Jamf uncovers new Mac malware linked to known hacking group

Jamf finds a new strain of malware

Jamf Threat Labs has discovered a new malware strain that appears to be connected to BlueNoroff, a group that often attacks businesses in the financial sector.

The discovery came about during Jamf’s routine threat monitoring: they found a Mac program secretly connecting to a domain already known to be malicious. Jamf did not name a specific application that Mac users should watch out for.

What made the find particularly notable was that, at the time Jamf uploaded the sample, it was not flagged as malicious by VirusTotal, a popular service for checking suspicious files.

The program is cleverly disguised, using a digital signature that initially appears legitimate. It communicates with a server that, while appearing to be associated with a legitimate cryptocurrency platform, is controlled by the attackers.

BlueNoroff signature move

The method of operation aligns with the BlueNoroff group’s established strategies. These typically involve creating counterfeit domains that mirror reputable companies, which helps them evade detection and entice their targets.

The fraudulent domain was set up in late May 2023, and the malware uses it to send and receive information. Jamf’s analysis revealed that while they were investigating, the server behind the domain stopped responding, possibly because the attackers became aware of the scrutiny.

Further analysis by Jamf indicated that the malware was written in Objective-C, a programming language used for Mac software. The malware acts like a remote control for the infected computer, allowing the attackers to send commands and control the system after they have breached it.

Upon activation, the malware sends a signal to the attacker-controlled domain, disguising its communications as regular internet traffic. It also collects and sends information about the infected computer, such as the version of the macOS operating system it is running.
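As an added defender-side example (not code from the Jamf report, which names neither the domain nor the software), the following Python script scans constructed egress-proxy log lines and flags destinations that imitate a trusted brand, the tactic described above; the brand names, domains and log lines are placeholders chosen for the demonstration:

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: brand name -> its genuine apex domains (placeholders).
TRUSTED = {
    "examplecoin": {"examplecoin.com"},
    "samplexchange": {"samplexchange.io"},
}
ALL_TRUSTED = {d for ds in TRUSTED.values() for d in ds}

# Constructed proxy log lines: timestamp, client IP, destination host, user agent.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 10.0.0.5 examplecoin.com Mozilla/5.0
2023-06-01T10:00:07Z 10.0.0.5 api.examplecoin-swap.cloud Mozilla/5.0
2023-06-01T10:00:09Z 10.0.0.8 examp1ecoin.com Mozilla/5.0
2023-06-01T10:00:11Z 10.0.0.8 examplecoin.com.login-check.net Mozilla/5.0
2023-06-01T10:00:12Z 10.0.0.9 github.com git/2.40
2023-06-01T10:00:15Z 10.0.0.5 samplexchange.io Mozilla/5.0
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def registrable(host: str) -> str:
    """Last two labels of the host (simplification: ignores multi-part TLDs such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_brand(host: str, threshold: float = 0.8):
    """Return the brand a host imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    reg = registrable(host)
    if reg in ALL_TRUSTED:          # genuine apex or one of its own subdomains
        return None
    sld = reg.split(".")[0]
    for brand, domains in TRUSTED.items():
        if brand in sld:            # brand embedded in a new registrable name
            return brand
        if any(host.startswith(d + ".") for d in domains):
            return brand            # real domain reused as a subdomain elsewhere
        if SequenceMatcher(None, sld, brand).ratio() >= threshold:
            return brand            # near-miss spelling (e.g. digit for letter)
    return None

def scan(log: str):
    """Return (client, host, imitated brand) for every suspicious log line."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, client, host, _ = m.groups()
            brand = lookalike_brand(host)
            if brand:
                hits.append((client, host, brand))
    return hits

if __name__ == "__main__":
    for client, host, brand in scan(SAMPLE_LOG):
        print(f"{client} -> {host} (imitates {brand})")
```

In practice the allowlist would be the organisation's own set of trusted partner and platform domains, and hits would feed a ticket rather than just a printout.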

Despite its simplicity, the malware is effective and aligns with BlueNoroff’s approach of…

Source…