Analyzing State-Sponsored Malware on macOS | JNUC 2023

Discover the intricate workings of malware developed by the Lazarus APT group, including the BlueNoroff subgroup, with a focus on various high-profile attacks and malware tools.

Ferdous Saljooki, a Senior Threat Researcher at Jamf Threat Labs, delved into the sophisticated world of state-sponsored malware in his JNUC presentation. He focused on the notorious Lazarus APT group and its subgroup, BlueNoroff, known for their complex cyber attacks. Saljooki highlighted several key malware campaigns, including the 3CX and JumpCloud supply chain attacks, as well as the RustBucket malware and JokerSpy spyware.

Saljooki walked through setting up a malware analysis environment, naming tools such as MachOView (for inspecting Mach-O headers and load commands), Hex Fiend (hex editing) and Wireshark (network capture), and compared virtual-machine and bare-metal hosts for analysis. The Lazarus group, a North Korean state-sponsored actor, has extended its operations to macOS, pursuing both espionage and financially motivated cybercrime. Its Operation Dream Job campaign used spearphishing with job-offer decoys aimed at targets in the cryptocurrency sector.
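To make the analysis-environment discussion concrete, the following is an added example (not code from the talk or from Jamf Threat Labs) of what a viewer like MachOView does under the hood: it walks the 64-bit Mach-O header and load commands, handles fat (universal) containers, and applies a few cheap triage heuristics. The sample binary is constructed inline with `struct`; it is not a real malware sample, and the dylib paths, the "trusted prefix" list and the heuristics are assumptions chosen for illustration.

```python
"""Minimal Mach-O header / load-command walker for first-pass triage (added example)."""
import struct

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC = 0xCAFEBABE
LC_REQ_DYLD = 0x80000000
LC_SEGMENT_64, LC_LOAD_DYLIB, LC_CODE_SIGNATURE = 0x19, 0x0C, 0x1D
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_MAIN = 0x28 | LC_REQ_DYLD
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
FILETYPES = {2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
VM_PROT_WRITE, VM_PROT_EXECUTE = 2, 4
# Assumption for the heuristic below: dylibs outside these trees deserve a look.
TRUSTED_DYLIB_PREFIXES = ("/usr/lib/", "/System/Library/")


def parse_thin(blob, base=0):
    """Parse one 64-bit Mach-O image that starts at blob[base]."""
    magic, = struct.unpack_from("<I", blob, base)
    if magic == MH_MAGIC_64:
        e = "<"                      # little-endian file (all modern Apple targets)
    elif magic == MH_CIGAM_64:
        e = ">"                      # byte-swapped magic: big-endian file
    else:
        raise ValueError("not a 64-bit Mach-O: magic=0x%08x" % magic)
    cputype, _sub, filetype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(e + "7I", blob, base + 4)
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)),
            "filetype": FILETYPES.get(filetype, str(filetype)),
            "ncmds": ncmds, "segments": [], "dylibs": [], "signed": False, "entry": None}
    off, end = base + 32, base + 32 + sizeofcmds   # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from(e + "2I", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at 0x%x" % (cmdsize, off))
        if cmd == LC_SEGMENT_64:
            name = blob[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace")
            vmaddr, vmsize, _fileoff, _filesize = struct.unpack_from(e + "4Q", blob, off + 24)
            _maxprot, initprot = struct.unpack_from(e + "2i", blob, off + 56)
            info["segments"].append({"name": name, "vmaddr": vmaddr, "vmsize": vmsize, "initprot": initprot})
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off, = struct.unpack_from(e + "I", blob, off + 8)   # offset is relative to the command
            raw = blob[off + name_off:off + cmdsize]
            info["dylibs"].append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_CODE_SIGNATURE:
            info["signed"] = True    # a signature blob exists; validity is a separate check
        elif cmd == LC_MAIN:
            info["entry"], = struct.unpack_from(e + "Q", blob, off + 8)
        off += cmdsize
    return info


def parse_macho(blob):
    """Return one dict per architecture slice; fat headers are always big-endian."""
    magic, = struct.unpack_from(">I", blob, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(blob, 0)]
    nfat, = struct.unpack_from(">I", blob, 4)
    slices = []
    for i in range(nfat):
        _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
        if offset + size > len(blob):
            raise ValueError("fat slice %d extends past end of file" % i)
        slices.append(parse_thin(blob, offset))
    return slices


def triage(info):
    """Cheap static findings worth a second look; heuristics, not verdicts."""
    findings = []
    if not info["signed"]:
        findings.append("no LC_CODE_SIGNATURE (unsigned)")
    for d in info["dylibs"]:
        if not d.startswith(TRUSTED_DYLIB_PREFIXES):
            findings.append("loads dylib outside system paths: " + d)
    for s in info["segments"]:
        if s["initprot"] & (VM_PROT_WRITE | VM_PROT_EXECUTE) == (VM_PROT_WRITE | VM_PROT_EXECUTE):
            findings.append("segment %s is writable and executable" % s["name"])
    return findings


def _dylib_cmd(cmd, path):
    name = path.encode() + b"\0"
    pad = (-(24 + len(name))) % 8            # load commands are 8-byte aligned
    return struct.pack("<6I", cmd, 24 + len(name) + pad, 24, 2, 0x10000, 0x10000) + name + b"\0" * pad


def build_sample():
    """Constructed (not real) arm64 executable: one __TEXT segment, two dylib loads, no signature."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x4000, 0, 0x4000, 7, 5, 0, 0)
    cmds = (seg + _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib")
            + _dylib_cmd(LC_LOAD_DYLIB, "/tmp/.hidden/libpayload.dylib"))   # hypothetical path
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0)
    return hdr + cmds


def build_fat_sample():
    """Wrap the thin sample in a single-slice fat container at offset 0x1000."""
    thin = build_sample()
    hdr = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", 0x0100000C, 0, 0x1000, len(thin), 12)
    return hdr + b"\0" * (0x1000 - len(hdr)) + thin


if __name__ == "__main__":
    for sl in parse_macho(build_fat_sample()):
        print(sl["arch"], sl["filetype"], sl["dylibs"], triage(sl))
```

On a real file, replace `build_fat_sample()` with `open(path, "rb").read()`. The bounds checks on `sizeofcmds`, `cmdsize` and fat-slice offsets matter because malformed headers are a common way for samples to crash or confuse naive parsers.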

Turning to supply chain attacks, Saljooki explained how Lazarus compromised 3CX's build servers so that the vendor shipped trojanized builds of its own software to customers. The macOS payload ran in several stages: it read the application's session log files, extracted data from them, and encrypted that data before sending it to the command and control (C2) server. In the JumpCloud intrusion, which began with the compromise of an employee's system, the attackers injected malicious code that established persistence and installed backdoors.

Saljooki also examined the BlueNoroff subgroup, which concentrates on financial targets. He detailed RustBucket, delivered as a malicious PDF viewer application, and the JokerSpy spyware used against a Japanese cryptocurrency exchange, illustrating the capabilities these state-sponsored actors now bring to macOS. The presentation offered a thorough look at the tactics and techniques behind these threats.