrote on X, “[SpectralBlur] Uses grantpt to set up a pseudo-terminal. Not seen that before.”
Wardle also uncovered the use of pseudo-terminals to remotely execute shell commands in his analysis. He suspects this is part of SpectralBlur’s stealth tactics, which also include encrypting its communication with the C2 server, deleting its own file contents by overwriting them with zeros, and forking itself into multiple instances.
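As an added illustration of how a defender might hunt for the behaviour described above (this is example code, not from Lesnewich's or Wardle's write-ups), the following Python walks a constructed `ps` listing and flags any shell attached to a pseudo-terminal whose process ancestry contains no known terminal emulator, SSH daemon or multiplexer; the allowlist and the sample process tree are assumptions.

```python
import os
from collections import namedtuple

# Legitimate pty-allocating parents (assumption: tune per fleet, not from the SpectralBlur write-ups)
KNOWN_PTY_PARENTS = {"Terminal", "iTerm2", "sshd", "tmux", "screen", "login", "script"}
SHELLS = {"sh", "bash", "zsh", "fish", "dash", "csh", "tcsh"}

# Constructed `ps -axo pid=,ppid=,tty=,comm=` output; PIDs 900-902 model a background
# binary spawning a shell on a pty. The path is made up and is not an indicator.
SAMPLE_PS = """\
    1     0 ??      /sbin/launchd
  410     1 ??      /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
  420   410 ttys000 login
  421   420 ttys000 -zsh
  900     1 ??      /Users/demo/Library/Caches/.updater
  901   900 ttys003 /bin/sh
  902   901 ttys003 /usr/bin/curl
"""

Proc = namedtuple("Proc", "pid ppid tty name")  # name: basename of comm, '-' login marker stripped

def parse_ps(text):
    """Map pid -> Proc from ps output; malformed lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            pid, ppid, tty, comm = parts
            procs[int(pid)] = Proc(int(pid), int(ppid), tty, os.path.basename(comm).lstrip("-"))
    return procs

def ancestry(procs, pid):
    """Names of parent, grandparent, ... up to the root (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and procs[pid].ppid in procs:
        seen.add(pid)
        pid = procs[pid].ppid
        chain.append(procs[pid].name)
    return chain

def find_orphan_pty_shells(ps_text):
    """Return (pid, tty, ancestry) for each shell on a ttys* device with no known pty parent."""
    procs = parse_ps(ps_text)
    hits = []
    for p in procs.values():
        if p.tty.startswith("ttys") and p.name in SHELLS:
            chain = ancestry(procs, p.pid)
            if not any(a in KNOWN_PTY_PARENTS for a in chain):
                hits.append((p.pid, p.tty, chain))
    return hits
```

The interactive zsh under Terminal and login is left alone, while the `/bin/sh` whose only ancestors are an unknown background binary and launchd is reported for triage.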
SpectralBlur similar to Lazarus Group’s KANDYKORN
Blockchain engineers were targeted by North Korean hackers last November in a campaign to spread the KANDYKORN remote access trojan. Elastic Security Labs discovered the campaign, attributing it to state-sponsored actors linked to the Lazarus Group.
Lesnewich used VirusTotal’s retrohunting service to look for similar strings in other malware samples and identified overlaps between SpectralBlur and KANDYKORN, saying that the two “feel like families developed by different folks with the same sort of requirements.”
For example, KANDYKORN also wraps its communications in RC4 encryption and has many of the same backdoor capabilities for file management and self-configuration. However, SpectralBlur includes many of its own unique strings, as well as the unusual pseudo-terminal method.
Wardle notes that SpectralBlur, originally uploaded by a user in Colombia, is not yet flagged as malicious by any of the antivirus engines aggregated by VirusTotal.
It remains to be seen whether the “first malware of 2024” is being used by North Korean nation-state actors in a similar fashion to KANDYKORN, which has also been spotted in mixed-technique campaigns targeting macOS.