
Lazarus and Bluenoroff: New and “Rusty” Tricks for macOS

The notoriously flamboyant Lazarus threat actor group linked to DPRK has been targeting macOS users for some years now, employing various innovative techniques which successfully circumvent macOS’ relatively robust in-built security. There is much to be learned by the researcher community by keeping a keen eye on the technical evolution of the group’s TTPs.

The recent 3CX supply chain attack, uncovered in March 2023, involved the use of infected dynamic libraries (dylibs) packed within a signed-and-notarized application. Further back, last year, we saw the use of bona fide developer-signed Mach-O binaries in Operation Interception and the distribution of fake cross-platform Electron-based cryptocurrency pricing applications in their Trader Traitor/Manuscrypt campaign.

Interestingly, a supposed sub-faction or splinter group of Lazarus, named Bluenoroff, has been held responsible for the April 2023 Rustbucket campaign, which made use of Rust-based malware, a specially crafted PDF, and a fake PDF reader to launch it.

All these campaigns have multi-stage payloads with forced C2 communications at each stage to retrieve the payload for the subsequent stage. The resulting longer kill chains imply that Lazarus/Bluenoroff do not want their precious weapons to be lying around just anywhere. This precision in the time and place of payload deployment complicates the analysis process and makes it harder to figure out their specific agenda. They are becoming more selective in terms of their targets, further reducing visibility.

This presentation will reveal the diverse range of recent macOS campaign TTPs of Lazarus and its offspring. We shall also explore potential counter tactics to head them off based on our analysis of the various levels of the attack chain.

Mr. Mellvin S

Mellvin earned his Bachelor’s degree in Electrical and Electronics Engineering from Anna University in Chennai. Since 2020, he has been working as a Threat Researcher at K7 Computing’s Threat Control Lab. In this role, his main responsibilities include reverse engineering and creating detection methods for various types of malware targeting both Windows and macOS platforms. His research findings are regularly featured on the technical blog page of K7 Threat Control Lab. Outside of work, Mellvin has a deep passion for playing cricket, where he excels as a fast bowler, and he also enjoys indulging in smartphone photography.