Tag Archive for: Named

Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea

Pierluigi Paganini
January 06, 2024

Researchers discovered a macOS backdoor, called SpectralBlur, which shows similarities with a North Korean APT’s malware family.

Security researcher Greg Lesnewich discovered a backdoor, called SpectralBlur, that targets Apple macOS. The backdoor shows similarities with the malware family KANDYKORN (aka SockRacket), which was attributed to the North Korea-linked Lazarus sub-group known as BlueNoroff (aka TA444).

“KandyKorn is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections,” reads the report published by Elastic Security, which identified and analyzed the threat.

SpectralBlur is not a sophisticated piece of malware; it supports ordinary backdoor capabilities, including uploading and downloading files, running a shell, updating its configuration, deleting files, and hibernating or sleeping, based on commands issued from the C2.

“TA444 keeps running fast and furious with these new MacOS malware families. Looking for similar strings led us to link SpectralBlur and KandyKorn (which were further linked to TA444 after more samples turned up, and eventually, a phishing campaign hit our visibility that pulled down KandyKorn),” concludes Lesnewich. “So knowing your Mach-O stuff will help track emerging DPRK capability if that is your interest!”

The latest discovery confirms the great interest of North Korea-linked threat actors in developing macOS malware to employ in targeted attacks.

In November 2023, researchers from Jamf Threat Labs discovered a new macOS malware strain dubbed ObjCShellz and attributed it to North Korea-linked APT BlueNoroff.

The experts noticed that the ObjCShellz malware shares similarities with the RustBucket malware campaign associated with the BlueNoroff APT group.

In July 2023, researchers from the Elastic Security Labs spotted a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using a…


A Newly Named Group of GRU Hackers is Wreaking Havoc in Ukraine


Finally, the Russia-based ransomware gang Clop went on a hacking spree that hit US government agencies and international companies including Shell and British Airways. Clop hackers carried out their cybercriminal campaign by exploiting a vulnerability in the file-transfer service MOVEit. The flaw has since been patched, but the full extent of the stolen data and list of targets remains unclear.

But that’s not all. Each week, we round up the biggest security and privacy stories we weren’t able to cover in depth ourselves. Click on the headlines to read the full stories, and stay safe out there.

As Russia has carried out its unprecedented cyberwar in Ukraine over nearly a decade, its GRU military intelligence hackers have taken center stage. The notorious GRU hacker groups Sandworm and APT28 have triggered blackouts, launched countless destructive cyberattacks, released the NotPetya malware, and even attempted to spoof results in Ukraine’s 2014 presidential election. Now, according to Microsoft, there’s a new addition to that hyper-aggressive agency’s cyberwar-focused bench.

Microsoft this week named a new group of GRU hackers that it’s calling Cadet Blizzard, and has been tracking since just before Russia’s full-scale invasion of Ukraine in February 2022. Redmond’s cybersecurity analysts now blame Cadet Blizzard for the destructive malware known as WhisperGate, which hit an array of government agencies, nonprofits, IT organizations, and emergency services in Ukraine in January 2022, just a month before Russia’s invasion began. Microsoft also attributes to Cadet Blizzard a series of web defacements and a hack-and-leak operation known as Free Civilian that dumped the data of several Ukrainian hacking victim organizations online while loosely impersonating hacktivists, another of the GRU’s trademarks.

Microsoft assesses that Cadet Blizzard appears to have the help of at least one private sector Russian firm in its hacking campaign but that it’s neither as prolific nor as sophisticated as previously known GRU groups plaguing Ukraine. But as Russia has switched up the tempo of its cyberwar, focusing on quantity rather than quality of attacks, Cadet Blizzard may play a key…


Wilsbach named as next Air Combat Command chief


The Biden administration has tapped Air Force Gen. Kenneth Wilsbach, the service’s top officer in the Pacific, to run Air Combat Command, the Pentagon announced Thursday.

If confirmed by the Senate, Wilsbach would come in at a time of transition for ACC, the Air Force’s largest umbrella organization for air warfare. He would bring to ACC his experience as a career fighter pilot who has spent most of the past four decades in the Pacific, as the U.S. military views China as its top strategic threat.

He is set to succeed Gen. Mark Kelly, who has led the command since August 2020. Air Force Staff Director Lt. Gen. Kevin Schneider was nominated April 20 to replace Wilsbach at Pacific Air Forces; it’s unclear what Kelly’s next move will be.

Wilsbach was commissioned into the Air Force in 1985 and became a decorated pilot with more than 5,000 flight hours in the F-15C, F-16C and F-22 fighter jets and MC-12 intelligence plane. His awards include the Defense Distinguished Service Medal, Defense Superior Service Medal, Legion of Merit and the Bronze Star, among others, according to his official biography.

Prior to leading PACAF, he recently served as the deputy commander of U.S. forces in South Korea, commander of U.S. Northern Command’s Alaska branch, and operations director at U.S. Central Command. He joined PACAF in July 2020.

ACC oversees more than 156,000 personnel across nearly 250 locations around the world. It supplies fighter and intelligence-collection aircraft, cyber warfare specialists and more to commanders in North America, South America, the Middle East and Southeast Asia.

The command is beginning to retire hundreds of its older aircraft after decades at war in Iraq, Afghanistan and Syria, and hopes to build a more flexible and technologically advanced force for the years ahead.

The Pentagon also announced Thursday that Maj. Gen. Linda Hurry will pin on a third star to become the deputy commander of Air Force Materiel Command, the service’s acquisition and maintenance hub. She currently serves as the logistics director at Air Force headquarters.

It’s unclear when their nominations might get across the finish line. Hundreds of military job changes are on hold in the…


Another year, another North Korean malware-spreading, crypto-stealing gang named • The Register


Google Cloud’s recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.

“Mandiant assesses with high confidence that APT43 is a moderately sophisticated cyber operator that supports the interests of the North Korean regime,” states a report on the gang released on Wednesday.

The report observes that APT43’s activities have sometimes been attributed to actors known as “Thallium” or “Kimsuky” – such as the 2021 attack on South Korea’s nuclear research agency.

That raid is typical of APT43’s activities. It aligns with the gang’s goal of strategic intelligence collection to keep North Korea informed of its foes’ activities and capabilities.

APT43 mostly uses spear phishing and fake websites to gather information, eschewing zero-day vulnerabilities. Once it compromises a target, the gang’s favorite tool is LATEOP – a backdoor based on VisualBasic scripts. It has also used malware such as gh0st RAT, QUASARRAT, and AMADE to go about its business. The gang appears not to be a notable malware innovator, but Mandiant has observed “a steady evolution and expansion of the operation’s malware library over time.”

As North Korea’s needs change, so do APT43’s activities and targets. Before 2020 it targeted diplomatic organizations and think tanks that considered strategic issues around the Korean peninsula. It then shifted focus to healthcare organizations, in what Mandiant assesses was a desire to gather information related to COVID-19.

Those shifts have seen the group attack different types of target. But Mandiant’s analysts believe it has an overarching purpose of “enabling North Korea’s weapons program, including: collecting information about international negotiations, sanctions policy, and other countries’ foreign relations and domestic politics as these may affect North Korea’s nuclear ambitions.”

APT43 funds its own activities by stealing and laundering cryptocurrency, but those heists aren’t its purpose. Indeed, North Korea backs another gang – APT38 – to pinch cryptocurrency.

But the gangs don’t operate in isolation. Mandiant asserts “APT43 has shared infrastructure and…
