January 8, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have discovered a new backdoor named SpectralBlur that targets Apple macOS. The backdoor is attributed to BlueNoroff (aka TA444), a sub-group of North Korea’s Lazarus Group, on the basis of its similarities to the KANDYKORN (aka SockRacket) malware family.
KANDYKORN is an advanced implant with a broad set of capabilities for monitoring a compromised host, interacting with it, and evading detection. It executes directly from memory using reflective loading, which lets it avoid detections that depend on a payload being written to disk. SpectralBlur, by contrast, is not sophisticated malware. It offers only the standard backdoor feature set: running a shell, uploading and downloading files, deleting files, updating its configuration, and sleeping or hibernating, each triggered by commands received from the command-and-control (C2) server.
BlueNoroff continues to add new macOS malware families to its arsenal. SpectralBlur and KANDYKORN share similar strings, and a phishing campaign discovered shortly afterwards yielded further samples that strengthen the link between the two. The discovery confirms that North Korean-linked threat actors are investing heavily in macOS malware for use in targeted attacks.
In November 2023, security analysts found a new macOS malware strain called ObjCShellz and linked it to the BlueNoroff APT group. ObjCShellz resembles the RustBucket malware campaign, which is also associated with BlueNoroff: RustBucket was first observed in use by the group in April 2023, and a new variant was discovered in July 2023.
Impact
- File Manipulation
- Exposure to Sensitive Data
Remediation
- Always be suspicious of emails from unknown senders.
- Never click on links or open attachments sent by unknown senders.
- Ensure that general security policies are enforced, including strong passwords, correct configurations, and proper administrative security policies.
- Implement multi-factor authentication for all accounts to make it harder for attackers to gain access to sensitive systems and data.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Ensure that all software is kept up-to-date with the latest security patches to minimize the risk of vulnerabilities being exploited.
- Monitor network traffic for unusual or suspicious activity, which may indicate an attack is underway.
- Provide regular security training to all employees to ensure they are aware of the latest threats and how to protect against them.
- Conduct regular security assessments to identify vulnerabilities and weaknesses that could be exploited by attackers.