SpectralBlur Backdoor Comes With a Varied Malicious Toolkit

Cybersecurity researchers have uncovered a novel backdoor for Apple's macOS, identified as SpectralBlur, which overlaps with a known malware family attributed to North Korean threat actors. According to security researcher Greg Lesnewich, SpectralBlur is a moderately capable backdoor whose functions include file upload and download, shell execution, configuration updates, file deletion, hibernation, and sleep, each triggered by commands from the command-and-control (C2) server.

This malware resembles KANDYKORN (also known as SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host. Notably, KANDYKORN has been tied to the activity of the Lazarus sub-group BlueNoroff (aka TA444), whose campaigns have culminated in the deployment of the RustBucket backdoor and the ObjCShellz payload in their final stages.

SpectralBlur Linked to North Korean Threat Actor

Recent monitoring indicates that the threat actor has been merging components from both infection chains, utilizing RustBucket droppers to deliver KANDYKORN. These developments highlight the increasing focus of North Korean threat actors on macOS, particularly targeting high-value entities within the cryptocurrency and blockchain sectors.

Patrick Wardle, another security researcher, provided additional insights into SpectralBlur's workings, noting that the Mach-O binary was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia. The functional resemblances between KANDYKORN and SpectralBlur suggest the possibility that different developers created them with similar objectives in mind.

What distinguishes SpectralBlur is the effort it makes to impede analysis and avoid detection: it uses grantpt to set up a pseudo-terminal and runs the shell commands it receives from the C2 server inside that terminal.
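The pseudo-terminal trick described above leaves a recognisable pattern in endpoint telemetry: a process that is not a terminal emulator or session manager allocates a pty with the posix_openpt/grantpt family and then execs a shell. The following detection routine, an added example that is not part of the article or of any vendor product, correlates those two steps per process (and across a fork, via the parent pid) over constructed sample events; the event schema, the field names and the terminal-app allowlist are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (not from the article): one JSON object per line,
# loosely modelled on what an endpoint sensor might report for library calls and execs.
SAMPLE_EVENTS = """
{"ts": 1, "pid": 501, "ppid": 1,   "proc": "Terminal", "event": "libcall", "fn": "posix_openpt"}
{"ts": 2, "pid": 501, "ppid": 1,   "proc": "Terminal", "event": "libcall", "fn": "grantpt"}
{"ts": 3, "pid": 502, "ppid": 501, "proc": "Terminal", "event": "exec", "path": "/bin/zsh"}
{"ts": 4, "pid": 777, "ppid": 1,   "proc": ".update", "event": "libcall", "fn": "posix_openpt"}
{"ts": 5, "pid": 777, "ppid": 1,   "proc": ".update", "event": "libcall", "fn": "grantpt"}
{"ts": 6, "pid": 777, "ppid": 1,   "proc": ".update", "event": "libcall", "fn": "unlockpt"}
{"ts": 7, "pid": 778, "ppid": 777, "proc": ".update", "event": "exec", "path": "/bin/sh"}
{"ts": 8, "pid": 900, "ppid": 1,   "proc": "cron",    "event": "exec", "path": "/bin/sh"}
"""

# Assumed allowlist of programs that legitimately hand a pty to a shell.
TERMINAL_APPS = {"Terminal", "iTerm2", "sshd", "login", "tmux", "screen"}
PTY_CALLS = {"posix_openpt", "grantpt", "unlockpt", "ptsname"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


def detect_pty_shells(lines, allowlist=TERMINAL_APPS):
    """Return (pid, proc, pty_calls, shell) for every shell exec whose process,
    or whose parent, previously allocated a pseudo-terminal with grantpt,
    unless the program is an expected terminal/session manager."""
    seen_calls = defaultdict(list)  # pid -> ordered pty-related calls observed
    hits = []
    for line in SAMPLE_EVENTS.strip().splitlines() if lines is None else lines.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "libcall" and ev["fn"] in PTY_CALLS:
            seen_calls[ev["pid"]].append(ev["fn"])
        elif ev["event"] == "exec" and ev["path"] in SHELLS:
            # The shell is usually exec'd in a forked child, so look at the parent too.
            calls = seen_calls.get(ev["pid"]) or seen_calls.get(ev["ppid"])
            if calls and "grantpt" in calls and ev["proc"] not in allowlist:
                hits.append((ev["pid"], ev["proc"], tuple(calls), ev["path"]))
    return hits


if __name__ == "__main__":
    for hit in detect_pty_shells(SAMPLE_EVENTS):
        print("suspicious pty-backed shell:", hit)
```

Only the ".update" process tree is reported: Terminal is allowlisted, and cron launches a shell without ever touching a pty.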

January 8, 2024