New ‘SpectralBlur' macOS Backdoor Linked to North Korea

Research findings have been published by threat researcher Greg Lesnewich, who unpacked a new macOS backdoor dubbed ‘SpectralBlur,’ potentially linked to North Korean actors. Initial samples of SpectralBlur were uploaded to VirusTotal in August 2023. However, the backdoor was able to remain undetected by antivirus solutions until recently. Taking a closer examination, Lesnewich concluded that the malware packs typical backdoor functionalities including file upload/download, file deletion, shell execution, configuration updates, and sleep/hibernate. SpectralBlur is also capable of retrieving commands from a C2 server, which Lesnewich states is performed over sockets wrapped in RC4.

Security Officer Comments:
One of the notable features of SpectralBlur is that it is capable of erasing files after opening them and overwriting their content with zeros. According to Lesnewich, SpectralBlur shares similarities with KandyKorn, a macOS backdoor that the infamous North Korean Lazarus group employed in an attack targeting a cryptocurrency exchange platform. Although KandyKorn and SpectralBlur were constructed by different developers, Lesnewich notes that both strains are built based on the same requirements.

Suggested Corrections:
Although the infection vector for SpectralBlur is unclear, in the past the Lazarus group distributed KandyKorn by convincing victims on Discord to download an archive containing malicious code that would lead to the deployment of the backdoor. As such, users are advised to be cautious about messages from unknown senders that contain links or attachments.