BlueNoroff targets macOS users who use cryptocurrency

Kaspersky, a cyber-security company, has discovered a new malicious loader that targets macOS users. A loader is malware that loads and executes other malicious code, in this case a Trojan, on the infiltrated system.

The Trojan loader's alleged connection with the BlueNoroff APT group is alarming. It poses a serious threat to users from Russia, Poland, Norway, India, Mexico, Australia, Peru and other countries. BlueNoroff is also known for its affiliation with the North Korean hacking group Lazarus. This group is notorious for its high-profile attack in 2016 on Bangladesh's Central Bank.

Kaspersky described BlueNoroff in 2022 as "a mysterious group that has links to Lazarus, and a financial motivation unusual for an APT." The hackers, Kaspersky noted, "seem more like a small unit within the larger Lazarus attack formation, with the capability to tap into their vast resources, be it malware, exploits, infrastructure, or other forms of attacks."

Source: Kaspersky Securelist

Although BlueNoroff was discovered in 2017, its first sample dates back to 2016. It was also recognized as Windows-specific malware.

BlueNoroff launched SnatchCrypto after a series of successful attacks against banks. This campaign now targets individuals and businesses involved in activities relating to blockchains, smart contracts and cryptocurrencies. Even those who have an interest in these topics, but lack practical experience with the technologies, can become victims.

Cybersecurity experts are still unsure of the exact method used to distribute the ZIP-archive loader. They speculate that the cybercriminals could have used email, as they did in previous campaigns. The ZIP file that infects machines with the Trojan contains a document named "Cryptoassets and Their Risks for Financial Stability."

Kaspersky says that the executable, "EdoneViewer," is written in Swift. It has versions for Apple Silicon and Intel chips. The main function, "CalculateExtameGCD," manages the decryption of the payload, using unrelated messages to obfuscate the process and reduce analyst vigilance.

Most anti-malware software can now detect this Trojan.

In a previous report about the hackers, Kaspersky highlighted that "if there's one thing BlueNoroff excels at, it's the abuse of trust." The report stated that "BlueNoroff exploited business communications including internal conversations between colleagues and interactions with external entities, throughout its SnatchCrypto Campaign."

Kaspersky's 2021 investigation revealed that members of the BlueNoroff group actively investigated and monitored successful cryptocurrency startup companies. The group's goal was to "build an interactive map between individuals and identify possible topics of interest."

They can then execute sophisticated social engineering techniques disguised as everyday interactions. They use lures such as fake Google Drive notifications and forwarded emails to convince victims to open malicious documents. Kaspersky says, "BlueNoroff compromises businesses by precisely identifying the people involved and the topics that they are discussing during a particular time."

BlueNoroff often used Word documents and zipped Windows shortcuts as vectors to deliver malware. The hackers have also used PowerShell scripts and Visual Basic Scripts in the past to perform diverse functions, including file and directory manipulation, registry manipulation, process manipulation, command execution, data theft, and configuration updates.

BlueNoroff has shown patience in some cases. They waited for several months before they were able to steal cryptocurrency. Hackers were able to use compromised systems to collect credentials and manipulate browser extensions such as Metamask. This allowed them to intercept cryptocurrency transactions and drain accounts.

Kaspersky is warning macOS users about the recent detections of cracked applications being distributed by unauthorised websites. These applications are loaded with a Trojan proxy.

If you download free versions of software, there is a risk that the .PKG installer contains post-installation scripts. These scripts are executed after the application is installed, resulting in the replacement of specific system files and giving hackers access to the compromised device.
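
A defender-side check for the installer scripts described above, as an added example that is not from Kaspersky or the original article: it reads the xar table of contents of a flat .PKG and lists the entries that carry installer scripts, without executing anything. The function names, the size cap and the sample archive are constructed for illustration; in a real flat package the `Scripts` entry is typically a compressed archive holding `preinstall` and `postinstall`.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

XAR_MAGIC = b"xar!"
MAX_TOC = 16 * 1024 * 1024  # assumed cap so a hostile file cannot exhaust memory

def read_toc(blob):
    """Parse the XML table of contents of a xar archive (the container of a flat .pkg)."""
    if len(blob) < 28 or blob[:4] != XAR_MAGIC:
        raise ValueError("not a xar archive")
    # Big-endian header: magic, header size, version, TOC compressed/uncompressed length, checksum id
    _, hdr_size, _ver, toc_clen, toc_ulen, _ck = struct.unpack(">4sHHQQI", blob[:28])
    if toc_ulen > MAX_TOC:
        raise ValueError("TOC larger than allowed")
    toc = zlib.decompressobj().decompress(blob[hdr_size:hdr_size + toc_clen], MAX_TOC)
    if len(toc) != toc_ulen:
        raise ValueError("TOC length does not match header")
    return ET.fromstring(toc)

def walk(node, prefix=""):
    """Yield (path, element) for every <file> entry, descending into directories."""
    for f in node.findall("file"):
        path = prefix + f.findtext("name", "")
        yield path, f
        yield from walk(f, path + "/")

def script_payloads(blob):
    """Return (path, size) for entries that hold pre/post-install scripts."""
    hits = []
    for path, f in walk(read_toc(blob).find("toc")):
        if path.rsplit("/", 1)[-1] in ("Scripts", "preinstall", "postinstall"):
            hits.append((path, int(f.findtext("data/size", "0"))))
    return hits

def build_sample():
    """Constructed sample: xar header plus TOC only, not a real installer."""
    toc = (b'<?xml version="1.0" encoding="UTF-8"?><xar><toc>'
           b'<file id="1"><name>Distribution</name><type>file</type>'
           b'<data><size>512</size></data></file>'
           b'<file id="2"><name>app.pkg</name><type>directory</type>'
           b'<file id="3"><name>Payload</name><type>file</type><data><size>90000</size></data></file>'
           b'<file id="4"><name>Scripts</name><type>file</type><data><size>1432</size></data></file>'
           b'</file></toc></xar>')
    comp = zlib.compress(toc)
    return struct.pack(">4sHHQQI", XAR_MAGIC, 28, 1, len(comp), len(toc), 1) + comp

if __name__ == "__main__":
    print(script_payloads(build_sample()))
```

A non-empty result means the package will run scripts during installation, so their contents should be reviewed before the installer is opened.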